pykspa | 16c93fc1a426856cff62d7a99f8ae5e41442222861a72ca0ede3ecbaf54642e8

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	mtyyft.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	mtyyft.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	whljbuilgrv.exe

Pykspa
Pykspa is a worm spreads via Skype uses DGA and it's written in C++.
worm pykspa
Pykspa family
pykspa

UAC bypass 3 TTPs 21 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	mtyyft.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	mtyyft.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	mtyyft.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mtyyft.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mtyyft.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	mtyyft.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	mtyyft.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	mtyyft.exe

Detect Pykspa worm 2 IoCs

worm

resource	yara_rule
behavioral2/files/0x0022000000023d26-4.dat	family_pykspa
behavioral2/files/0x000200000001e904-106.dat	family_pykspa

Adds policy Run key to start application 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fpxakbfly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohykddqfbpphsxwwrb.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qdouhbirhpjv = "ohykddqfbpphsxwwrb.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qdouhbirhpjv = "bxrgcfvnmdgbpxzcanplf.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qdouhbirhpjv = "fxnyqpbpkxwnxbzys.exe"	mtyyft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qdouhbirhpjv = "mhaojlarpfhbovwyvhid.exe"	mtyyft.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fpxakbfly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fxnyqpbpkxwnxbzys.exe"	mtyyft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qdouhbirhpjv = "bxrgcfvnmdgbpxzcanplf.exe"	mtyyft.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fpxakbfly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ztlysthxujkdpvvwsdd.exe"	mtyyft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qdouhbirhpjv = "fxnyqpbpkxwnxbzys.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qdouhbirhpjv = "fxnyqpbpkxwnxbzys.exe"	whljbuilgrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fpxakbfly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bxrgcfvnmdgbpxzcanplf.exe"	mtyyft.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fpxakbfly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mhaojlarpfhbovwyvhid.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fpxakbfly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ztlysthxujkdpvvwsdd.exe"	whljbuilgrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fpxakbfly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fxnyqpbpkxwnxbzys.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qdouhbirhpjv = "ypeofdobvhfvehec.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qdouhbirhpjv = "ohykddqfbpphsxwwrb.exe"	mtyyft.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fpxakbfly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mhaojlarpfhbovwyvhid.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fpxakbfly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fxnyqpbpkxwnxbzys.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fpxakbfly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mhaojlarpfhbovwyvhid.exe"	whljbuilgrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	mtyyft.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fpxakbfly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mhaojlarpfhbovwyvhid.exe"	mtyyft.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qdouhbirhpjv = "ztlysthxujkdpvvwsdd.exe"	whljbuilgrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qdouhbirhpjv = "mhaojlarpfhbovwyvhid.exe"	mtyyft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qdouhbirhpjv = "ypeofdobvhfvehec.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fpxakbfly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bxrgcfvnmdgbpxzcanplf.exe"	mtyyft.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fpxakbfly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bxrgcfvnmdgbpxzcanplf.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fpxakbfly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fxnyqpbpkxwnxbzys.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qdouhbirhpjv = "ztlysthxujkdpvvwsdd.exe"	whljbuilgrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qdouhbirhpjv = "ypeofdobvhfvehec.exe"	mtyyft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	whljbuilgrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	mtyyft.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qdouhbirhpjv = "bxrgcfvnmdgbpxzcanplf.exe"	whljbuilgrv.exe

Disables RegEdit via registry modification 14 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	mtyyft.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	whljbuilgrv.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	whljbuilgrv.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	whljbuilgrv.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	whljbuilgrv.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	mtyyft.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	mtyyft.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	whljbuilgrv.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	whljbuilgrv.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	whljbuilgrv.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	whljbuilgrv.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	whljbuilgrv.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	mtyyft.exe

Checks computer location settings 2 TTPs 56 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	ztlysthxujkdpvvwsdd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	fxnyqpbpkxwnxbzys.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	ypeofdobvhfvehec.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	ohykddqfbpphsxwwrb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	ztlysthxujkdpvvwsdd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	fxnyqpbpkxwnxbzys.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	fxnyqpbpkxwnxbzys.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	mhaojlarpfhbovwyvhid.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	bxrgcfvnmdgbpxzcanplf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	ohykddqfbpphsxwwrb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	fxnyqpbpkxwnxbzys.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	fxnyqpbpkxwnxbzys.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	ohykddqfbpphsxwwrb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	ypeofdobvhfvehec.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	fxnyqpbpkxwnxbzys.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	fxnyqpbpkxwnxbzys.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	ypeofdobvhfvehec.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	bxrgcfvnmdgbpxzcanplf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	whljbuilgrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	ztlysthxujkdpvvwsdd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	bxrgcfvnmdgbpxzcanplf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	ztlysthxujkdpvvwsdd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	fxnyqpbpkxwnxbzys.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	bxrgcfvnmdgbpxzcanplf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	ypeofdobvhfvehec.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	ztlysthxujkdpvvwsdd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	bxrgcfvnmdgbpxzcanplf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	fxnyqpbpkxwnxbzys.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	ztlysthxujkdpvvwsdd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	mhaojlarpfhbovwyvhid.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	ypeofdobvhfvehec.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	fxnyqpbpkxwnxbzys.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	bxrgcfvnmdgbpxzcanplf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	ypeofdobvhfvehec.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	bxrgcfvnmdgbpxzcanplf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	ypeofdobvhfvehec.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	ztlysthxujkdpvvwsdd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	ohykddqfbpphsxwwrb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	bxrgcfvnmdgbpxzcanplf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	mhaojlarpfhbovwyvhid.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	ypeofdobvhfvehec.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	fxnyqpbpkxwnxbzys.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	ohykddqfbpphsxwwrb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	mhaojlarpfhbovwyvhid.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	ztlysthxujkdpvvwsdd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	mhaojlarpfhbovwyvhid.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	fxnyqpbpkxwnxbzys.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	mhaojlarpfhbovwyvhid.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	ztlysthxujkdpvvwsdd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	ztlysthxujkdpvvwsdd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	ypeofdobvhfvehec.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	ohykddqfbpphsxwwrb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	ypeofdobvhfvehec.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	ztlysthxujkdpvvwsdd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	ohykddqfbpphsxwwrb.exe

Executes dropped EXE 64 IoCs

pid	Process
4012	whljbuilgrv.exe
3212	mhaojlarpfhbovwyvhid.exe
1728	mhaojlarpfhbovwyvhid.exe
4512	whljbuilgrv.exe
2632	fxnyqpbpkxwnxbzys.exe
3300	fxnyqpbpkxwnxbzys.exe
1184	ohykddqfbpphsxwwrb.exe
3620	whljbuilgrv.exe
2292	ztlysthxujkdpvvwsdd.exe
3008	whljbuilgrv.exe
4444	fxnyqpbpkxwnxbzys.exe
4432	ypeofdobvhfvehec.exe
1784	whljbuilgrv.exe
2540	mtyyft.exe
4300	mtyyft.exe
3368	mhaojlarpfhbovwyvhid.exe
1728	bxrgcfvnmdgbpxzcanplf.exe
1428	fxnyqpbpkxwnxbzys.exe
4568	ztlysthxujkdpvvwsdd.exe
1612	ohykddqfbpphsxwwrb.exe
980	whljbuilgrv.exe
2036	whljbuilgrv.exe
1916	fxnyqpbpkxwnxbzys.exe
2412	ypeofdobvhfvehec.exe
3884	fxnyqpbpkxwnxbzys.exe
1460	ohykddqfbpphsxwwrb.exe
1528	mhaojlarpfhbovwyvhid.exe
2736	ztlysthxujkdpvvwsdd.exe
3648	fxnyqpbpkxwnxbzys.exe
4964	fxnyqpbpkxwnxbzys.exe
4548	whljbuilgrv.exe
3808	whljbuilgrv.exe
2176	whljbuilgrv.exe
3232	whljbuilgrv.exe
4628	fxnyqpbpkxwnxbzys.exe
1056	mhaojlarpfhbovwyvhid.exe
4172	fxnyqpbpkxwnxbzys.exe
3652	bxrgcfvnmdgbpxzcanplf.exe
1296	whljbuilgrv.exe
4464	ypeofdobvhfvehec.exe
4488	whljbuilgrv.exe
1428	ohykddqfbpphsxwwrb.exe
5000	ohykddqfbpphsxwwrb.exe
4144	ypeofdobvhfvehec.exe
2768	whljbuilgrv.exe
2296	ohykddqfbpphsxwwrb.exe
3944	whljbuilgrv.exe
2944	whljbuilgrv.exe
1848	fxnyqpbpkxwnxbzys.exe
4444	bxrgcfvnmdgbpxzcanplf.exe
776	whljbuilgrv.exe
700	ohykddqfbpphsxwwrb.exe
3648	mhaojlarpfhbovwyvhid.exe
1232	ypeofdobvhfvehec.exe
3416	whljbuilgrv.exe
4044	fxnyqpbpkxwnxbzys.exe
4824	bxrgcfvnmdgbpxzcanplf.exe
2888	bxrgcfvnmdgbpxzcanplf.exe
4500	whljbuilgrv.exe
3180	ohykddqfbpphsxwwrb.exe
2360	ztlysthxujkdpvvwsdd.exe
2840	ypeofdobvhfvehec.exe
468	bxrgcfvnmdgbpxzcanplf.exe
1588	whljbuilgrv.exe

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	mtyyft.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	mtyyft.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	mtyyft.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	mtyyft.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	mtyyft.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	mtyyft.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

defense_evasion persistence privilege_escalation

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tjxgwtdpitqfnpl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fxnyqpbpkxwnxbzys.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tjxgwtdpitqfnpl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ztlysthxujkdpvvwsdd.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tfpugzfncjc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mhaojlarpfhbovwyvhid.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yjswhzelzf = "ypeofdobvhfvehec.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tfpugzfncjc = "fxnyqpbpkxwnxbzys.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ypeofdobvhfvehec = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bxrgcfvnmdgbpxzcanplf.exe"	mtyyft.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tfpugzfncjc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ztlysthxujkdpvvwsdd.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yjswhzelzf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mhaojlarpfhbovwyvhid.exe"	mtyyft.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tfpugzfncjc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypeofdobvhfvehec.exe ."	mtyyft.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pdpwkfnxoxsfl = "fxnyqpbpkxwnxbzys.exe"	mtyyft.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yjswhzelzf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fxnyqpbpkxwnxbzys.exe"	mtyyft.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yjswhzelzf = "fxnyqpbpkxwnxbzys.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qfsaplufxhdryz = "bxrgcfvnmdgbpxzcanplf.exe ."	mtyyft.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ypeofdobvhfvehec = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohykddqfbpphsxwwrb.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tfpugzfncjc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypeofdobvhfvehec.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yjswhzelzf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mhaojlarpfhbovwyvhid.exe"	mtyyft.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pdpwkfnxoxsfl = "ypeofdobvhfvehec.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tfpugzfncjc = "bxrgcfvnmdgbpxzcanplf.exe ."	mtyyft.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tfpugzfncjc = "bxrgcfvnmdgbpxzcanplf.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pdpwkfnxoxsfl = "ypeofdobvhfvehec.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tfpugzfncjc = "ztlysthxujkdpvvwsdd.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tfpugzfncjc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mhaojlarpfhbovwyvhid.exe ."	mtyyft.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tfpugzfncjc = "mhaojlarpfhbovwyvhid.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pdpwkfnxoxsfl = "fxnyqpbpkxwnxbzys.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ypeofdobvhfvehec = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypeofdobvhfvehec.exe"	mtyyft.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qfsaplufxhdryz = "ohykddqfbpphsxwwrb.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yjswhzelzf = "ohykddqfbpphsxwwrb.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yjswhzelzf = "fxnyqpbpkxwnxbzys.exe"	mtyyft.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tjxgwtdpitqfnpl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mhaojlarpfhbovwyvhid.exe ."	mtyyft.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yjswhzelzf = "mhaojlarpfhbovwyvhid.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tfpugzfncjc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohykddqfbpphsxwwrb.exe ."	mtyyft.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yjswhzelzf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fxnyqpbpkxwnxbzys.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yjswhzelzf = "fxnyqpbpkxwnxbzys.exe"	mtyyft.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yjswhzelzf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypeofdobvhfvehec.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tfpugzfncjc = "ohykddqfbpphsxwwrb.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pdpwkfnxoxsfl = "ohykddqfbpphsxwwrb.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ypeofdobvhfvehec = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ztlysthxujkdpvvwsdd.exe"	mtyyft.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qfsaplufxhdryz = "fxnyqpbpkxwnxbzys.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qfsaplufxhdryz = "mhaojlarpfhbovwyvhid.exe ."	mtyyft.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yjswhzelzf = "ypeofdobvhfvehec.exe"	mtyyft.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pdpwkfnxoxsfl = "bxrgcfvnmdgbpxzcanplf.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qfsaplufxhdryz = "ztlysthxujkdpvvwsdd.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pdpwkfnxoxsfl = "bxrgcfvnmdgbpxzcanplf.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tfpugzfncjc = "ypeofdobvhfvehec.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qfsaplufxhdryz = "fxnyqpbpkxwnxbzys.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pdpwkfnxoxsfl = "ohykddqfbpphsxwwrb.exe"	mtyyft.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pdpwkfnxoxsfl = "bxrgcfvnmdgbpxzcanplf.exe"	mtyyft.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yjswhzelzf = "ztlysthxujkdpvvwsdd.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tfpugzfncjc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bxrgcfvnmdgbpxzcanplf.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yjswhzelzf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohykddqfbpphsxwwrb.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ypeofdobvhfvehec = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mhaojlarpfhbovwyvhid.exe"	mtyyft.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yjswhzelzf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohykddqfbpphsxwwrb.exe"	mtyyft.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yjswhzelzf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bxrgcfvnmdgbpxzcanplf.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ypeofdobvhfvehec = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bxrgcfvnmdgbpxzcanplf.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tjxgwtdpitqfnpl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mhaojlarpfhbovwyvhid.exe ."	mtyyft.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tfpugzfncjc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypeofdobvhfvehec.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tfpugzfncjc = "ztlysthxujkdpvvwsdd.exe ."	mtyyft.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tfpugzfncjc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bxrgcfvnmdgbpxzcanplf.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tjxgwtdpitqfnpl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ztlysthxujkdpvvwsdd.exe ."	mtyyft.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ypeofdobvhfvehec = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bxrgcfvnmdgbpxzcanplf.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tfpugzfncjc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fxnyqpbpkxwnxbzys.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ypeofdobvhfvehec = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ztlysthxujkdpvvwsdd.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ypeofdobvhfvehec = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fxnyqpbpkxwnxbzys.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yjswhzelzf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ztlysthxujkdpvvwsdd.exe"	mtyyft.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	whljbuilgrv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	whljbuilgrv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mtyyft.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mtyyft.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	whljbuilgrv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	whljbuilgrv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mtyyft.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	whljbuilgrv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mtyyft.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs

Possible Turn off User Account Control's privilege elevation for standard users.

