pykspa | 785381c164670ccddbef375467c55da621d3f401a56f3e55a14161b108207eca

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	wjjqp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	wjjqp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe

Pykspa
Pykspa is a worm spreads via Skype uses DGA and it's written in C++.
worm pykspa
Pykspa family
pykspa

UAC bypass 3 TTPs 24 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	wjjqp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	wjjqp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wjjqp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wjjqp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wjjqp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wjjqp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wjjqp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wjjqp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe

Detect Pykspa worm 2 IoCs

worm

resource	yara_rule
behavioral2/files/0x000d000000023f03-4.dat	family_pykspa
behavioral2/files/0x000700000002405d-86.dat	family_pykspa

Adds policy Run key to start application 2 TTPs 49 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jzcmocln = "jjwqcatfzqtbxueqkj.exe"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wjjqp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uvjerqkxskoxusdqlly.exe"	wjjqp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jzcmocln = "hjyuiidrnglvtsesopdf.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jzcmocln = "uvjerqkxskoxusdqlly.exe"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jzcmocln = "hjyuiidrnglvtsesopdf.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jzcmocln = "uvjerqkxskoxusdqlly.exe"	wjjqp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jzcmocln = "trcuearbtijpjemw.exe"	wjjqp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wjjqp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uvjerqkxskoxusdqlly.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jzcmocln = "wzpmbcynkekvuuhwtvknd.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jzcmocln = "azlepmepiyahcyhsl.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jzcmocln = "wzpmbcynkekvuuhwtvknd.exe"	wjjqp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jzcmocln = "wzpmbcynkekvuuhwtvknd.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jzcmocln = "jjwqcatfzqtbxueqkj.exe"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wjjqp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hjyuiidrnglvtsesopdf.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wjjqp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jjwqcatfzqtbxueqkj.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jzcmocln = "jjwqcatfzqtbxueqkj.exe"	wjjqp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wjjqp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jjwqcatfzqtbxueqkj.exe"	wjjqp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wjjqp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hjyuiidrnglvtsesopdf.exe"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wjjqp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wjjqp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jjwqcatfzqtbxueqkj.exe"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wjjqp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jjwqcatfzqtbxueqkj.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jzcmocln = "hjyuiidrnglvtsesopdf.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wjjqp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wzpmbcynkekvuuhwtvknd.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wjjqp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uvjerqkxskoxusdqlly.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wjjqp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uvjerqkxskoxusdqlly.exe"	wjjqp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jzcmocln = "trcuearbtijpjemw.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wjjqp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wzpmbcynkekvuuhwtvknd.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jzcmocln = "jjwqcatfzqtbxueqkj.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wjjqp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jjwqcatfzqtbxueqkj.exe"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wjjqp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wjjqp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hjyuiidrnglvtsesopdf.exe"	wjjqp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wjjqp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uvjerqkxskoxusdqlly.exe"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jzcmocln = "uvjerqkxskoxusdqlly.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wjjqp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\trcuearbtijpjemw.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jzcmocln = "hjyuiidrnglvtsesopdf.exe"	wjjqp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jzcmocln = "hjyuiidrnglvtsesopdf.exe"	abqgjobtkla.exe