Executable Installer File Permissions Weakness

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	mtyyft.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	mtyyft.exe

Looks up external IP address via web service 7 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
32	www.showmyipaddress.com
40	whatismyip.everdot.org
44	www.whatismyip.ca
46	www.whatismyip.ca
60	www.whatismyip.ca
23	whatismyip.everdot.org
24	whatismyipaddress.com

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ypeofdobvhfvehec.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\mhaojlarpfhbovwyvhid.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\spkaxbslldhdsbeihvyvqg.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\ztlysthxujkdpvvwsdd.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\ztlysthxujkdpvvwsdd.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\bxrgcfvnmdgbpxzcanplf.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\ztlysthxujkdpvvwsdd.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\ohykddqfbpphsxwwrb.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\ohykddqfbpphsxwwrb.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\mhaojlarpfhbovwyvhid.exe	mtyyft.exe
File opened for modification	C:\Windows\SysWOW64\ztlysthxujkdpvvwsdd.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\bxrgcfvnmdgbpxzcanplf.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\ztlysthxujkdpvvwsdd.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\bxrgcfvnmdgbpxzcanplf.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\spkaxbslldhdsbeihvyvqg.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\mhaojlarpfhbovwyvhid.exe	mtyyft.exe
File opened for modification	C:\Windows\SysWOW64\ypeofdobvhfvehec.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\spkaxbslldhdsbeihvyvqg.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\ohykddqfbpphsxwwrb.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\ypeofdobvhfvehec.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\fxnyqpbpkxwnxbzys.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\spkaxbslldhdsbeihvyvqg.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\mhaojlarpfhbovwyvhid.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\bxrgcfvnmdgbpxzcanplf.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\ypeofdobvhfvehec.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\ohykddqfbpphsxwwrb.exe	mtyyft.exe
File opened for modification	C:\Windows\SysWOW64\ypeofdobvhfvehec.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\ypeofdobvhfvehec.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\spkaxbslldhdsbeihvyvqg.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\mhaojlarpfhbovwyvhid.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\mhaojlarpfhbovwyvhid.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\fxnyqpbpkxwnxbzys.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\ztlysthxujkdpvvwsdd.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\mhaojlarpfhbovwyvhid.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\ohykddqfbpphsxwwrb.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\ztlysthxujkdpvvwsdd.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\ohykddqfbpphsxwwrb.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\bxrgcfvnmdgbpxzcanplf.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\mhaojlarpfhbovwyvhid.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\ypeofdobvhfvehec.exe	mtyyft.exe
File opened for modification	C:\Windows\SysWOW64\fxnyqpbpkxwnxbzys.exe	mtyyft.exe
File opened for modification	C:\Windows\SysWOW64\ztlysthxujkdpvvwsdd.exe	mtyyft.exe
File opened for modification	C:\Windows\SysWOW64\mhaojlarpfhbovwyvhid.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\ztlysthxujkdpvvwsdd.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\ohykddqfbpphsxwwrb.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\ohykddqfbpphsxwwrb.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\ypeofdobvhfvehec.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\bxrgcfvnmdgbpxzcanplf.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\ohykddqfbpphsxwwrb.exe	mtyyft.exe
File opened for modification	C:\Windows\SysWOW64\fxnyqpbpkxwnxbzys.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\spkaxbslldhdsbeihvyvqg.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\fxnyqpbpkxwnxbzys.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\sxaydpopxxjnkbmyfbmrusxjij.rdh	mtyyft.exe
File created	C:\Windows\SysWOW64\tjxgwtdpitqfnpliahdthqgdnzsdapxzvskrn.raq	mtyyft.exe
File opened for modification	C:\Windows\SysWOW64\ypeofdobvhfvehec.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\spkaxbslldhdsbeihvyvqg.exe	mtyyft.exe
File opened for modification	C:\Windows\SysWOW64\spkaxbslldhdsbeihvyvqg.exe	mtyyft.exe
File opened for modification	C:\Windows\SysWOW64\fxnyqpbpkxwnxbzys.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\ohykddqfbpphsxwwrb.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\bxrgcfvnmdgbpxzcanplf.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\fxnyqpbpkxwnxbzys.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\bxrgcfvnmdgbpxzcanplf.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\bxrgcfvnmdgbpxzcanplf.exe	mtyyft.exe
File opened for modification	C:\Windows\SysWOW64\spkaxbslldhdsbeihvyvqg.exe	whljbuilgrv.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\tjxgwtdpitqfnpliahdthqgdnzsdapxzvskrn.raq	mtyyft.exe
File opened for modification	C:\Program Files (x86)\sxaydpopxxjnkbmyfbmrusxjij.rdh	mtyyft.exe
File created	C:\Program Files (x86)\sxaydpopxxjnkbmyfbmrusxjij.rdh	mtyyft.exe
File opened for modification	C:\Program Files (x86)\tjxgwtdpitqfnpliahdthqgdnzsdapxzvskrn.raq	mtyyft.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\bxrgcfvnmdgbpxzcanplf.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\ztlysthxujkdpvvwsdd.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\ztlysthxujkdpvvwsdd.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\ypeofdobvhfvehec.exe	mtyyft.exe
File opened for modification	C:\Windows\bxrgcfvnmdgbpxzcanplf.exe	mtyyft.exe
File opened for modification	C:\Windows\spkaxbslldhdsbeihvyvqg.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\ypeofdobvhfvehec.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\spkaxbslldhdsbeihvyvqg.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\ztlysthxujkdpvvwsdd.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\ypeofdobvhfvehec.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\ohykddqfbpphsxwwrb.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\mhaojlarpfhbovwyvhid.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\ohykddqfbpphsxwwrb.exe	mtyyft.exe
File opened for modification	C:\Windows\ztlysthxujkdpvvwsdd.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\ohykddqfbpphsxwwrb.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\fxnyqpbpkxwnxbzys.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\bxrgcfvnmdgbpxzcanplf.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\fxnyqpbpkxwnxbzys.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\ohykddqfbpphsxwwrb.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\ohykddqfbpphsxwwrb.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\bxrgcfvnmdgbpxzcanplf.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\ztlysthxujkdpvvwsdd.exe	mtyyft.exe
File opened for modification	C:\Windows\bxrgcfvnmdgbpxzcanplf.exe	mtyyft.exe
File opened for modification	C:\Windows\ohykddqfbpphsxwwrb.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\mhaojlarpfhbovwyvhid.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\fxnyqpbpkxwnxbzys.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\spkaxbslldhdsbeihvyvqg.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\sxaydpopxxjnkbmyfbmrusxjij.rdh	mtyyft.exe
File opened for modification	C:\Windows\ohykddqfbpphsxwwrb.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\ztlysthxujkdpvvwsdd.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\ztlysthxujkdpvvwsdd.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\mhaojlarpfhbovwyvhid.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\ypeofdobvhfvehec.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\fxnyqpbpkxwnxbzys.exe	mtyyft.exe
File opened for modification	C:\Windows\tjxgwtdpitqfnpliahdthqgdnzsdapxzvskrn.raq	mtyyft.exe
File opened for modification	C:\Windows\ypeofdobvhfvehec.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\ohykddqfbpphsxwwrb.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\spkaxbslldhdsbeihvyvqg.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\mhaojlarpfhbovwyvhid.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\fxnyqpbpkxwnxbzys.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\ohykddqfbpphsxwwrb.exe	mtyyft.exe
File opened for modification	C:\Windows\bxrgcfvnmdgbpxzcanplf.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\mhaojlarpfhbovwyvhid.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\ypeofdobvhfvehec.exe	mtyyft.exe
File opened for modification	C:\Windows\ypeofdobvhfvehec.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\mhaojlarpfhbovwyvhid.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\bxrgcfvnmdgbpxzcanplf.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\ohykddqfbpphsxwwrb.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\ypeofdobvhfvehec.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\mhaojlarpfhbovwyvhid.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\fxnyqpbpkxwnxbzys.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\spkaxbslldhdsbeihvyvqg.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\fxnyqpbpkxwnxbzys.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\ypeofdobvhfvehec.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\bxrgcfvnmdgbpxzcanplf.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\ztlysthxujkdpvvwsdd.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\bxrgcfvnmdgbpxzcanplf.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\ypeofdobvhfvehec.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\bxrgcfvnmdgbpxzcanplf.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\spkaxbslldhdsbeihvyvqg.exe	mtyyft.exe
File opened for modification	C:\Windows\ztlysthxujkdpvvwsdd.exe	mtyyft.exe
File opened for modification	C:\Windows\mhaojlarpfhbovwyvhid.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\bxrgcfvnmdgbpxzcanplf.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\spkaxbslldhdsbeihvyvqg.exe	whljbuilgrv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ypeofdobvhfvehec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mtyyft.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mhaojlarpfhbovwyvhid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fxnyqpbpkxwnxbzys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ohykddqfbpphsxwwrb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ypeofdobvhfvehec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bxrgcfvnmdgbpxzcanplf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fxnyqpbpkxwnxbzys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ztlysthxujkdpvvwsdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bxrgcfvnmdgbpxzcanplf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ypeofdobvhfvehec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fxnyqpbpkxwnxbzys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ztlysthxujkdpvvwsdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mhaojlarpfhbovwyvhid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fxnyqpbpkxwnxbzys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ztlysthxujkdpvvwsdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ypeofdobvhfvehec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mhaojlarpfhbovwyvhid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ypeofdobvhfvehec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fxnyqpbpkxwnxbzys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ypeofdobvhfvehec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mhaojlarpfhbovwyvhid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mhaojlarpfhbovwyvhid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fxnyqpbpkxwnxbzys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bxrgcfvnmdgbpxzcanplf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fxnyqpbpkxwnxbzys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ohykddqfbpphsxwwrb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fxnyqpbpkxwnxbzys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ztlysthxujkdpvvwsdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ztlysthxujkdpvvwsdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mhaojlarpfhbovwyvhid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ypeofdobvhfvehec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ypeofdobvhfvehec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ypeofdobvhfvehec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bxrgcfvnmdgbpxzcanplf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ztlysthxujkdpvvwsdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ztlysthxujkdpvvwsdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fxnyqpbpkxwnxbzys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ztlysthxujkdpvvwsdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ohykddqfbpphsxwwrb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fxnyqpbpkxwnxbzys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fxnyqpbpkxwnxbzys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bxrgcfvnmdgbpxzcanplf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ypeofdobvhfvehec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mhaojlarpfhbovwyvhid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mhaojlarpfhbovwyvhid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bxrgcfvnmdgbpxzcanplf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ohykddqfbpphsxwwrb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ohykddqfbpphsxwwrb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fxnyqpbpkxwnxbzys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	whljbuilgrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bxrgcfvnmdgbpxzcanplf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ztlysthxujkdpvvwsdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mhaojlarpfhbovwyvhid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mhaojlarpfhbovwyvhid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ohykddqfbpphsxwwrb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ohykddqfbpphsxwwrb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fxnyqpbpkxwnxbzys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ypeofdobvhfvehec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ohykddqfbpphsxwwrb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ohykddqfbpphsxwwrb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bxrgcfvnmdgbpxzcanplf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ypeofdobvhfvehec.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
3540	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
3540	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
3540	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
3540	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
3540	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
3540	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
3540	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
3540	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
3540	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
3540	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
3540	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
3540	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
3540	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
3540	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
3540	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
3540	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
2540	mtyyft.exe
2540	mtyyft.exe
3540	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
3540	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
3540	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
3540	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
3540	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
3540	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
3540	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
3540	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
3540	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
3540	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
3540	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
3540	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
3540	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
3540	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
3540	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
3540	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
3540	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
3540	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
3540	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
3540	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
3540	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
3540	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
3540	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
3540	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
3540	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
3540	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
3540	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
3540	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
3540	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
3540	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
3540	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
3540	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
3540	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
3540	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2540	mtyyft.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3540 wrote to memory of 4012	3540	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe	89
PID 3540 wrote to memory of 4012	3540	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe	89
PID 3540 wrote to memory of 4012	3540	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe	89
PID 3952 wrote to memory of 3212	3952	cmd.exe	92
PID 3952 wrote to memory of 3212	3952	cmd.exe	92
PID 3952 wrote to memory of 3212	3952	cmd.exe	92
PID 3232 wrote to memory of 1728	3232	cmd.exe	95
PID 3232 wrote to memory of 1728	3232	cmd.exe	95
PID 3232 wrote to memory of 1728	3232	cmd.exe	95
PID 1728 wrote to memory of 4512	1728	mhaojlarpfhbovwyvhid.exe	99
PID 1728 wrote to memory of 4512	1728	mhaojlarpfhbovwyvhid.exe	99
PID 1728 wrote to memory of 4512	1728	mhaojlarpfhbovwyvhid.exe	99
PID 2440 wrote to memory of 2632	2440	cmd.exe	101
PID 2440 wrote to memory of 2632	2440	cmd.exe	101
PID 2440 wrote to memory of 2632	2440	cmd.exe	101
PID 4524 wrote to memory of 3300	4524	cmd.exe	137
PID 4524 wrote to memory of 3300	4524	cmd.exe	137
PID 4524 wrote to memory of 3300	4524	cmd.exe	137
PID 5104 wrote to memory of 1184	5104	cmd.exe	135
PID 5104 wrote to memory of 1184	5104	cmd.exe	135
PID 5104 wrote to memory of 1184	5104	cmd.exe	135
PID 3300 wrote to memory of 3620	3300	fxnyqpbpkxwnxbzys.exe	239
PID 3300 wrote to memory of 3620	3300	fxnyqpbpkxwnxbzys.exe	239
PID 3300 wrote to memory of 3620	3300	fxnyqpbpkxwnxbzys.exe	239
PID 4780 wrote to memory of 2292	4780	cmd.exe	109
PID 4780 wrote to memory of 2292	4780	cmd.exe	109
PID 4780 wrote to memory of 2292	4780	cmd.exe	109
PID 2292 wrote to memory of 3008	2292	ztlysthxujkdpvvwsdd.exe	114
PID 2292 wrote to memory of 3008	2292	ztlysthxujkdpvvwsdd.exe	114
PID 2292 wrote to memory of 3008	2292	ztlysthxujkdpvvwsdd.exe	114
PID 3204 wrote to memory of 4444	3204	cmd.exe	280
PID 3204 wrote to memory of 4444	3204	cmd.exe	280
PID 3204 wrote to memory of 4444	3204	cmd.exe	280
PID 3020 wrote to memory of 4432	3020	cmd.exe	116
PID 3020 wrote to memory of 4432	3020	cmd.exe	116
PID 3020 wrote to memory of 4432	3020	cmd.exe	116
PID 4432 wrote to memory of 1784	4432	ypeofdobvhfvehec.exe	117
PID 4432 wrote to memory of 1784	4432	ypeofdobvhfvehec.exe	117
PID 4432 wrote to memory of 1784	4432	ypeofdobvhfvehec.exe	117
PID 4012 wrote to memory of 2540	4012	whljbuilgrv.exe	120
PID 4012 wrote to memory of 2540	4012	whljbuilgrv.exe	120
PID 4012 wrote to memory of 2540	4012	whljbuilgrv.exe	120
PID 4012 wrote to memory of 4300	4012	whljbuilgrv.exe	121
PID 4012 wrote to memory of 4300	4012	whljbuilgrv.exe	121
PID 4012 wrote to memory of 4300	4012	whljbuilgrv.exe	121
PID 2684 wrote to memory of 3368	2684	cmd.exe	128
PID 2684 wrote to memory of 3368	2684	cmd.exe	128
PID 2684 wrote to memory of 3368	2684	cmd.exe	128
PID 3940 wrote to memory of 1728	3940	cmd.exe	296
PID 3940 wrote to memory of 1728	3940	cmd.exe	296
PID 3940 wrote to memory of 1728	3940	cmd.exe	296
PID 4328 wrote to memory of 1428	4328	cmd.exe	195
PID 4328 wrote to memory of 1428	4328	cmd.exe	195
PID 4328 wrote to memory of 1428	4328	cmd.exe	195
PID 3232 wrote to memory of 4568	3232	cmd.exe	139
PID 3232 wrote to memory of 4568	3232	cmd.exe	139
PID 3232 wrote to memory of 4568	3232	cmd.exe	139
PID 4964 wrote to memory of 1612	4964	cmd.exe	222
PID 4964 wrote to memory of 1612	4964	cmd.exe	222
PID 4964 wrote to memory of 1612	4964	cmd.exe	222
PID 4568 wrote to memory of 980	4568	ztlysthxujkdpvvwsdd.exe	153
PID 4568 wrote to memory of 980	4568	ztlysthxujkdpvvwsdd.exe	153
PID 4568 wrote to memory of 980	4568	ztlysthxujkdpvvwsdd.exe	153
PID 1428 wrote to memory of 2036	1428	fxnyqpbpkxwnxbzys.exe	335

System policy modification 1 TTPs 54 IoCs

defense_evasion

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	mtyyft.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	mtyyft.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	mtyyft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	whljbuilgrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	mtyyft.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mtyyft.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	mtyyft.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	mtyyft.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	mtyyft.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mtyyft.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	mtyyft.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	mtyyft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	mtyyft.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	mtyyft.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	mtyyft.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	mtyyft.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	mtyyft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	whljbuilgrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	mtyyft.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	mtyyft.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	mtyyft.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	whljbuilgrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	mtyyft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	mtyyft.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	mtyyft.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	mtyyft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	whljbuilgrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	mtyyft.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3540
- C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
  "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4012
- - C:\Users\Admin\AppData\Local\Temp\mtyyft.exe
    "C:\Users\Admin\AppData\Local\Temp\mtyyft.exe" "-c:\users\admin\appdata\local\temp\jaffacakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:2540
- - C:\Users\Admin\AppData\Local\Temp\mtyyft.exe
    "C:\Users\Admin\AppData\Local\Temp\mtyyft.exe" "-c:\users\admin\appdata\local\temp\jaffacakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhaojlarpfhbovwyvhid.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3952
- C:\Windows\mhaojlarpfhbovwyvhid.exe
  mhaojlarpfhbovwyvhid.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhaojlarpfhbovwyvhid.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:3232
- C:\Windows\mhaojlarpfhbovwyvhid.exe
  mhaojlarpfhbovwyvhid.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\mhaojlarpfhbovwyvhid.exe*."
    3⤵
    - Executes dropped EXE
    PID:4512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxnyqpbpkxwnxbzys.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Windows\fxnyqpbpkxwnxbzys.exe
  fxnyqpbpkxwnxbzys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxnyqpbpkxwnxbzys.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:4524
- C:\Windows\fxnyqpbpkxwnxbzys.exe
  fxnyqpbpkxwnxbzys.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3300
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\fxnyqpbpkxwnxbzys.exe*."
    3⤵
    - Executes dropped EXE
    PID:3620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:4780
- C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
  C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\ztlysthxujkdpvvwsdd.exe*."
    3⤵
    - Executes dropped EXE
    PID:3008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3204
- C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4432
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\ypeofdobvhfvehec.exe*."
    3⤵
    - Executes dropped EXE
    PID:1784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxrgcfvnmdgbpxzcanplf.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3940
- C:\Windows\bxrgcfvnmdgbpxzcanplf.exe
  bxrgcfvnmdgbpxzcanplf.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhaojlarpfhbovwyvhid.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Windows\mhaojlarpfhbovwyvhid.exe
  mhaojlarpfhbovwyvhid.exe
  2⤵
  - Executes dropped EXE
  PID:3368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxnyqpbpkxwnxbzys.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:4328
- C:\Windows\fxnyqpbpkxwnxbzys.exe
  fxnyqpbpkxwnxbzys.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1428
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\fxnyqpbpkxwnxbzys.exe*."
    3⤵
    - Executes dropped EXE
    PID:2036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztlysthxujkdpvvwsdd.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:3232
- C:\Windows\ztlysthxujkdpvvwsdd.exe
  ztlysthxujkdpvvwsdd.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4568
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\ztlysthxujkdpvvwsdd.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohykddqfbpphsxwwrb.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4964
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1184
- C:\Windows\ohykddqfbpphsxwwrb.exe
  ohykddqfbpphsxwwrb.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxnyqpbpkxwnxbzys.exe
1⤵
PID:2748
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3300
- C:\Windows\fxnyqpbpkxwnxbzys.exe
  fxnyqpbpkxwnxbzys.exe
  2⤵
  - Executes dropped EXE
  PID:1916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohykddqfbpphsxwwrb.exe .
1⤵
PID:3176
- C:\Windows\ohykddqfbpphsxwwrb.exe
  ohykddqfbpphsxwwrb.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1460
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\ohykddqfbpphsxwwrb.exe*."
    3⤵
    - Executes dropped EXE
    PID:3232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhaojlarpfhbovwyvhid.exe .
1⤵
PID:4952
- C:\Windows\mhaojlarpfhbovwyvhid.exe
  mhaojlarpfhbovwyvhid.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1528
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\mhaojlarpfhbovwyvhid.exe*."
    3⤵
    - Executes dropped EXE
    PID:3808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe
1⤵
PID:4488
- C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe
  2⤵
  - Executes dropped EXE
  PID:2412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
1⤵
PID:3948
- C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
  2⤵
  - Executes dropped EXE
  PID:3648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe .
1⤵
PID:4444
- C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3884
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\fxnyqpbpkxwnxbzys.exe*."
    3⤵
    - Executes dropped EXE
    PID:4548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe .
1⤵
PID:932
- C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
  C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2736
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\ztlysthxujkdpvvwsdd.exe*."
    3⤵
    - Executes dropped EXE
    PID:2176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
1⤵
PID:2920
- C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
  2⤵
  - Executes dropped EXE
  PID:4964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe
1⤵
PID:1620
- C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe .
1⤵
PID:708
- C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4628
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\fxnyqpbpkxwnxbzys.exe*."
    3⤵
    - Executes dropped EXE
    PID:1296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe .
1⤵
PID:2320
- C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1428
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\ohykddqfbpphsxwwrb.exe*."
    3⤵
    - Executes dropped EXE
    PID:2768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxnyqpbpkxwnxbzys.exe
1⤵
PID:560
- C:\Windows\fxnyqpbpkxwnxbzys.exe
  fxnyqpbpkxwnxbzys.exe
  2⤵
  - Executes dropped EXE
  PID:4172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxrgcfvnmdgbpxzcanplf.exe .
1⤵
PID:2472
- C:\Windows\bxrgcfvnmdgbpxzcanplf.exe
  bxrgcfvnmdgbpxzcanplf.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3652
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\bxrgcfvnmdgbpxzcanplf.exe*."
    3⤵
    - Executes dropped EXE
    PID:4488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypeofdobvhfvehec.exe
1⤵
PID:3924
- C:\Windows\ypeofdobvhfvehec.exe
  ypeofdobvhfvehec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohykddqfbpphsxwwrb.exe .
1⤵
PID:2684
- C:\Windows\ohykddqfbpphsxwwrb.exe
  ohykddqfbpphsxwwrb.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2296
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\ohykddqfbpphsxwwrb.exe*."
    3⤵
    - Executes dropped EXE
    PID:2944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
1⤵
PID:2092
- C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
  2⤵
  - Executes dropped EXE
  PID:5000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe .
1⤵
PID:4780
- C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4144
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\ypeofdobvhfvehec.exe*."
    3⤵
    - Executes dropped EXE
    PID:3944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
1⤵
PID:2736
- C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
  2⤵
  - Executes dropped EXE
  PID:1848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe .
1⤵
PID:1384
- C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe
  C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4444
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\bxrgcfvnmdgbpxzcanplf.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohykddqfbpphsxwwrb.exe
1⤵
PID:4180
- C:\Windows\ohykddqfbpphsxwwrb.exe
  ohykddqfbpphsxwwrb.exe
  2⤵
  - Executes dropped EXE
  PID:700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhaojlarpfhbovwyvhid.exe .
1⤵
PID:1452
- C:\Windows\mhaojlarpfhbovwyvhid.exe
  mhaojlarpfhbovwyvhid.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3648
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\mhaojlarpfhbovwyvhid.exe*."
    3⤵
    - Executes dropped EXE
    PID:3416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxnyqpbpkxwnxbzys.exe
1⤵
PID:4664
- C:\Windows\fxnyqpbpkxwnxbzys.exe
  fxnyqpbpkxwnxbzys.exe
  2⤵
  - Executes dropped EXE
  PID:4044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypeofdobvhfvehec.exe
1⤵
PID:4464
- C:\Windows\ypeofdobvhfvehec.exe
  ypeofdobvhfvehec.exe
  2⤵
  - Executes dropped EXE
  PID:1232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxrgcfvnmdgbpxzcanplf.exe
1⤵
PID:3100
- C:\Windows\bxrgcfvnmdgbpxzcanplf.exe
  bxrgcfvnmdgbpxzcanplf.exe
  2⤵
  - Executes dropped EXE
  PID:4824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztlysthxujkdpvvwsdd.exe .
1⤵
PID:1612
- C:\Windows\ztlysthxujkdpvvwsdd.exe
  ztlysthxujkdpvvwsdd.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2360
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\ztlysthxujkdpvvwsdd.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxrgcfvnmdgbpxzcanplf.exe .
1⤵
PID:3428
- C:\Windows\bxrgcfvnmdgbpxzcanplf.exe
  bxrgcfvnmdgbpxzcanplf.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2888
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\bxrgcfvnmdgbpxzcanplf.exe*."
    3⤵
    - Executes dropped EXE
    PID:4500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypeofdobvhfvehec.exe .
1⤵
PID:4176
- C:\Windows\ypeofdobvhfvehec.exe
  ypeofdobvhfvehec.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2840
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\ypeofdobvhfvehec.exe*."
    3⤵
    PID:932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
1⤵
PID:1168
- C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
  2⤵
  - Executes dropped EXE
  PID:3180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe .
1⤵
PID:3944
- C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4768
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\ypeofdobvhfvehec.exe*."
    3⤵
    PID:5000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxrgcfvnmdgbpxzcanplf.exe
1⤵
PID:1728
- C:\Windows\bxrgcfvnmdgbpxzcanplf.exe
  bxrgcfvnmdgbpxzcanplf.exe
  2⤵
  - Executes dropped EXE
  PID:468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztlysthxujkdpvvwsdd.exe
1⤵
PID:1804
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3620
- C:\Windows\ztlysthxujkdpvvwsdd.exe
  ztlysthxujkdpvvwsdd.exe
  2⤵
  PID:3856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxrgcfvnmdgbpxzcanplf.exe .
1⤵
PID:4328
- C:\Windows\bxrgcfvnmdgbpxzcanplf.exe
  bxrgcfvnmdgbpxzcanplf.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:468
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\bxrgcfvnmdgbpxzcanplf.exe*."
    3⤵
    PID:2880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxrgcfvnmdgbpxzcanplf.exe .
1⤵
PID:3216
- C:\Windows\bxrgcfvnmdgbpxzcanplf.exe
  bxrgcfvnmdgbpxzcanplf.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1984
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\bxrgcfvnmdgbpxzcanplf.exe*."
    3⤵
    PID:2548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe
1⤵
PID:2836
- C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe
  C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe
  2⤵
  PID:2844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe
1⤵
PID:544
- C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe
  2⤵
  PID:960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe .
1⤵
PID:5108
- C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
  C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2736
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\ztlysthxujkdpvvwsdd.exe*."
    3⤵
    PID:1512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
1⤵
PID:2828
- C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
  2⤵
  PID:2548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe .
1⤵
PID:2676
- C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
  C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe .
  2⤵
  - Checks computer location settings
  PID:4212
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\ztlysthxujkdpvvwsdd.exe*."
    3⤵
    PID:756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe .
1⤵
PID:3756
- C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
  C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2336
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\ztlysthxujkdpvvwsdd.exe*."
    3⤵
    PID:4060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe
1⤵
PID:748
- C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe
  2⤵
  PID:4412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
1⤵
PID:452
- C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
  2⤵
  PID:4808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe .
1⤵
PID:2412
- C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4164
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\ypeofdobvhfvehec.exe*."
    3⤵
    PID:352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe .
1⤵
PID:4628
- C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4444