Disables RegEdit via registry modification 6 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	abqgjobtkla.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wjjqp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wjjqp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wjjqp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wjjqp.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	azlepmepiyahcyhsl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	azlepmepiyahcyhsl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	jjwqcatfzqtbxueqkj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	uvjerqkxskoxusdqlly.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	trcuearbtijpjemw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	wzpmbcynkekvuuhwtvknd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	wzpmbcynkekvuuhwtvknd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	azlepmepiyahcyhsl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	uvjerqkxskoxusdqlly.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	uvjerqkxskoxusdqlly.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	uvjerqkxskoxusdqlly.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	wzpmbcynkekvuuhwtvknd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	abqgjobtkla.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	uvjerqkxskoxusdqlly.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	hjyuiidrnglvtsesopdf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	azlepmepiyahcyhsl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	trcuearbtijpjemw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	wzpmbcynkekvuuhwtvknd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	hjyuiidrnglvtsesopdf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	uvjerqkxskoxusdqlly.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	trcuearbtijpjemw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	azlepmepiyahcyhsl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	uvjerqkxskoxusdqlly.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	uvjerqkxskoxusdqlly.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	hjyuiidrnglvtsesopdf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	azlepmepiyahcyhsl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	wzpmbcynkekvuuhwtvknd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	wzpmbcynkekvuuhwtvknd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	wzpmbcynkekvuuhwtvknd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	uvjerqkxskoxusdqlly.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	azlepmepiyahcyhsl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	uvjerqkxskoxusdqlly.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	trcuearbtijpjemw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	azlepmepiyahcyhsl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	azlepmepiyahcyhsl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	trcuearbtijpjemw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	wzpmbcynkekvuuhwtvknd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	wzpmbcynkekvuuhwtvknd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	trcuearbtijpjemw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	jjwqcatfzqtbxueqkj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	trcuearbtijpjemw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	azlepmepiyahcyhsl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	azlepmepiyahcyhsl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	uvjerqkxskoxusdqlly.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	trcuearbtijpjemw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	uvjerqkxskoxusdqlly.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	wzpmbcynkekvuuhwtvknd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	trcuearbtijpjemw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	trcuearbtijpjemw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	jjwqcatfzqtbxueqkj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	uvjerqkxskoxusdqlly.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	azlepmepiyahcyhsl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	wzpmbcynkekvuuhwtvknd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	azlepmepiyahcyhsl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	wzpmbcynkekvuuhwtvknd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	trcuearbtijpjemw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	azlepmepiyahcyhsl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	azlepmepiyahcyhsl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	wzpmbcynkekvuuhwtvknd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	jjwqcatfzqtbxueqkj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	azlepmepiyahcyhsl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	azlepmepiyahcyhsl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	hjyuiidrnglvtsesopdf.exe

Executes dropped EXE 64 IoCs

pid	Process
1500	abqgjobtkla.exe
408	uvjerqkxskoxusdqlly.exe
1168	azlepmepiyahcyhsl.exe
4236	abqgjobtkla.exe
2732	azlepmepiyahcyhsl.exe
4164	wzpmbcynkekvuuhwtvknd.exe
2324	jjwqcatfzqtbxueqkj.exe
4196	abqgjobtkla.exe
4852	hjyuiidrnglvtsesopdf.exe
4340	azlepmepiyahcyhsl.exe
436	abqgjobtkla.exe
5056	trcuearbtijpjemw.exe
1356	abqgjobtkla.exe
2376	wjjqp.exe
1632	wjjqp.exe
668	jjwqcatfzqtbxueqkj.exe
3764	jjwqcatfzqtbxueqkj.exe
944	trcuearbtijpjemw.exe
1916	wzpmbcynkekvuuhwtvknd.exe
3816	abqgjobtkla.exe
3476	wzpmbcynkekvuuhwtvknd.exe
4380	abqgjobtkla.exe
3856	wzpmbcynkekvuuhwtvknd.exe
2368	uvjerqkxskoxusdqlly.exe
208	hjyuiidrnglvtsesopdf.exe
4880	wzpmbcynkekvuuhwtvknd.exe
5000	abqgjobtkla.exe
2456	azlepmepiyahcyhsl.exe
5092	hjyuiidrnglvtsesopdf.exe
3020	azlepmepiyahcyhsl.exe
2860	hjyuiidrnglvtsesopdf.exe
4360	wzpmbcynkekvuuhwtvknd.exe
3404	trcuearbtijpjemw.exe
2104	abqgjobtkla.exe
3580	wzpmbcynkekvuuhwtvknd.exe
4928	abqgjobtkla.exe
2224	trcuearbtijpjemw.exe
2716	abqgjobtkla.exe
4384	abqgjobtkla.exe
2948	uvjerqkxskoxusdqlly.exe
708	abqgjobtkla.exe
3828	abqgjobtkla.exe
1112	wzpmbcynkekvuuhwtvknd.exe
1976	azlepmepiyahcyhsl.exe
4664	azlepmepiyahcyhsl.exe
840	abqgjobtkla.exe
2088	jjwqcatfzqtbxueqkj.exe
2612	abqgjobtkla.exe
2340	wzpmbcynkekvuuhwtvknd.exe
972	trcuearbtijpjemw.exe
1500	abqgjobtkla.exe
2604	jjwqcatfzqtbxueqkj.exe
1608	wzpmbcynkekvuuhwtvknd.exe
2316	uvjerqkxskoxusdqlly.exe
2948	abqgjobtkla.exe
2368	uvjerqkxskoxusdqlly.exe
4432	jjwqcatfzqtbxueqkj.exe
3096	uvjerqkxskoxusdqlly.exe
408	azlepmepiyahcyhsl.exe
4480	wzpmbcynkekvuuhwtvknd.exe
4312	abqgjobtkla.exe
2060	azlepmepiyahcyhsl.exe
880	wzpmbcynkekvuuhwtvknd.exe
2984	abqgjobtkla.exe