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\mhaojlarpfhbovwyvhid.exe*."
    3⤵
    PID:1752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxnyqpbpkxwnxbzys.exe
1⤵
PID:1968
- C:\Windows\fxnyqpbpkxwnxbzys.exe
  fxnyqpbpkxwnxbzys.exe
  2⤵
  PID:2316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxrgcfvnmdgbpxzcanplf.exe .
1⤵
PID:1592
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1728
- C:\Windows\bxrgcfvnmdgbpxzcanplf.exe
  bxrgcfvnmdgbpxzcanplf.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2036
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\bxrgcfvnmdgbpxzcanplf.exe*."
    3⤵
    PID:3652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztlysthxujkdpvvwsdd.exe
1⤵
PID:3148
- C:\Windows\ztlysthxujkdpvvwsdd.exe
  ztlysthxujkdpvvwsdd.exe
  2⤵
  PID:2584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohykddqfbpphsxwwrb.exe .
1⤵
PID:1616
- C:\Windows\ohykddqfbpphsxwwrb.exe
  ohykddqfbpphsxwwrb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2280
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\ohykddqfbpphsxwwrb.exe*."
    3⤵
    PID:3584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe
1⤵
PID:1664
- C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe
  C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe
  2⤵
  PID:4328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe .
1⤵
PID:4608
- C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3216
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\fxnyqpbpkxwnxbzys.exe*."
    3⤵
    PID:2976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe
1⤵
PID:1752
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2736
- C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe
  C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe
  2⤵
  PID:232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe .
1⤵
PID:452
- C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1232
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\fxnyqpbpkxwnxbzys.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohykddqfbpphsxwwrb.exe
1⤵
PID:1920
- C:\Windows\ohykddqfbpphsxwwrb.exe
  ohykddqfbpphsxwwrb.exe
  2⤵
  PID:4164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypeofdobvhfvehec.exe .
1⤵
PID:4068
- C:\Windows\ypeofdobvhfvehec.exe
  ypeofdobvhfvehec.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2092
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\ypeofdobvhfvehec.exe*."
    3⤵
    PID:1320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxrgcfvnmdgbpxzcanplf.exe
1⤵
PID:4548
- C:\Windows\bxrgcfvnmdgbpxzcanplf.exe
  bxrgcfvnmdgbpxzcanplf.exe
  2⤵
  PID:2548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxnyqpbpkxwnxbzys.exe .
1⤵
PID:4600
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2036
- C:\Windows\fxnyqpbpkxwnxbzys.exe
  fxnyqpbpkxwnxbzys.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1096
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\fxnyqpbpkxwnxbzys.exe*."
    3⤵
    PID:4212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe
1⤵
PID:1592
- C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe
  C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe
  2⤵
  PID:4824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe .
1⤵
PID:2024
- C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
  C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4428
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\ztlysthxujkdpvvwsdd.exe*."
    3⤵
    PID:1488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe
1⤵
PID:3584
- C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe
  2⤵
  PID:1960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe .
1⤵
PID:2768
- C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1788
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\mhaojlarpfhbovwyvhid.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztlysthxujkdpvvwsdd.exe
1⤵
PID:3284
- C:\Windows\ztlysthxujkdpvvwsdd.exe
  ztlysthxujkdpvvwsdd.exe
  2⤵
  PID:452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypeofdobvhfvehec.exe .
1⤵
PID:1192
- C:\Windows\ypeofdobvhfvehec.exe
  ypeofdobvhfvehec.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4952
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\ypeofdobvhfvehec.exe*."
    3⤵
    PID:1296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypeofdobvhfvehec.exe
1⤵
PID:3100
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2888
- C:\Windows\ypeofdobvhfvehec.exe
  ypeofdobvhfvehec.exe
  2⤵
  PID:1904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxnyqpbpkxwnxbzys.exe .
1⤵
PID:1628
- C:\Windows\fxnyqpbpkxwnxbzys.exe
  fxnyqpbpkxwnxbzys.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2360
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\fxnyqpbpkxwnxbzys.exe*."
    3⤵
    PID:4832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
1⤵
PID:3416
- C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
  C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
  2⤵
  PID:2264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe .
1⤵
PID:4436
- C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3692
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\ohykddqfbpphsxwwrb.exe*."
    3⤵
    PID:2112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe
1⤵
PID:1596
- C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe
  2⤵
  PID:4576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe .
1⤵
PID:4020
- C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe
  C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3856
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\bxrgcfvnmdgbpxzcanplf.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxnyqpbpkxwnxbzys.exe
1⤵
PID:116
- C:\Windows\fxnyqpbpkxwnxbzys.exe
  fxnyqpbpkxwnxbzys.exe
  2⤵
  PID:1488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztlysthxujkdpvvwsdd.exe .
1⤵
PID:2380
- C:\Windows\ztlysthxujkdpvvwsdd.exe
  ztlysthxujkdpvvwsdd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3884
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\ztlysthxujkdpvvwsdd.exe*."
    3⤵
    PID:2668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhaojlarpfhbovwyvhid.exe
1⤵
PID:4984
- C:\Windows\mhaojlarpfhbovwyvhid.exe
  mhaojlarpfhbovwyvhid.exe
  2⤵
  PID:1492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohykddqfbpphsxwwrb.exe .
1⤵
PID:2472
- C:\Windows\ohykddqfbpphsxwwrb.exe
  ohykddqfbpphsxwwrb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3672
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\ohykddqfbpphsxwwrb.exe*."
    3⤵
    PID:2536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
1⤵
PID:3924
- C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
  2⤵
  PID:3948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe .
1⤵
PID:2676
- C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe .
  2⤵
  - Checks computer location settings
  PID:2104
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\fxnyqpbpkxwnxbzys.exe*."
    3⤵
    PID:2880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe
1⤵
PID:4572
- C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe
  2⤵
  PID:1400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe .
1⤵
PID:3324
- C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4024
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\ypeofdobvhfvehec.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohykddqfbpphsxwwrb.exe
1⤵
PID:4548
- C:\Windows\ohykddqfbpphsxwwrb.exe
  ohykddqfbpphsxwwrb.exe
  2⤵
  PID:5076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohykddqfbpphsxwwrb.exe .
1⤵
PID:5020
- C:\Windows\ohykddqfbpphsxwwrb.exe
  ohykddqfbpphsxwwrb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1984
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\ohykddqfbpphsxwwrb.exe*."
    3⤵
    PID:3652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxrgcfvnmdgbpxzcanplf.exe
1⤵
PID:2032
- C:\Windows\bxrgcfvnmdgbpxzcanplf.exe
  bxrgcfvnmdgbpxzcanplf.exe
  2⤵
  PID:4648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxnyqpbpkxwnxbzys.exe .
1⤵
PID:1592
- C:\Windows\fxnyqpbpkxwnxbzys.exe
  fxnyqpbpkxwnxbzys.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4328
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\fxnyqpbpkxwnxbzys.exe*."
    3⤵
    PID:1960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe
1⤵
PID:2036
- C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe
  2⤵
  PID:4768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe .
1⤵
PID:3584
- C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
  C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1972
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\ztlysthxujkdpvvwsdd.exe*."
    3⤵
    PID:3956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
1⤵
PID:2976
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4044
- C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
  C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
  2⤵
  PID:3284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe .
1⤵
PID:1948
- C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
  C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2904
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\ztlysthxujkdpvvwsdd.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypeofdobvhfvehec.exe
1⤵
PID:4164
- C:\Windows\ypeofdobvhfvehec.exe
  ypeofdobvhfvehec.exe
  2⤵
  PID:4764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxnyqpbpkxwnxbzys.exe .
1⤵
PID:3088
- C:\Windows\fxnyqpbpkxwnxbzys.exe
  fxnyqpbpkxwnxbzys.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4420
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\fxnyqpbpkxwnxbzys.exe*."
    3⤵
    PID:3668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhaojlarpfhbovwyvhid.exe
1⤵
PID:2828
- C:\Windows\mhaojlarpfhbovwyvhid.exe
  mhaojlarpfhbovwyvhid.exe
  2⤵
  PID:3516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohykddqfbpphsxwwrb.exe
1⤵
PID:5036
- C:\Windows\ohykddqfbpphsxwwrb.exe
  ohykddqfbpphsxwwrb.exe
  2⤵
  PID:1488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxnyqpbpkxwnxbzys.exe
1⤵
PID:5116
- C:\Windows\fxnyqpbpkxwnxbzys.exe
  fxnyqpbpkxwnxbzys.exe
  2⤵
  PID:468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhaojlarpfhbovwyvhid.exe .
1⤵
PID:4792
- C:\Windows\mhaojlarpfhbovwyvhid.exe
  mhaojlarpfhbovwyvhid.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4328
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\mhaojlarpfhbovwyvhid.exe*."
    3⤵
    PID:4952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxnyqpbpkxwnxbzys.exe .
1⤵
PID:2112
- C:\Windows\fxnyqpbpkxwnxbzys.exe
  fxnyqpbpkxwnxbzys.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3908
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\fxnyqpbpkxwnxbzys.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
1⤵
PID:4824
- C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
  C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
  2⤵
  PID:1784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztlysthxujkdpvvwsdd.exe .
1⤵
PID:1968
- C:\Windows\ztlysthxujkdpvvwsdd.exe
  ztlysthxujkdpvvwsdd.exe .
  2⤵
  PID:5000
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\ztlysthxujkdpvvwsdd.exe*."
    3⤵
    PID:1848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe .
1⤵
PID:1984
- C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2360
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\ypeofdobvhfvehec.exe*."
    3⤵
    PID:2836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxrgcfvnmdgbpxzcanplf.exe
1⤵
PID:3368
- C:\Windows\bxrgcfvnmdgbpxzcanplf.exe
  bxrgcfvnmdgbpxzcanplf.exe
  2⤵
  PID:2280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypeofdobvhfvehec.exe .
1⤵
PID:3756
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4412
- C:\Windows\ypeofdobvhfvehec.exe
  ypeofdobvhfvehec.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4068
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\ypeofdobvhfvehec.exe*."
    3⤵
    PID:3748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhaojlarpfhbovwyvhid.exe
1⤵
PID:2024
- C:\Windows\mhaojlarpfhbovwyvhid.exe
  mhaojlarpfhbovwyvhid.exe
  2⤵
  PID:2828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
1⤵
PID:2672
- C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
  C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
  2⤵
  PID:4432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxrgcfvnmdgbpxzcanplf.exe .
1⤵
PID:112
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3180
- C:\Windows\bxrgcfvnmdgbpxzcanplf.exe
  bxrgcfvnmdgbpxzcanplf.exe .
  2⤵
  - Checks computer location settings
  PID:1400
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\bxrgcfvnmdgbpxzcanplf.exe*."
    3⤵
    PID:3060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
1⤵
PID:4168
- C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
  2⤵
  PID:1512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe .
1⤵
PID:1188
- C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5036
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\mhaojlarpfhbovwyvhid.exe*."
    3⤵
    PID:4172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
1⤵
PID:3272
- C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
  2⤵
  PID:1848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe .
1⤵
PID:3008
- C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1492
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\ypeofdobvhfvehec.exe*."
    3⤵
    PID:560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe .
1⤵
PID:3572
- C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1804
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\mhaojlarpfhbovwyvhid.exe*."
    3⤵
    PID:1848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
1⤵
PID:4320
- C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
  2⤵
  PID:1488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
1⤵
PID:1628
- C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
  C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
  2⤵
  PID:1400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe .
1⤵
PID:1728
- C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe .
  2⤵
  PID:3232
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\fxnyqpbpkxwnxbzys.exe*."
    3⤵
    PID:3092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe .
1⤵
PID:3088
- C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe .
  2⤵
  PID:4964
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\fxnyqpbpkxwnxbzys.exe*."
    3⤵
    PID:3884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxrgcfvnmdgbpxzcanplf.exe
1⤵
PID:3204
- C:\Windows\bxrgcfvnmdgbpxzcanplf.exe
  bxrgcfvnmdgbpxzcanplf.exe
  2⤵
  PID:3708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohykddqfbpphsxwwrb.exe .
1⤵
PID:2328
- C:\Windows\ohykddqfbpphsxwwrb.exe
  ohykddqfbpphsxwwrb.exe .
  2⤵
  PID:4808
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\ohykddqfbpphsxwwrb.exe*."
    3⤵
    PID:2544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxnyqpbpkxwnxbzys.exe
1⤵
PID:3748
- C:\Windows\fxnyqpbpkxwnxbzys.exe
  fxnyqpbpkxwnxbzys.exe
  2⤵