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	wjjqp.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	wjjqp.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	wjjqp.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	wjjqp.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	wjjqp.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	wjjqp.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

defense_evasion persistence privilege_escalation

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ohnafwinakg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\azlepmepiyahcyhsl.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\arvgjyilw = "azlepmepiyahcyhsl.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ujluviq = "trcuearbtijpjemw.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tlqcgwhlxg = "wzpmbcynkekvuuhwtvknd.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ohnafwinakg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\trcuearbtijpjemw.exe ."	wjjqp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ujluviq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uvjerqkxskoxusdqlly.exe ."	wjjqp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hvweeq = "jjwqcatfzqtbxueqkj.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ujluviq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\azlepmepiyahcyhsl.exe ."	wjjqp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lfmagylrfqnp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wzpmbcynkekvuuhwtvknd.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ohnafwinakg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\azlepmepiyahcyhsl.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ujluviq = "azlepmepiyahcyhsl.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hvweeq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\azlepmepiyahcyhsl.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ujluviq = "wzpmbcynkekvuuhwtvknd.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ujluviq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\trcuearbtijpjemw.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ujluviq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\azlepmepiyahcyhsl.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hvweeq = "jjwqcatfzqtbxueqkj.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tlqcgwhlxg = "uvjerqkxskoxusdqlly.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ujluviq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wzpmbcynkekvuuhwtvknd.exe ."	wjjqp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hvweeq = "jjwqcatfzqtbxueqkj.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hvweeq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\azlepmepiyahcyhsl.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lfmagylrfqnp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hjyuiidrnglvtsesopdf.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ohnafwinakg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wzpmbcynkekvuuhwtvknd.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tlqcgwhlxg = "wzpmbcynkekvuuhwtvknd.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lfmagylrfqnp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wzpmbcynkekvuuhwtvknd.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lfmagylrfqnp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jjwqcatfzqtbxueqkj.exe"	wjjqp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\arvgjyilw = "azlepmepiyahcyhsl.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lfmagylrfqnp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uvjerqkxskoxusdqlly.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tlqcgwhlxg = "uvjerqkxskoxusdqlly.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ohnafwinakg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hjyuiidrnglvtsesopdf.exe ."	wjjqp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hvweeq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uvjerqkxskoxusdqlly.exe"	wjjqp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ujluviq = "jjwqcatfzqtbxueqkj.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hvweeq = "hjyuiidrnglvtsesopdf.exe"	wjjqp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\arvgjyilw = "hjyuiidrnglvtsesopdf.exe"	wjjqp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ujluviq = "wzpmbcynkekvuuhwtvknd.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lfmagylrfqnp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hjyuiidrnglvtsesopdf.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lfmagylrfqnp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\trcuearbtijpjemw.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tlqcgwhlxg = "uvjerqkxskoxusdqlly.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\arvgjyilw = "wzpmbcynkekvuuhwtvknd.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ujluviq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\trcuearbtijpjemw.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ohnafwinakg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\azlepmepiyahcyhsl.exe ."	wjjqp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hvweeq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wzpmbcynkekvuuhwtvknd.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lfmagylrfqnp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\azlepmepiyahcyhsl.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ohnafwinakg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\azlepmepiyahcyhsl.exe ."	wjjqp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hvweeq = "jjwqcatfzqtbxueqkj.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\arvgjyilw = "uvjerqkxskoxusdqlly.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hvweeq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\azlepmepiyahcyhsl.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ohnafwinakg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jjwqcatfzqtbxueqkj.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ujluviq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\trcuearbtijpjemw.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hvweeq = "uvjerqkxskoxusdqlly.exe"	wjjqp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\arvgjyilw = "hjyuiidrnglvtsesopdf.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tlqcgwhlxg = "uvjerqkxskoxusdqlly.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hvweeq = "uvjerqkxskoxusdqlly.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ujluviq = "azlepmepiyahcyhsl.exe ."	wjjqp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hvweeq = "trcuearbtijpjemw.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ujluviq = "jjwqcatfzqtbxueqkj.exe ."	wjjqp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lfmagylrfqnp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\azlepmepiyahcyhsl.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ohnafwinakg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\azlepmepiyahcyhsl.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\arvgjyilw = "uvjerqkxskoxusdqlly.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\arvgjyilw = "wzpmbcynkekvuuhwtvknd.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hvweeq = "trcuearbtijpjemw.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ujluviq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wzpmbcynkekvuuhwtvknd.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ujluviq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uvjerqkxskoxusdqlly.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ohnafwinakg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\azlepmepiyahcyhsl.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\arvgjyilw = "azlepmepiyahcyhsl.exe"	abqgjobtkla.exe