  PID:4760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohykddqfbpphsxwwrb.exe .
1⤵
PID:4312
- C:\Windows\ohykddqfbpphsxwwrb.exe
  ohykddqfbpphsxwwrb.exe .
  2⤵
  PID:3184
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\ohykddqfbpphsxwwrb.exe*."
    3⤵
    PID:1924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
1⤵
PID:4792
- C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
  2⤵
  PID:4600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe .
1⤵
PID:1804
- C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe .
  2⤵
  PID:632
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\mhaojlarpfhbovwyvhid.exe*."
    3⤵
    PID:4172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
1⤵
PID:2036
- C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
  2⤵
  PID:1428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe .
1⤵
PID:1348
- C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe .
  2⤵
  PID:2684
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\mhaojlarpfhbovwyvhid.exe*."
    3⤵
    PID:3948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhaojlarpfhbovwyvhid.exe
1⤵
PID:2412
- C:\Windows\mhaojlarpfhbovwyvhid.exe
  mhaojlarpfhbovwyvhid.exe
  2⤵
  PID:4212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypeofdobvhfvehec.exe .
1⤵
PID:2352
- C:\Windows\ypeofdobvhfvehec.exe
  ypeofdobvhfvehec.exe .
  2⤵
  PID:224
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\ypeofdobvhfvehec.exe*."
    3⤵
    PID:216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypeofdobvhfvehec.exe
1⤵
PID:1548
- C:\Windows\ypeofdobvhfvehec.exe
  ypeofdobvhfvehec.exe
  2⤵
  PID:2632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxrgcfvnmdgbpxzcanplf.exe .
1⤵
PID:748
- C:\Windows\bxrgcfvnmdgbpxzcanplf.exe
  bxrgcfvnmdgbpxzcanplf.exe .
  2⤵
  PID:3624
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\bxrgcfvnmdgbpxzcanplf.exe*."
    3⤵
    PID:4568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
1⤵
PID:3084
- C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
  2⤵
  PID:3368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe .
1⤵
PID:3148
- C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe
  C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe .
  2⤵
  PID:3944
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\bxrgcfvnmdgbpxzcanplf.exe*."
    3⤵
    PID:3184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
1⤵
PID:776
- C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
  2⤵
  PID:2032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe .
1⤵
PID:4484
- C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe
  C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe .
  2⤵
  PID:4564
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\bxrgcfvnmdgbpxzcanplf.exe*."
    3⤵
    PID:2792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztlysthxujkdpvvwsdd.exe
1⤵
PID:2240
- C:\Windows\ztlysthxujkdpvvwsdd.exe
  ztlysthxujkdpvvwsdd.exe
  2⤵
  PID:2968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhaojlarpfhbovwyvhid.exe .
1⤵
PID:2024
- C:\Windows\mhaojlarpfhbovwyvhid.exe
  mhaojlarpfhbovwyvhid.exe .
  2⤵
  PID:3516
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\mhaojlarpfhbovwyvhid.exe*."
    3⤵
    PID:4780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohykddqfbpphsxwwrb.exe
1⤵
PID:1192
- C:\Windows\ohykddqfbpphsxwwrb.exe
  ohykddqfbpphsxwwrb.exe
  2⤵
  PID:1728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhaojlarpfhbovwyvhid.exe .
1⤵
PID:440
- C:\Windows\mhaojlarpfhbovwyvhid.exe
  mhaojlarpfhbovwyvhid.exe .
  2⤵
  PID:2332
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\mhaojlarpfhbovwyvhid.exe*."
    3⤵
    PID:232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
1⤵
PID:4212
- C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
  2⤵
  PID:3080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe .
1⤵
PID:3264
- C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe .
  2⤵
  PID:4824
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\mhaojlarpfhbovwyvhid.exe*."
    3⤵
    PID:2392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe
1⤵
PID:4024
- C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe
  2⤵
  PID:3624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe .
1⤵
PID:4320
- C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe .
  2⤵
  PID:1060
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\ohykddqfbpphsxwwrb.exe*."
    3⤵
    PID:1472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypeofdobvhfvehec.exe
1⤵
PID:2280
- C:\Windows\ypeofdobvhfvehec.exe
  ypeofdobvhfvehec.exe
  2⤵
  PID:3472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxnyqpbpkxwnxbzys.exe .
1⤵
PID:4484
- C:\Windows\fxnyqpbpkxwnxbzys.exe
  fxnyqpbpkxwnxbzys.exe .
  2⤵
  PID:2476
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\fxnyqpbpkxwnxbzys.exe*."
    3⤵
    PID:2844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztlysthxujkdpvvwsdd.exe
1⤵
PID:4444
- C:\Windows\ztlysthxujkdpvvwsdd.exe
  ztlysthxujkdpvvwsdd.exe
  2⤵
  PID:3328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhaojlarpfhbovwyvhid.exe .
1⤵
PID:3156
- C:\Windows\mhaojlarpfhbovwyvhid.exe
  mhaojlarpfhbovwyvhid.exe .
  2⤵
  PID:3516
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\mhaojlarpfhbovwyvhid.exe*."
    3⤵
    PID:1788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe
1⤵
PID:1624
- C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe
  C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe
  2⤵
  PID:3008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe .
1⤵
PID:4832
- C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
  C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe .
  2⤵
  PID:4628
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\ztlysthxujkdpvvwsdd.exe*."
    3⤵
    PID:4720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe
1⤵
PID:4808
- C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe
  2⤵
  PID:2556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe .
1⤵
PID:2616
- C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe .
  2⤵
  PID:4824
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\mhaojlarpfhbovwyvhid.exe*."
    3⤵
    PID:216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxrgcfvnmdgbpxzcanplf.exe
1⤵
PID:2288
- C:\Windows\bxrgcfvnmdgbpxzcanplf.exe
  bxrgcfvnmdgbpxzcanplf.exe
  2⤵
  PID:1856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxrgcfvnmdgbpxzcanplf.exe .
1⤵
PID:1960
- C:\Windows\bxrgcfvnmdgbpxzcanplf.exe
  bxrgcfvnmdgbpxzcanplf.exe .
  2⤵
  PID:4348
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\bxrgcfvnmdgbpxzcanplf.exe*."
    3⤵
    PID:4600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhaojlarpfhbovwyvhid.exe
1⤵
PID:4984
- C:\Windows\mhaojlarpfhbovwyvhid.exe
  mhaojlarpfhbovwyvhid.exe
  2⤵
  PID:3472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxnyqpbpkxwnxbzys.exe .
1⤵
PID:4116
- C:\Windows\fxnyqpbpkxwnxbzys.exe
  fxnyqpbpkxwnxbzys.exe .
  2⤵
  PID:2968
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\fxnyqpbpkxwnxbzys.exe*."
    3⤵
    PID:4312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
1⤵
PID:3024
- C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
  2⤵
  PID:3428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe .
1⤵
PID:3088
- C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe .
  2⤵
  PID:3464
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\fxnyqpbpkxwnxbzys.exe*."
    3⤵
    PID:4004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
1⤵
PID:4176
- C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
  2⤵
  PID:3156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe .
1⤵
PID:4972
- C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe
  C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe .
  2⤵
  PID:3976
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\bxrgcfvnmdgbpxzcanplf.exe*."
    3⤵
    PID:2676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztlysthxujkdpvvwsdd.exe
1⤵
PID:116
- C:\Windows\ztlysthxujkdpvvwsdd.exe
  ztlysthxujkdpvvwsdd.exe
  2⤵
  PID:4304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxrgcfvnmdgbpxzcanplf.exe .
1⤵
PID:1596
- C:\Windows\bxrgcfvnmdgbpxzcanplf.exe
  bxrgcfvnmdgbpxzcanplf.exe .
  2⤵
  PID:3368
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\bxrgcfvnmdgbpxzcanplf.exe*."
    3⤵
    PID:4568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohykddqfbpphsxwwrb.exe
1⤵
PID:4620
- C:\Windows\ohykddqfbpphsxwwrb.exe
  ohykddqfbpphsxwwrb.exe
  2⤵
  PID:3808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohykddqfbpphsxwwrb.exe .
1⤵
PID:2288
- C:\Windows\ohykddqfbpphsxwwrb.exe
  ohykddqfbpphsxwwrb.exe .
  2⤵
  PID:1960
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\ohykddqfbpphsxwwrb.exe*."
    3⤵
    PID:3212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
1⤵
PID:1948
- C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
  2⤵
  PID:2824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe .
1⤵
PID:1456
- C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe .
  2⤵
  PID:4312
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\mhaojlarpfhbovwyvhid.exe*."
    3⤵
    PID:4688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxrgcfvnmdgbpxzcanplf.exe
1⤵
PID:4292
- C:\Windows\bxrgcfvnmdgbpxzcanplf.exe
  bxrgcfvnmdgbpxzcanplf.exe
  2⤵
  PID:2640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxnyqpbpkxwnxbzys.exe
1⤵
PID:4116
- C:\Windows\fxnyqpbpkxwnxbzys.exe
  fxnyqpbpkxwnxbzys.exe
  2⤵
  PID:232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztlysthxujkdpvvwsdd.exe .
1⤵
PID:824
- C:\Windows\ztlysthxujkdpvvwsdd.exe
  ztlysthxujkdpvvwsdd.exe .
  2⤵
  PID:1812
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\ztlysthxujkdpvvwsdd.exe*."
    3⤵
    PID:4292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
1⤵
PID:1188
- C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
  2⤵
  PID:3748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe .
1⤵
PID:2844
- C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe .
  2⤵
  PID:1512
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\ohykddqfbpphsxwwrb.exe*."
    3⤵
    PID:2240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhaojlarpfhbovwyvhid.exe .
1⤵
PID:3976
- C:\Windows\mhaojlarpfhbovwyvhid.exe
  mhaojlarpfhbovwyvhid.exe .
  2⤵
  PID:2264
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\mhaojlarpfhbovwyvhid.exe*."
    3⤵
    PID:4600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhaojlarpfhbovwyvhid.exe
1⤵
PID:1220
- C:\Windows\mhaojlarpfhbovwyvhid.exe
  mhaojlarpfhbovwyvhid.exe
  2⤵
  PID:4600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypeofdobvhfvehec.exe .
1⤵
PID:1200
- C:\Windows\ypeofdobvhfvehec.exe
  ypeofdobvhfvehec.exe .
  2⤵
  PID:2264
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\ypeofdobvhfvehec.exe*."
    3⤵
    PID:560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxrgcfvnmdgbpxzcanplf.exe
1⤵
PID:1472
- C:\Windows\bxrgcfvnmdgbpxzcanplf.exe
  bxrgcfvnmdgbpxzcanplf.exe
  2⤵
  PID:4108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
1⤵
PID:1972
- C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
  C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
  2⤵
  PID:4404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxrgcfvnmdgbpxzcanplf.exe .
1⤵
PID:3368
- C:\Windows\bxrgcfvnmdgbpxzcanplf.exe
  bxrgcfvnmdgbpxzcanplf.exe .
  2⤵
  PID:3232
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\bxrgcfvnmdgbpxzcanplf.exe*."
    3⤵
    PID:4564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe .
1⤵
PID:3164
- C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe
  C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe .
  2⤵
  PID:3748
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\bxrgcfvnmdgbpxzcanplf.exe*."
    3⤵
    PID:4292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
1⤵
PID:4536
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3948
- C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
  2⤵
  PID:1596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe .
1⤵
PID:2136
- C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe .
  2⤵
  PID:3284
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\ypeofdobvhfvehec.exe*."
    3⤵
    PID:4160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe
1⤵
PID:2840
- C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe
  C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe
  2⤵
  PID:4956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe .
1⤵
PID:3024
- C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe .
  2⤵
  PID:780
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\ohykddqfbpphsxwwrb.exe*."
    3⤵
    PID:3752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe
1⤵
PID:1192
- C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe
  2⤵
  PID:3428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe .
1⤵
PID:2612
- C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe .
  2⤵
  PID:1592
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\ypeofdobvhfvehec.exe*."
    3⤵
    PID:4620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztlysthxujkdpvvwsdd.exe
1⤵
PID:4648
- C:\Windows\ztlysthxujkdpvvwsdd.exe
  ztlysthxujkdpvvwsdd.exe
  2⤵
  PID:2536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxrgcfvnmdgbpxzcanplf.exe .
1⤵
PID:1400
- C:\Windows\bxrgcfvnmdgbpxzcanplf.exe
  bxrgcfvnmdgbpxzcanplf.exe .
  2⤵
  PID:3472
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\bxrgcfvnmdgbpxzcanplf.exe*."
    3⤵
    PID:4060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxrgcfvnmdgbpxzcanplf.exe
1⤵
PID:1232
- C:\Windows\bxrgcfvnmdgbpxzcanplf.exe
  bxrgcfvnmdgbpxzcanplf.exe
  2⤵
  PID:4932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohykddqfbpphsxwwrb.exe .
1⤵
PID:1512
- C:\Windows\ohykddqfbpphsxwwrb.exe
  ohykddqfbpphsxwwrb.exe .
  2⤵
  PID:1456
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\ohykddqfbpphsxwwrb.exe*."
    3⤵
    PID:1920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
1⤵
PID:4956
- C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
  C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
  2⤵
  PID:3748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe .
1⤵
PID:2548
- C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe .
  2⤵
  PID:404
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\mhaojlarpfhbovwyvhid.exe*."
    3⤵
    PID:3648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
1⤵
PID:4720
- C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
  2⤵
  PID:1192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe .
1⤵
PID:2920
- C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe
  C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe .
  2⤵
  PID:3916
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\bxrgcfvnmdgbpxzcanplf.exe*."
    3⤵
    PID:1320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxnyqpbpkxwnxbzys.exe
1⤵
PID:1724
- C:\Windows\fxnyqpbpkxwnxbzys.exe
  fxnyqpbpkxwnxbzys.exe
  2⤵
  PID:2316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhaojlarpfhbovwyvhid.exe .
1⤵
PID:4576