Checks whether UAC is enabled 1 TTPs 30 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wjjqp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wjjqp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wjjqp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wjjqp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs

Possible Turn off User Account Control's privilege elevation for standard users.

Executable Installer File Permissions Weakness

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	wjjqp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	wjjqp.exe

Looks up external IP address via web service 7 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
40	whatismyip.everdot.org
42	whatismyipaddress.com
49	whatismyip.everdot.org
50	www.whatismyip.ca
25	whatismyip.everdot.org
33	www.whatismyip.ca
36	www.showmyipaddress.com

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\nrigwyvljelxxymcadtxom.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\jjwqcatfzqtbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\jjwqcatfzqtbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\nrigwyvljelxxymcadtxom.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\nrigwyvljelxxymcadtxom.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\wzpmbcynkekvuuhwtvknd.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\nrigwyvljelxxymcadtxom.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\jjwqcatfzqtbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\wzpmbcynkekvuuhwtvknd.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\uvjerqkxskoxusdqlly.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\trcuearbtijpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\trcuearbtijpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\uvjerqkxskoxusdqlly.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\hjyuiidrnglvtsesopdf.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\nrigwyvljelxxymcadtxom.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\nrigwyvljelxxymcadtxom.exe	wjjqp.exe
File opened for modification	C:\Windows\SysWOW64\wzpmbcynkekvuuhwtvknd.exe	wjjqp.exe
File opened for modification	C:\Windows\SysWOW64\nrigwyvljelxxymcadtxom.exe	wjjqp.exe
File opened for modification	C:\Windows\SysWOW64\wjjqpagfmqgbkurqxjivvcbmsry.snw	wjjqp.exe
File opened for modification	C:\Windows\SysWOW64\uvjerqkxskoxusdqlly.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\uvjerqkxskoxusdqlly.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\azlepmepiyahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\hjyuiidrnglvtsesopdf.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\azlepmepiyahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\hjyuiidrnglvtsesopdf.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\jjwqcatfzqtbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\uvjerqkxskoxusdqlly.exe	wjjqp.exe
File opened for modification	C:\Windows\SysWOW64\hjyuiidrnglvtsesopdf.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\nrigwyvljelxxymcadtxom.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\azlepmepiyahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\wzpmbcynkekvuuhwtvknd.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\nrigwyvljelxxymcadtxom.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\wzpmbcynkekvuuhwtvknd.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\nrigwyvljelxxymcadtxom.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\jjwqcatfzqtbxueqkj.exe	wjjqp.exe
File opened for modification	C:\Windows\SysWOW64\trcuearbtijpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\trcuearbtijpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\uvjerqkxskoxusdqlly.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\hjyuiidrnglvtsesopdf.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\azlepmepiyahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\trcuearbtijpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\wzpmbcynkekvuuhwtvknd.exe	abqgjobtkla.exe
File created	C:\Windows\SysWOW64\trcuearbtijpjemwolvtewgctdvklrlgoyqnxv.yie	wjjqp.exe
File opened for modification	C:\Windows\SysWOW64\azlepmepiyahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\jjwqcatfzqtbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\hjyuiidrnglvtsesopdf.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\uvjerqkxskoxusdqlly.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\nrigwyvljelxxymcadtxom.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\hjyuiidrnglvtsesopdf.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\azlepmepiyahcyhsl.exe	wjjqp.exe
File opened for modification	C:\Windows\SysWOW64\uvjerqkxskoxusdqlly.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\wzpmbcynkekvuuhwtvknd.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\hjyuiidrnglvtsesopdf.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\azlepmepiyahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\trcuearbtijpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\uvjerqkxskoxusdqlly.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\trcuearbtijpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\trcuearbtijpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\uvjerqkxskoxusdqlly.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\uvjerqkxskoxusdqlly.exe	wjjqp.exe
File opened for modification	C:\Windows\SysWOW64\trcuearbtijpjemw.exe	wjjqp.exe
File opened for modification	C:\Windows\SysWOW64\wzpmbcynkekvuuhwtvknd.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\azlepmepiyahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\trcuearbtijpjemw.exe	abqgjobtkla.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\wjjqpagfmqgbkurqxjivvcbmsry.snw	wjjqp.exe
File created	C:\Program Files (x86)\wjjqpagfmqgbkurqxjivvcbmsry.snw	wjjqp.exe
File opened for modification	C:\Program Files (x86)\trcuearbtijpjemwolvtewgctdvklrlgoyqnxv.yie	wjjqp.exe
File created	C:\Program Files (x86)\trcuearbtijpjemwolvtewgctdvklrlgoyqnxv.yie	wjjqp.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\nrigwyvljelxxymcadtxom.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\nrigwyvljelxxymcadtxom.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\wzpmbcynkekvuuhwtvknd.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\hjyuiidrnglvtsesopdf.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\azlepmepiyahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\trcuearbtijpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\hjyuiidrnglvtsesopdf.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\nrigwyvljelxxymcadtxom.exe	wjjqp.exe
File opened for modification	C:\Windows\uvjerqkxskoxusdqlly.exe	wjjqp.exe
File opened for modification	C:\Windows\jjwqcatfzqtbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\wzpmbcynkekvuuhwtvknd.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\nrigwyvljelxxymcadtxom.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\azlepmepiyahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\hjyuiidrnglvtsesopdf.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\azlepmepiyahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\hjyuiidrnglvtsesopdf.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\wzpmbcynkekvuuhwtvknd.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\azlepmepiyahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\uvjerqkxskoxusdqlly.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\uvjerqkxskoxusdqlly.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\uvjerqkxskoxusdqlly.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\wzpmbcynkekvuuhwtvknd.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\trcuearbtijpjemw.exe	wjjqp.exe
File created	C:\Windows\trcuearbtijpjemwolvtewgctdvklrlgoyqnxv.yie	wjjqp.exe
File opened for modification	C:\Windows\azlepmepiyahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\nrigwyvljelxxymcadtxom.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\azlepmepiyahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\nrigwyvljelxxymcadtxom.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\hjyuiidrnglvtsesopdf.exe	wjjqp.exe
File created	C:\Windows\wjjqpagfmqgbkurqxjivvcbmsry.snw	wjjqp.exe
File opened for modification	C:\Windows\uvjerqkxskoxusdqlly.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\uvjerqkxskoxusdqlly.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\trcuearbtijpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\jjwqcatfzqtbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\trcuearbtijpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\wzpmbcynkekvuuhwtvknd.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\trcuearbtijpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\trcuearbtijpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\jjwqcatfzqtbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\nrigwyvljelxxymcadtxom.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\nrigwyvljelxxymcadtxom.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\uvjerqkxskoxusdqlly.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\trcuearbtijpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\jjwqcatfzqtbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\wzpmbcynkekvuuhwtvknd.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\azlepmepiyahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\wzpmbcynkekvuuhwtvknd.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\hjyuiidrnglvtsesopdf.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\jjwqcatfzqtbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\wzpmbcynkekvuuhwtvknd.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\hjyuiidrnglvtsesopdf.exe	wjjqp.exe
File opened for modification	C:\Windows\nrigwyvljelxxymcadtxom.exe	wjjqp.exe
File opened for modification	C:\Windows\trcuearbtijpjemwolvtewgctdvklrlgoyqnxv.yie	wjjqp.exe
File opened for modification	C:\Windows\jjwqcatfzqtbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\nrigwyvljelxxymcadtxom.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\azlepmepiyahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\hjyuiidrnglvtsesopdf.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\nrigwyvljelxxymcadtxom.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\trcuearbtijpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\hjyuiidrnglvtsesopdf.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\jjwqcatfzqtbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\wjjqpagfmqgbkurqxjivvcbmsry.snw	wjjqp.exe
File opened for modification	C:\Windows\wzpmbcynkekvuuhwtvknd.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\uvjerqkxskoxusdqlly.exe	abqgjobtkla.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uvjerqkxskoxusdqlly.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wzpmbcynkekvuuhwtvknd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	trcuearbtijpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uvjerqkxskoxusdqlly.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uvjerqkxskoxusdqlly.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	azlepmepiyahcyhsl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jjwqcatfzqtbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wzpmbcynkekvuuhwtvknd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jjwqcatfzqtbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wzpmbcynkekvuuhwtvknd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wzpmbcynkekvuuhwtvknd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	azlepmepiyahcyhsl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wzpmbcynkekvuuhwtvknd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uvjerqkxskoxusdqlly.