- C:\Windows\mhaojlarpfhbovwyvhid.exe
  mhaojlarpfhbovwyvhid.exe .
  2⤵
  PID:4444
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\mhaojlarpfhbovwyvhid.exe*."
    3⤵
    PID:4020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhaojlarpfhbovwyvhid.exe
1⤵
PID:1204
- C:\Windows\mhaojlarpfhbovwyvhid.exe
  mhaojlarpfhbovwyvhid.exe
  2⤵
  PID:3080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxnyqpbpkxwnxbzys.exe .
1⤵
PID:4304
- C:\Windows\fxnyqpbpkxwnxbzys.exe
  fxnyqpbpkxwnxbzys.exe .
  2⤵
  PID:552
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\fxnyqpbpkxwnxbzys.exe*."
    3⤵
    PID:4904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
1⤵
PID:1384
- C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
  C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
  2⤵
  PID:1804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe .
1⤵
PID:1788
- C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe .
  2⤵
  PID:2836
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\mhaojlarpfhbovwyvhid.exe*."
    3⤵
    PID:776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
1⤵
PID:2968
- C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
  C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
  2⤵
  PID:3668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe .
1⤵
PID:2684
- C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe .
  2⤵
  PID:3368
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\ohykddqfbpphsxwwrb.exe*."
    3⤵
    PID:4348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztlysthxujkdpvvwsdd.exe
1⤵
PID:2092
- C:\Windows\ztlysthxujkdpvvwsdd.exe
  ztlysthxujkdpvvwsdd.exe
  2⤵
  PID:3980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhaojlarpfhbovwyvhid.exe .
1⤵
PID:2904
- C:\Windows\mhaojlarpfhbovwyvhid.exe
  mhaojlarpfhbovwyvhid.exe .
  2⤵
  PID:1428
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\mhaojlarpfhbovwyvhid.exe*."
    3⤵
    PID:3156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztlysthxujkdpvvwsdd.exe
1⤵
PID:4404
- C:\Windows\ztlysthxujkdpvvwsdd.exe
  ztlysthxujkdpvvwsdd.exe
  2⤵
  PID:4780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohykddqfbpphsxwwrb.exe .
1⤵
PID:1724
- C:\Windows\ohykddqfbpphsxwwrb.exe
  ohykddqfbpphsxwwrb.exe .
  2⤵
  PID:3856
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\ohykddqfbpphsxwwrb.exe*."
    3⤵
    PID:4584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe
1⤵
PID:4020
- C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe
  C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe
  2⤵
  PID:1804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe .
1⤵
PID:4388
- C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe .
  2⤵
  PID:560
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\ypeofdobvhfvehec.exe*."
    3⤵
    PID:552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
1⤵
PID:1620
- C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
  2⤵
  PID:3328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe .
1⤵
PID:940
- C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe .
  2⤵
  PID:4536
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\mhaojlarpfhbovwyvhid.exe*."
    3⤵
    PID:4760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypeofdobvhfvehec.exe
1⤵
PID:4676
- C:\Windows\ypeofdobvhfvehec.exe
  ypeofdobvhfvehec.exe
  2⤵
  PID:2408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypeofdobvhfvehec.exe .
1⤵
PID:2092
- C:\Windows\ypeofdobvhfvehec.exe
  ypeofdobvhfvehec.exe .
  2⤵
  PID:3264
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\ypeofdobvhfvehec.exe*."
    3⤵
    PID:4176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhaojlarpfhbovwyvhid.exe
1⤵
PID:4780
- C:\Windows\mhaojlarpfhbovwyvhid.exe
  mhaojlarpfhbovwyvhid.exe
  2⤵
  PID:3712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhaojlarpfhbovwyvhid.exe .
1⤵
PID:4404
- C:\Windows\mhaojlarpfhbovwyvhid.exe
  mhaojlarpfhbovwyvhid.exe .
  2⤵
  PID:2360
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\mhaojlarpfhbovwyvhid.exe*."
    3⤵
    PID:2440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
1⤵
PID:2676
- C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
  2⤵
  PID:4648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe .
1⤵
PID:748
- C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe
  C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe .
  2⤵
  PID:1784
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\bxrgcfvnmdgbpxzcanplf.exe*."
    3⤵
    PID:1728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe
1⤵
PID:552
- C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe
  2⤵
  PID:3020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe .
1⤵
PID:4576
- C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe
  C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe .
  2⤵
  PID:3884
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\bxrgcfvnmdgbpxzcanplf.exe*."
    3⤵
    PID:404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypeofdobvhfvehec.exe
1⤵
PID:1588
- C:\Windows\ypeofdobvhfvehec.exe
  ypeofdobvhfvehec.exe
  2⤵
  PID:3084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztlysthxujkdpvvwsdd.exe .
1⤵
PID:224
- C:\Windows\ztlysthxujkdpvvwsdd.exe
  ztlysthxujkdpvvwsdd.exe .
  2⤵
  PID:2288
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\ztlysthxujkdpvvwsdd.exe*."
    3⤵
    PID:2824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypeofdobvhfvehec.exe
1⤵
PID:932
- C:\Windows\ypeofdobvhfvehec.exe
  ypeofdobvhfvehec.exe
  2⤵
  PID:2296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztlysthxujkdpvvwsdd.exe .
1⤵
PID:3264
- C:\Windows\ztlysthxujkdpvvwsdd.exe
  ztlysthxujkdpvvwsdd.exe .
  2⤵
  PID:2544
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\ztlysthxujkdpvvwsdd.exe*."
    3⤵
    PID:2360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
1⤵
PID:1856
- C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
  C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
  2⤵
  PID:3080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe .
1⤵
PID:3708
- C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe .
  2⤵
  PID:4972
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\fxnyqpbpkxwnxbzys.exe*."
    3⤵
    PID:232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
1⤵
PID:3212
- C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
  2⤵
  PID:4388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe .
1⤵
PID:2716
- C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe .
  2⤵
  PID:1920
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\ypeofdobvhfvehec.exe*."
    3⤵
    PID:1768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxrgcfvnmdgbpxzcanplf.exe
1⤵
PID:4484
- C:\Windows\bxrgcfvnmdgbpxzcanplf.exe
  bxrgcfvnmdgbpxzcanplf.exe
  2⤵
  PID:3808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhaojlarpfhbovwyvhid.exe .
1⤵
PID:5116
- C:\Windows\mhaojlarpfhbovwyvhid.exe
  mhaojlarpfhbovwyvhid.exe .
  2⤵
  PID:1104
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\mhaojlarpfhbovwyvhid.exe*."
    3⤵
    PID:4420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohykddqfbpphsxwwrb.exe
1⤵
PID:1188
- C:\Windows\ohykddqfbpphsxwwrb.exe
  ohykddqfbpphsxwwrb.exe
  2⤵
  PID:3272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhaojlarpfhbovwyvhid.exe .
1⤵
PID:3672
- C:\Windows\mhaojlarpfhbovwyvhid.exe
  mhaojlarpfhbovwyvhid.exe .
  2⤵
  PID:4176
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\mhaojlarpfhbovwyvhid.exe*."
    3⤵
    PID:2544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe
1⤵
PID:3752
- C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe
  C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe
  2⤵
  PID:3592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe .
1⤵
PID:3472
- C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe .
  2⤵
  PID:632
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\ypeofdobvhfvehec.exe*."
    3⤵
    PID:3956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
1⤵
PID:4972
- C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
  C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
  2⤵
  PID:1432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe .
1⤵
PID:888
- C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe .
  2⤵
  PID:980
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\mhaojlarpfhbovwyvhid.exe*."
    3⤵
    PID:4784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxrgcfvnmdgbpxzcanplf.exe
1⤵
PID:4068
- C:\Windows\bxrgcfvnmdgbpxzcanplf.exe
  bxrgcfvnmdgbpxzcanplf.exe
  2⤵
  PID:208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxnyqpbpkxwnxbzys.exe .
1⤵
PID:2968
- C:\Windows\fxnyqpbpkxwnxbzys.exe
  fxnyqpbpkxwnxbzys.exe .
  2⤵
  PID:3744
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\fxnyqpbpkxwnxbzys.exe*."
    3⤵
    PID:3080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxrgcfvnmdgbpxzcanplf.exe
1⤵
PID:776
- C:\Windows\bxrgcfvnmdgbpxzcanplf.exe
  bxrgcfvnmdgbpxzcanplf.exe
  2⤵
  PID:4792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxrgcfvnmdgbpxzcanplf.exe
1⤵
PID:2620
- C:\Windows\bxrgcfvnmdgbpxzcanplf.exe
  bxrgcfvnmdgbpxzcanplf.exe
  2⤵
  PID:2840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxnyqpbpkxwnxbzys.exe .
1⤵
PID:2292
- C:\Windows\fxnyqpbpkxwnxbzys.exe
  fxnyqpbpkxwnxbzys.exe .
  2⤵
  PID:4908
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\fxnyqpbpkxwnxbzys.exe*."
    3⤵
    PID:1940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxnyqpbpkxwnxbzys.exe .
1⤵
PID:2320
- C:\Windows\fxnyqpbpkxwnxbzys.exe
  fxnyqpbpkxwnxbzys.exe .
  2⤵
  PID:4984
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\fxnyqpbpkxwnxbzys.exe*."
    3⤵
    PID:4620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe
1⤵
PID:2392
- C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe
  2⤵
  PID:1940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhaojlarpfhbovwyvhid.exe
1⤵
PID:4464
- C:\Windows\mhaojlarpfhbovwyvhid.exe
  mhaojlarpfhbovwyvhid.exe
  2⤵
  PID:1548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe .
1⤵
PID:2124
- C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe .
  2⤵
  PID:4320
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\ohykddqfbpphsxwwrb.exe*."
    3⤵
    PID:5020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohykddqfbpphsxwwrb.exe
1⤵
PID:3300
- C:\Windows\ohykddqfbpphsxwwrb.exe
  ohykddqfbpphsxwwrb.exe
  2⤵
  PID:1676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhaojlarpfhbovwyvhid.exe .
1⤵
PID:708
- C:\Windows\mhaojlarpfhbovwyvhid.exe
  mhaojlarpfhbovwyvhid.exe .
  2⤵
  PID:352
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\mhaojlarpfhbovwyvhid.exe*."
    3⤵
    PID:960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe
1⤵
PID:2904
- C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe
  2⤵
  PID:2768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhaojlarpfhbovwyvhid.exe .
1⤵
PID:1428
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4212
- C:\Windows\mhaojlarpfhbovwyvhid.exe
  mhaojlarpfhbovwyvhid.exe .
  2⤵
  PID:1752
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\mhaojlarpfhbovwyvhid.exe*."
    3⤵
    PID:4768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe .
1⤵
PID:1420
- C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe .
  2⤵
  PID:5104
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\ohykddqfbpphsxwwrb.exe*."
    3⤵
    PID:5044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe
1⤵
PID:2400
- C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe
  2⤵
  PID:3184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe .
1⤵
PID:748
- C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe
  C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe .
  2⤵
  PID:2392
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\bxrgcfvnmdgbpxzcanplf.exe*."
    3⤵
    PID:1904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxnyqpbpkxwnxbzys.exe
1⤵
PID:1920
- C:\Windows\fxnyqpbpkxwnxbzys.exe
  fxnyqpbpkxwnxbzys.exe
  2⤵
  PID:2504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohykddqfbpphsxwwrb.exe .
1⤵
PID:2412
- C:\Windows\ohykddqfbpphsxwwrb.exe
  ohykddqfbpphsxwwrb.exe .
  2⤵
  PID:4292
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\ohykddqfbpphsxwwrb.exe*."
    3⤵
    PID:2944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe
1⤵
PID:4388
- C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe
  2⤵
  PID:3148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
1⤵
PID:2280
- C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
  2⤵
  PID:3700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe .
1⤵
PID:4772
- C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe .
  2⤵
  PID:2792
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\mhaojlarpfhbovwyvhid.exe*."
    3⤵
    PID:1984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe .
1⤵
PID:2104
- C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe
  C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe .
  2⤵
  PID:2288
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\bxrgcfvnmdgbpxzcanplf.exe*."
    3⤵
    PID:3692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
1⤵
PID:4620
- C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
  2⤵
  PID:4924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe .
1⤵
PID:776
- C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe
  C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe .
  2⤵
  PID:3328
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\bxrgcfvnmdgbpxzcanplf.exe*."
    3⤵
    PID:1548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxrgcfvnmdgbpxzcanplf.exe
1⤵
PID:4764
- C:\Windows\bxrgcfvnmdgbpxzcanplf.exe
  bxrgcfvnmdgbpxzcanplf.exe
  2⤵
  PID:2668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxrgcfvnmdgbpxzcanplf.exe .
1⤵
PID:2320
- C:\Windows\bxrgcfvnmdgbpxzcanplf.exe
  bxrgcfvnmdgbpxzcanplf.exe .
  2⤵
  PID:1752
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\bxrgcfvnmdgbpxzcanplf.exe*."
    3⤵
    PID:2392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypeofdobvhfvehec.exe
1⤵
PID:4360
- C:\Windows\ypeofdobvhfvehec.exe
  ypeofdobvhfvehec.exe
  2⤵
  PID:1904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohykddqfbpphsxwwrb.exe .
1⤵
PID:5044
- C:\Windows\ohykddqfbpphsxwwrb.exe
  ohykddqfbpphsxwwrb.exe .
  2⤵
  PID:1592
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\ohykddqfbpphsxwwrb.exe*."
    3⤵
    PID:2360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe
  C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe
  2⤵
  PID:560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe .
1⤵
PID:632
- C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe
  C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe .
  2⤵
  PID:1812
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\bxrgcfvnmdgbpxzcanplf.exe*."
    3⤵
    PID:2472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
1⤵
PID:3620
- C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
  C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
  2⤵
  PID:1856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe .
1⤵
PID:2888
- C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
  C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe .
  2⤵
  PID:1204
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\ztlysthxujkdpvvwsdd.exe*."
    3⤵
    PID:2620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztlysthxujkdpvvwsdd.exe
1⤵
PID:2528
- C:\Windows\ztlysthxujkdpvvwsdd.exe
  ztlysthxujkdpvvwsdd.exe
  2⤵
  PID:3356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxnyqpbpkxwnxbzys.exe .
1⤵
PID:1436
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2548
- C:\Windows\fxnyqpbpkxwnxbzys.exe
  fxnyqpbpkxwnxbzys.exe .
  2⤵
  PID:4720
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\fxnyqpbpkxwnxbzys.exe*."
    3⤵
    PID:3164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxnyqpbpkxwnxbzys.exe
1⤵
PID:3744
- C:\Windows\fxnyqpbpkxwnxbzys.exe
  fxnyqpbpkxwnxbzys.exe
  2⤵
  PID:4364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhaojlarpfhbovwyvhid.exe .
1⤵
PID:2616
- C:\Windows\mhaojlarpfhbovwyvhid.exe
  mhaojlarpfhbovwyvhid.exe .
  2⤵
  PID:2392
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\mhaojlarpfhbovwyvhid.exe*."
    3⤵
    PID:4072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe
1⤵
PID:4044
- C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe
  2⤵
  PID:5108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe .
1⤵
PID:3024
- C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe .
  2⤵
  PID:4064
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\mhaojlarpfhbovwyvhid.exe*."
    3⤵
    PID:1428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
1⤵
PID:1432
- C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
  2⤵
  PID:1920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe .
1⤵
PID:3712
- C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe .
  2⤵
  PID:2748
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\ypeofdobvhfvehec.exe*."
    3⤵
    PID:4664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztlysthxujkdpvvwsdd.exe
1⤵
PID:5080
- C:\Windows\ztlysthxujkdpvvwsdd.exe
  ztlysthxujkdpvvwsdd.exe
  2⤵
  PID:980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypeofdobvhfvehec.exe .
1⤵
PID:3620
- C:\Windows\ypeofdobvhfvehec.exe
  ypeofdobvhfvehec.exe .
  2⤵
  PID:2768
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\ypeofdobvhfvehec.exe*."
    3⤵
    PID:2536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxrgcfvnmdgbpxzcanplf.exe
1⤵
PID:1204
- C:\Windows\bxrgcfvnmdgbpxzcanplf.exe
  bxrgcfvnmdgbpxzcanplf.exe
  2⤵
  PID:1060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhaojlarpfhbovwyvhid.exe .
1⤵
PID:3552
- C:\Windows\mhaojlarpfhbovwyvhid.exe
  mhaojlarpfhbovwyvhid.exe .
  2⤵
  PID:1548
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\mhaojlarpfhbovwyvhid.exe*."
    3⤵
    PID:2488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe
1⤵
PID:4648
- C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe
  2⤵
  PID:3648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe .
1⤵
PID:3164
- C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe .
  2⤵
  PID:4364
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\ohykddqfbpphsxwwrb.exe*."
    3⤵
    PID:1192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe
1⤵
PID:1676
- C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe
  C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe
  2⤵
  PID:2392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe .
1⤵
PID:1612
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4164
- C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe .
  2⤵
  PID:3156
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\fxnyqpbpkxwnxbzys.exe*."
    3⤵
    PID:4676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohykddqfbpphsxwwrb.exe
1⤵
PID:2332
- C:\Windows\ohykddqfbpphsxwwrb.exe
  ohykddqfbpphsxwwrb.exe
  2⤵
  PID:960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxrgcfvnmdgbpxzcanplf.exe .
1⤵
PID:2544
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4212
- C:\Windows\bxrgcfvnmdgbpxzcanplf.exe
  bxrgcfvnmdgbpxzcanplf.exe .
  2⤵
  PID:116
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\bxrgcfvnmdgbpxzcanplf.exe*."
    3⤵
    PID:1020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxnyqpbpkxwnxbzys.exe
1⤵
PID:1960
- C:\Windows\fxnyqpbpkxwnxbzys.exe
  fxnyqpbpkxwnxbzys.exe
  2⤵
  PID:1060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxrgcfvnmdgbpxzcanplf.exe .
1⤵
PID:352
- C:\Windows\bxrgcfvnmdgbpxzcanplf.exe
  bxrgcfvnmdgbpxzcanplf.exe .
  2⤵
  PID:1940
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\bxrgcfvnmdgbpxzcanplf.exe*."
    3⤵
    PID:1232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe
1⤵
PID:2844
- C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe
  C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe
  2⤵
  PID:2296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe .
1⤵
PID:3064
- C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
  C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe .
  2⤵
  PID:4772
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\ztlysthxujkdpvvwsdd.exe*."
    3⤵
    PID:1724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe
1⤵
PID:2488
- C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe
  C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe
  2⤵
  PID:1436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe .
1⤵
PID:3600
- C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe .
  2⤵
  PID:4720
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\ohykddqfbpphsxwwrb.exe*."
    3⤵
    PID:4484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohykddqfbpphsxwwrb.exe
1⤵
PID:2840
- C:\Windows\ohykddqfbpphsxwwrb.exe
  ohykddqfbpphsxwwrb.exe
  2⤵
  PID:4824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohykddqfbpphsxwwrb.exe .
1⤵
PID:3704
- C:\Windows\ohykddqfbpphsxwwrb.exe
  ohykddqfbpphsxwwrb.exe .
  2⤵
  PID:1804
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\ohykddqfbpphsxwwrb.exe*."
    3⤵
    PID:3976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztlysthxujkdpvvwsdd.exe
1⤵
PID:4024
- C:\Windows\ztlysthxujkdpvvwsdd.exe
  ztlysthxujkdpvvwsdd.exe
  2⤵
  PID:3416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohykddqfbpphsxwwrb.exe .
1⤵
PID:4784
- C:\Windows\ohykddqfbpphsxwwrb.exe
  ohykddqfbpphsxwwrb.exe .
  2⤵
  PID:3148
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\ohykddqfbpphsxwwrb.exe*."
    3⤵
    PID:4032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
1⤵
PID:960
- C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
  2⤵
  PID:3056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe .
1⤵
PID:1920
- C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe .
  2⤵
  PID:3732
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\fxnyqpbpkxwnxbzys.exe*."
    3⤵
    PID:1060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
1⤵
PID:2668
- C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
  2⤵
  PID:4980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe .
1⤵
PID:4004
- C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe .
  2⤵
  PID:3428
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\ohykddqfbpphsxwwrb.exe*."
    3⤵
    PID:1588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxrgcfvnmdgbpxzcanplf.exe
1⤵
PID:3980
- C:\Windows\bxrgcfvnmdgbpxzcanplf.exe
  bxrgcfvnmdgbpxzcanplf.exe
  2⤵
  PID:4964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxrgcfvnmdgbpxzcanplf.exe .
1⤵
PID:5060
- C:\Windows\bxrgcfvnmdgbpxzcanplf.exe
  bxrgcfvnmdgbpxzcanplf.exe .
  2⤵
  PID:3744
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\bxrgcfvnmdgbpxzcanplf.exe*."
    3⤵
    PID:1624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypeofdobvhfvehec.exe
1⤵
PID:2716
- C:\Windows\ypeofdobvhfvehec.exe
  ypeofdobvhfvehec.exe
  2⤵
  PID:3668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztlysthxujkdpvvwsdd.exe
1⤵
PID:940
- C:\Windows\ztlysthxujkdpvvwsdd.exe
  ztlysthxujkdpvvwsdd.exe
  2⤵
  PID:5116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxrgcfvnmdgbpxzcanplf.exe
1⤵
PID:4364
- C:\Windows\bxrgcfvnmdgbpxzcanplf.exe
  bxrgcfvnmdgbpxzcanplf.exe
  2⤵
  PID:2616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztlysthxujkdpvvwsdd.exe .
1⤵
PID:3552
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3672
- C:\Windows\ztlysthxujkdpvvwsdd.exe
  ztlysthxujkdpvvwsdd.exe .
  2⤵
  PID:2868
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\ztlysthxujkdpvvwsdd.exe*."
    3⤵
    PID:2316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxnyqpbpkxwnxbzys.exe .
1⤵
PID:3600
- C:\Windows\fxnyqpbpkxwnxbzys.exe
  fxnyqpbpkxwnxbzys.exe .
  2⤵
  PID:1020
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\fxnyqpbpkxwnxbzys.exe*."
    3⤵
    PID:5068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
1⤵
PID:3964
- C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
  2⤵
  PID:2504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztlysthxujkdpvvwsdd.exe .
1⤵
PID:1400
- C:\Windows\ztlysthxujkdpvvwsdd.exe
  ztlysthxujkdpvvwsdd.exe .
  2⤵
  PID:1532
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\ztlysthxujkdpvvwsdd.exe*."
    3⤵
    PID:1924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe .
1⤵
PID:1428
- C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
  C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe .
  2⤵
  PID:2240
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\ztlysthxujkdpvvwsdd.exe*."
    3⤵
    PID:1856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztlysthxujkdpvvwsdd.exe
1⤵
PID:4436
- C:\Windows\ztlysthxujkdpvvwsdd.exe
  ztlysthxujkdpvvwsdd.exe
  2⤵
  PID:4536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohykddqfbpphsxwwrb.exe
1⤵
PID:3060
- C:\Windows\ohykddqfbpphsxwwrb.exe
  ohykddqfbpphsxwwrb.exe
  2⤵
  PID:4364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztlysthxujkdpvvwsdd.exe .
1⤵
PID:3264
- C:\Windows\ztlysthxujkdpvvwsdd.exe
  ztlysthxujkdpvvwsdd.exe .
  2⤵
  PID:2792
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\ztlysthxujkdpvvwsdd.exe*."
    3⤵
    PID:3708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
1⤵
PID:1620
- C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
  C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
  2⤵
  PID:456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxnyqpbpkxwnxbzys.exe .
1⤵
PID:2332
- C:\Windows\fxnyqpbpkxwnxbzys.exe
  fxnyqpbpkxwnxbzys.exe .
  2⤵
  PID:3980
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\fxnyqpbpkxwnxbzys.exe*."
    3⤵
    PID:2844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
1⤵
PID:2476
- C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
  2⤵
  PID:4044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
1⤵
PID:2320
- C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
  2⤵
  PID:4480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe .
1⤵
PID:4780
- C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe .
  2⤵
  PID:220
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\mhaojlarpfhbovwyvhid.exe*."
    3⤵
    PID:3328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe .
1⤵
PID:2280
- C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe .
  2⤵
  PID:4428
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\mhaojlarpfhbovwyvhid.exe*."
    3⤵
    PID:3980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe .
1⤵
PID:4972
- C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe .
  2⤵
  PID:3204
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\mhaojlarpfhbovwyvhid.exe*."
    3⤵
    PID:2104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
1⤵
PID:1204
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:352
- C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
  2⤵
  PID:1804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe .
1⤵
PID:4072
- C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe .
  2⤵
  PID:4152
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\ypeofdobvhfvehec.exe*."
    3⤵
    PID:2920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
1⤵
PID:2836
- C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
  2⤵
  PID:2976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe .
1⤵
PID:2128
- C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe .
  2⤵
  PID:3764
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\fxnyqpbpkxwnxbzys.exe*."
    3⤵
    PID:4572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhaojlarpfhbovwyvhid.exe
1⤵
PID:4908
- C:\Windows\mhaojlarpfhbovwyvhid.exe
  mhaojlarpfhbovwyvhid.exe
  2⤵
  PID:4388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhaojlarpfhbovwyvhid.exe .
1⤵
PID:4852
- C:\Windows\mhaojlarpfhbovwyvhid.exe
  mhaojlarpfhbovwyvhid.exe .
  2⤵
  PID:560
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\mhaojlarpfhbovwyvhid.exe*."
    3⤵
    PID:980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxnyqpbpkxwnxbzys.exe
1⤵
PID:552
- C:\Windows\fxnyqpbpkxwnxbzys.exe
  fxnyqpbpkxwnxbzys.exe
  2⤵
  PID:1612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhaojlarpfhbovwyvhid.exe .
1⤵
PID:2952
- C:\Windows\mhaojlarpfhbovwyvhid.exe
  mhaojlarpfhbovwyvhid.exe .
  2⤵
  PID:4536
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\mhaojlarpfhbovwyvhid.exe*."
    3⤵
    PID:3916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe
1⤵
PID:5068
- C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe
  2⤵
  PID:2668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe .
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe .
  2⤵
  PID:848
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\ohykddqfbpphsxwwrb.exe*."
    3⤵
    PID:1620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
1⤵
PID:3300
- C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
  C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
  2⤵
  PID:2868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe .
1⤵
PID:932
- C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe
  C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe .
  2⤵
  PID:224
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\bxrgcfvnmdgbpxzcanplf.exe*."
    3⤵
    PID:2620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxrgcfvnmdgbpxzcanplf.exe
1⤵
PID:1856
- C:\Windows\bxrgcfvnmdgbpxzcanplf.exe
  bxrgcfvnmdgbpxzcanplf.exe
  2⤵
  PID:1188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxrgcfvnmdgbpxzcanplf.exe .
1⤵
PID:5060
- C:\Windows\bxrgcfvnmdgbpxzcanplf.exe
  bxrgcfvnmdgbpxzcanplf.exe .
  2⤵
  PID:5116
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\bxrgcfvnmdgbpxzcanplf.exe*."
    3⤵
    PID:2792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxrgcfvnmdgbpxzcanplf.exe
1⤵
PID:4420
- C:\Windows\bxrgcfvnmdgbpxzcanplf.exe
  bxrgcfvnmdgbpxzcanplf.exe
  2⤵
  PID:3956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypeofdobvhfvehec.exe .
1⤵
PID:2716
- C:\Windows\ypeofdobvhfvehec.exe
  ypeofdobvhfvehec.exe .
  2⤵
  PID:216
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\ypeofdobvhfvehec.exe*."
    3⤵
    PID:940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe
1⤵
PID:2684
- C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe
  2⤵
  PID:4168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe .
1⤵
PID:4060
- C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe .
  2⤵
  PID:3700
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\mhaojlarpfhbovwyvhid.exe*."
    3⤵
    PID:888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
1⤵
PID:5104
- C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
  2⤵
  PID:3600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe .
1⤵
PID:2036
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2092
- C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe .
  2⤵
  PID:4700
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\ohykddqfbpphsxwwrb.exe*."
    3⤵
    PID:3212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxrgcfvnmdgbpxzcanplf.exe
1⤵
PID:2740
- C:\Windows\bxrgcfvnmdgbpxzcanplf.exe
  bxrgcfvnmdgbpxzcanplf.exe
  2⤵
  PID:3088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztlysthxujkdpvvwsdd.exe .
1⤵
PID:1812
- C:\Windows\ztlysthxujkdpvvwsdd.exe
  ztlysthxujkdpvvwsdd.exe .
  2⤵
  PID:1920
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\ztlysthxujkdpvvwsdd.exe*."
    3⤵
    PID:3300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhaojlarpfhbovwyvhid.exe
1⤵
PID:4772
- C:\Windows\mhaojlarpfhbovwyvhid.exe
  mhaojlarpfhbovwyvhid.exe
  2⤵
  PID:4068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztlysthxujkdpvvwsdd.exe .
1⤵
PID:2292
- C:\Windows\ztlysthxujkdpvvwsdd.exe
  ztlysthxujkdpvvwsdd.exe .
  2⤵
  PID:224
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\ztlysthxujkdpvvwsdd.exe*."
    3⤵
    PID:1624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe
1⤵
PID:4572
- C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe
  2⤵
  PID:4484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe .
1⤵
PID:3712
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4972
- C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe .
  2⤵
  PID:2472
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\ohykddqfbpphsxwwrb.exe*."
    3⤵
    PID:1340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
1⤵
PID:3752
- C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
  C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
  2⤵
  PID:2020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe .
1⤵
PID:648
- C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe .
  2⤵
  PID:5108
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\ohykddqfbpphsxwwrb.exe*."
    3⤵
    PID:1900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohykddqfbpphsxwwrb.exe
1⤵
PID:2392
- C:\Windows\ohykddqfbpphsxwwrb.exe
  ohykddqfbpphsxwwrb.exe
  2⤵
  PID:4608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxnyqpbpkxwnxbzys.exe .
1⤵
PID:1456
- C:\Windows\fxnyqpbpkxwnxbzys.exe
  fxnyqpbpkxwnxbzys.exe .
  2⤵
  PID:4824
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\fxnyqpbpkxwnxbzys.exe*."
    3⤵
    PID:4480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztlysthxujkdpvvwsdd.exe
1⤵
PID:4832
- C:\Windows\ztlysthxujkdpvvwsdd.exe
  ztlysthxujkdpvvwsdd.exe
  2⤵
  PID:232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxnyqpbpkxwnxbzys.exe .
1⤵
PID:5000
- C:\Windows\fxnyqpbpkxwnxbzys.exe
  fxnyqpbpkxwnxbzys.exe .
  2⤵
  PID:2436
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\fxnyqpbpkxwnxbzys.exe*."
    3⤵
    PID:4036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
1⤵
PID:1784
- C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
  C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
  2⤵
  PID:4032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe .
1⤵
PID:2036
- C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe .
  2⤵
  PID:3860
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\ypeofdobvhfvehec.exe*."
    3⤵
    PID:3020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe
1⤵
PID:3916
- C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe
  2⤵
  PID:3692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe .
1⤵
PID:3652
- C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
  C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe .
  2⤵
  PID:1168
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\ztlysthxujkdpvvwsdd.exe*."
    3⤵
    PID:1920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxrgcfvnmdgbpxzcanplf.exe
1⤵
PID:4772
- C:\Windows\bxrgcfvnmdgbpxzcanplf.exe
  bxrgcfvnmdgbpxzcanplf.exe
  2⤵
  PID:3216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxnyqpbpkxwnxbzys.exe .
1⤵
PID:224
- C:\Windows\fxnyqpbpkxwnxbzys.exe
  fxnyqpbpkxwnxbzys.exe .
  2⤵
  PID:3328
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\fxnyqpbpkxwnxbzys.exe*."
    3⤵
    PID:4020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxrgcfvnmdgbpxzcanplf.exe
1⤵
PID:3080
- C:\Windows\bxrgcfvnmdgbpxzcanplf.exe
  bxrgcfvnmdgbpxzcanplf.exe
  2⤵
  PID:1676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohykddqfbpphsxwwrb.exe .
1⤵
PID:1932
- C:\Windows\ohykddqfbpphsxwwrb.exe
  ohykddqfbpphsxwwrb.exe .
  2⤵
  PID:4420
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\ohykddqfbpphsxwwrb.exe*."
    3⤵
    PID:4576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe
1⤵
PID:2920
- C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe
  2⤵
  PID:4568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe .
1⤵
PID:2408
- C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe .
  2⤵
  PID:2412
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\fxnyqpbpkxwnxbzys.exe*."
    3⤵
    PID:1036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe
1⤵
PID:1400
- C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe
  2⤵
  PID:3700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe .
1⤵
PID:1232
- C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe .
  2⤵
  PID:3884
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\ypeofdobvhfvehec.exe*."
    3⤵
    PID:1804
  - - C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe
      "C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe" "-c:\users\admin\appdata\local\temp\ypeofdobvhfvehec.exe"
      4⤵
      PID:1168
  - - C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe
      "C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe" "-c:\users\admin\appdata\local\temp\ypeofdobvhfvehec.exe"
      4⤵
      PID:3748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fvlzqkdwkxwnxbzys.exe
1⤵
PID:2716
- C:\Windows\fvlzqkdwkxwnxbzys.exe
  fvlzqkdwkxwnxbzys.exe
  2⤵
  PID:2668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztlysthxujkdpvvwsdd.exe
1⤵
PID:3600
- C:\Windows\ztlysthxujkdpvvwsdd.exe
  ztlysthxujkdpvvwsdd.exe
  2⤵
  PID:4292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mfypjgcypfhbovwyvhib.exe .
1⤵
PID:2880
- C:\Windows\mfypjgcypfhbovwyvhib.exe
  mfypjgcypfhbovwyvhib.exe .
  2⤵
  PID:1612
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\mfypjgcypfhbovwyvhib.exe*."
    3⤵
    PID:2104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypeofdobvhfvehec.exe .
1⤵
PID:2124
- C:\Windows\ypeofdobvhfvehec.exe
  ypeofdobvhfvehec.exe .
  2⤵
  PID:2592
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\ypeofdobvhfvehec.exe*."
    3⤵
    PID:1320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ofwldysmbpphsxwwrb.exe
1⤵
PID:3088
- C:\Windows\ofwldysmbpphsxwwrb.exe
  ofwldysmbpphsxwwrb.exe
  2⤵
  PID:3652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztlysthxujkdpvvwsdd.exe
1⤵
PID:4840
- C:\Windows\ztlysthxujkdpvvwsdd.exe
  ztlysthxujkdpvvwsdd.exe
  2⤵
  PID:1544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zrjzsojeujkdpvvwsdd.exe .
1⤵
PID:3692
- C:\Windows\zrjzsojeujkdpvvwsdd.exe
  zrjzsojeujkdpvvwsdd.exe .
  2⤵
  PID:4348
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\zrjzsojeujkdpvvwsdd.exe*."
    3⤵
    PID:4780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohykddqfbpphsxwwrb.exe .
1⤵
PID:1900
- C:\Windows\ohykddqfbpphsxwwrb.exe
  ohykddqfbpphsxwwrb.exe .
  2⤵
  PID:2412
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\ohykddqfbpphsxwwrb.exe*."
    3⤵
    PID:2716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bvphcaxumdgbpxzcanpjd.exe
1⤵
PID:848
- C:\Users\Admin\AppData\Local\Temp\bvphcaxumdgbpxzcanpjd.exe
  C:\Users\Admin\AppData\Local\Temp\bvphcaxumdgbpxzcanpjd.exe
  2⤵
  PID:3100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe
1⤵
PID:2748
- C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe
  2⤵
  PID:404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypeofdobvhfvehec.exe
1⤵
PID:4784
- C:\Windows\ypeofdobvhfvehec.exe
  ypeofdobvhfvehec.exe
  2⤵
  PID:3916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe .
1⤵
PID:4760
- C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe .
  2⤵
  PID:4388
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\yncpfyqivhfvehec.exe*."
    3⤵
    PID:4772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe .
1⤵
PID:1960
- C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe .
  2⤵
  PID:2840
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\ohykddqfbpphsxwwrb.exe*."
    3⤵
    PID:2032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxrgcfvnmdgbpxzcanplf.exe .
1⤵
PID:2292
- C:\Windows\bxrgcfvnmdgbpxzcanplf.exe
  bxrgcfvnmdgbpxzcanplf.exe .
  2⤵
  PID:4168
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\bxrgcfvnmdgbpxzcanplf.exe*."
    3⤵
    PID:1168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mfypjgcypfhbovwyvhib.exe
1⤵
PID:3708
- C:\Users\Admin\AppData\Local\Temp\mfypjgcypfhbovwyvhib.exe
  C:\Users\Admin\AppData\Local\Temp\mfypjgcypfhbovwyvhib.exe
  2⤵
  PID:220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
1⤵
PID:2676
- C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
  C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
  2⤵
  PID:2968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fvlzqkdwkxwnxbzys.exe .
1⤵
PID:1788
- C:\Users\Admin\AppData\Local\Temp\fvlzqkdwkxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\fvlzqkdwkxwnxbzys.exe .
  2⤵
  PID:4068
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\fvlzqkdwkxwnxbzys.exe*."
    3⤵
    PID:2740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxrgcfvnmdgbpxzcanplf.exe
1⤵
PID:4360
- C:\Windows\bxrgcfvnmdgbpxzcanplf.exe
  bxrgcfvnmdgbpxzcanplf.exe
  2⤵
  PID:4780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe .
1⤵
PID:4004
- C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe
  C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe .
  2⤵
  PID:1812
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\bxrgcfvnmdgbpxzcanplf.exe*."
    3⤵
    PID:3100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypeofdobvhfvehec.exe .
1⤵
PID:1400
- C:\Windows\ypeofdobvhfvehec.exe
  ypeofdobvhfvehec.exe .
  2⤵
  PID:3020
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\ypeofdobvhfvehec.exe*."
    3⤵
    PID:4632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypeofdobvhfvehec.exe
1⤵
PID:4312
- C:\Windows\ypeofdobvhfvehec.exe
  ypeofdobvhfvehec.exe
  2⤵
  PID:4956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
1⤵
PID:888
- C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
  2⤵
  PID:4984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztlysthxujkdpvvwsdd.exe .
1⤵
PID:3356
- C:\Windows\ztlysthxujkdpvvwsdd.exe
  ztlysthxujkdpvvwsdd.exe .
  2⤵
  PID:4620
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\ztlysthxujkdpvvwsdd.exe*."
    3⤵
    PID:116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe .
1⤵
PID:2620
- C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhaojlarpfhbovwyvhid.exe .
  2⤵
  PID:4192
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\mhaojlarpfhbovwyvhid.exe*."
    3⤵
    PID:3064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhaojlarpfhbovwyvhid.exe
1⤵
PID:3652
- C:\Windows\mhaojlarpfhbovwyvhid.exe
  mhaojlarpfhbovwyvhid.exe
  2⤵
  PID:2412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe
1⤵
PID:4924
- C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\ypeofdobvhfvehec.exe
  2⤵
  PID:2024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztlysthxujkdpvvwsdd.exe .
1⤵
PID:560
- C:\Windows\ztlysthxujkdpvvwsdd.exe
  ztlysthxujkdpvvwsdd.exe .
  2⤵
  PID:648
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\ztlysthxujkdpvvwsdd.exe*."
    3⤵
    PID:3712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe .
1⤵
PID:1784
- C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe
  C:\Users\Admin\AppData\Local\Temp\bxrgcfvnmdgbpxzcanplf.exe .
  2⤵
  PID:4152
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\bxrgcfvnmdgbpxzcanplf.exe*."
    3⤵
    PID:3164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
1⤵
PID:3088
- C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
  C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
  2⤵
  PID:1456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe .
1⤵
PID:4576
- C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe .
  2⤵
  PID:208
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\ohykddqfbpphsxwwrb.exe*."
    3⤵
    PID:1984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
1⤵
PID:2264
- C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\fxnyqpbpkxwnxbzys.exe
  2⤵
  PID:2840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe .
1⤵
PID:3132
- C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe .
  2⤵
  PID:3916
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\ohykddqfbpphsxwwrb.exe*."
    3⤵
    PID:3464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxrgcfvnmdgbpxzcanplf.exe
1⤵
PID:3292
- C:\Windows\bxrgcfvnmdgbpxzcanplf.exe
  bxrgcfvnmdgbpxzcanplf.exe
  2⤵
  PID:1812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxnyqpbpkxwnxbzys.exe .
1⤵
PID:552
- C:\Windows\fxnyqpbpkxwnxbzys.exe
  fxnyqpbpkxwnxbzys.exe .
  2⤵
  PID:4904
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\fxnyqpbpkxwnxbzys.exe*."
    3⤵
    PID:4192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yncpfyqivhfvehec.exe
1⤵
PID:2844
- C:\Windows\yncpfyqivhfvehec.exe
  yncpfyqivhfvehec.exe
  2⤵
  PID:1984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztlysthxujkdpvvwsdd.exe
1⤵
PID:1456
- C:\Windows\ztlysthxujkdpvvwsdd.exe
  ztlysthxujkdpvvwsdd.exe
  2⤵
  PID:1588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypeofdobvhfvehec.exe .
1⤵
PID:2968
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4824
- C:\Windows\ypeofdobvhfvehec.exe
  ypeofdobvhfvehec.exe .
  2⤵
  PID:3956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yncpfyqivhfvehec.exe .
1⤵
PID:632
- C:\Windows\yncpfyqivhfvehec.exe
  yncpfyqivhfvehec.exe .
  2⤵
  PID:4536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
1⤵
PID:3604
- C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
  C:\Users\Admin\AppData\Local\Temp\ztlysthxujkdpvvwsdd.exe
  2⤵
  PID:4276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohykddqfbpphsxwwrb.exe .
1⤵
PID:2348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fvlzqkdwkxwnxbzys.exe
1⤵
PID:4608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zrjzsojeujkdpvvwsdd.exe .
1⤵
PID:4428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Modify Registry