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	azlepmepiyahcyhsl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uvjerqkxskoxusdqlly.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uvjerqkxskoxusdqlly.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wzpmbcynkekvuuhwtvknd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wzpmbcynkekvuuhwtvknd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uvjerqkxskoxusdqlly.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	azlepmepiyahcyhsl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hjyuiidrnglvtsesopdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uvjerqkxskoxusdqlly.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uvjerqkxskoxusdqlly.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wzpmbcynkekvuuhwtvknd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	trcuearbtijpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jjwqcatfzqtbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	azlepmepiyahcyhsl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wzpmbcynkekvuuhwtvknd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	azlepmepiyahcyhsl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	trcuearbtijpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jjwqcatfzqtbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jjwqcatfzqtbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wzpmbcynkekvuuhwtvknd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uvjerqkxskoxusdqlly.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jjwqcatfzqtbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jjwqcatfzqtbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	azlepmepiyahcyhsl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	trcuearbtijpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	trcuearbtijpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	trcuearbtijpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uvjerqkxskoxusdqlly.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hjyuiidrnglvtsesopdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abqgjobtkla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	trcuearbtijpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	azlepmepiyahcyhsl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	azlepmepiyahcyhsl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hjyuiidrnglvtsesopdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	azlepmepiyahcyhsl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uvjerqkxskoxusdqlly.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hjyuiidrnglvtsesopdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jjwqcatfzqtbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uvjerqkxskoxusdqlly.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	azlepmepiyahcyhsl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	azlepmepiyahcyhsl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	trcuearbtijpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uvjerqkxskoxusdqlly.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wzpmbcynkekvuuhwtvknd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	trcuearbtijpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	trcuearbtijpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wjjqp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hjyuiidrnglvtsesopdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jjwqcatfzqtbxueqkj.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1936	JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe
1936	JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe
1936	JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe
1936	JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe
1936	JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe
1936	JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe
1936	JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe
1936	JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe
1936	JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe
1936	JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe
1936	JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe
1936	JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe
1936	JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe
1936	JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe
1936	JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe
1936	JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe
2376	wjjqp.exe
2376	wjjqp.exe
1936	JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe
1936	JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe
1936	JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe
1936	JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe
1936	JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe
1936	JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe
1936	JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe
1936	JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe
1936	JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe
1936	JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe
1936	JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe
1936	JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe
1936	JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe
1936	JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe
1936	JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe
1936	JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe
1936	JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe
1936	JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe
1936	JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe
1936	JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe
1936	JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe
1936	JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe
1936	JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe
1936	JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe
1936	JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe
1936	JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe
1936	JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe
1936	JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe
1936	JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe
1936	JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe
1936	JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe
1936	JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe
1936	JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe
1936	JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe
1936	JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe
1936	JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe
1936	JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe
1936	JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe
2376	wjjqp.exe
2376	wjjqp.exe
1936	JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe
1936	JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe
1936	JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe
1936	JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe
1936	JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe
1936	JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2376	wjjqp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 1500	1936	JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe	88
PID 1936 wrote to memory of 1500	1936	JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe	88
PID 1936 wrote to memory of 1500	1936	JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe	88
PID 116 wrote to memory of 408	116	cmd.exe	91
PID 116 wrote to memory of 408	116	cmd.exe	91
PID 116 wrote to memory of 408	116	cmd.exe	91
PID 3084 wrote to memory of 1168	3084	cmd.exe	94
PID 3084 wrote to memory of 1168	3084	cmd.exe	94
PID 3084 wrote to memory of 1168	3084	cmd.exe	94
PID 1168 wrote to memory of 4236	1168	azlepmepiyahcyhsl.exe	99
PID 1168 wrote to memory of 4236	1168	azlepmepiyahcyhsl.exe	99
PID 1168 wrote to memory of 4236	1168	azlepmepiyahcyhsl.exe	99
PID 2380 wrote to memory of 2732	2380	cmd.exe	133
PID 2380 wrote to memory of 2732	2380	cmd.exe	133
PID 2380 wrote to memory of 2732	2380	cmd.exe	133
PID 2784 wrote to memory of 4164	2784	cmd.exe	103
PID 2784 wrote to memory of 4164	2784	cmd.exe	103
PID 2784 wrote to memory of 4164	2784	cmd.exe	103
PID 5064 wrote to memory of 2324	5064	cmd.exe	108
PID 5064 wrote to memory of 2324	5064	cmd.exe	108
PID 5064 wrote to memory of 2324	5064	cmd.exe	108
PID 4164 wrote to memory of 4196	4164	wzpmbcynkekvuuhwtvknd.exe	109
PID 4164 wrote to memory of 4196	4164	wzpmbcynkekvuuhwtvknd.exe	109
PID 4164 wrote to memory of 4196	4164	wzpmbcynkekvuuhwtvknd.exe	109
PID 1272 wrote to memory of 4852	1272	cmd.exe	110
PID 1272 wrote to memory of 4852	1272	cmd.exe	110
PID 1272 wrote to memory of 4852	1272	cmd.exe	110
PID 4852 wrote to memory of 436	4852	hjyuiidrnglvtsesopdf.exe	114
PID 4852 wrote to memory of 436	4852	hjyuiidrnglvtsesopdf.exe	114
PID 4852 wrote to memory of 436	4852	hjyuiidrnglvtsesopdf.exe	114
PID 2860 wrote to memory of 4340	2860	cmd.exe	113
PID 2860 wrote to memory of 4340	2860	cmd.exe	113
PID 2860 wrote to memory of 4340	2860	cmd.exe	113
PID 4600 wrote to memory of 5056	4600	cmd.exe	117
PID 4600 wrote to memory of 5056	4600	cmd.exe	117
PID 4600 wrote to memory of 5056	4600	cmd.exe	117
PID 5056 wrote to memory of 1356	5056	trcuearbtijpjemw.exe	174
PID 5056 wrote to memory of 1356	5056	trcuearbtijpjemw.exe	174
PID 5056 wrote to memory of 1356	5056	trcuearbtijpjemw.exe	174
PID 1500 wrote to memory of 2376	1500	abqgjobtkla.exe	121
PID 1500 wrote to memory of 2376	1500	abqgjobtkla.exe	121
PID 1500 wrote to memory of 2376	1500	abqgjobtkla.exe	121
PID 1500 wrote to memory of 1632	1500	abqgjobtkla.exe	122
PID 1500 wrote to memory of 1632	1500	abqgjobtkla.exe	122
PID 1500 wrote to memory of 1632	1500	abqgjobtkla.exe	122
PID 2444 wrote to memory of 668	2444	cmd.exe	129
PID 2444 wrote to memory of 668	2444	cmd.exe	129
PID 2444 wrote to memory of 668	2444	cmd.exe	129
PID 180 wrote to memory of 3764	180	cmd.exe	134
PID 180 wrote to memory of 3764	180	cmd.exe	134
PID 180 wrote to memory of 3764	180	cmd.exe	134
PID 2316 wrote to memory of 944	2316	cmd.exe	135
PID 2316 wrote to memory of 944	2316	cmd.exe	135
PID 2316 wrote to memory of 944	2316	cmd.exe	135
PID 5036 wrote to memory of 1916	5036	cmd.exe	141
PID 5036 wrote to memory of 1916	5036	cmd.exe	141
PID 5036 wrote to memory of 1916	5036	cmd.exe	141
PID 3764 wrote to memory of 3816	3764	jjwqcatfzqtbxueqkj.exe	149
PID 3764 wrote to memory of 3816	3764	jjwqcatfzqtbxueqkj.exe	149
PID 3764 wrote to memory of 3816	3764	jjwqcatfzqtbxueqkj.exe	149
PID 1168 wrote to memory of 3476	1168	cmd.exe	334
PID 1168 wrote to memory of 3476	1168	cmd.exe	334
PID 1168 wrote to memory of 3476	1168	cmd.exe	334
PID 1916 wrote to memory of 4380	1916	wzpmbcynkekvuuhwtvknd.exe	153

System policy modification 1 TTPs 60 IoCs

defense_evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wjjqp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	wjjqp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	wjjqp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	wjjqp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wjjqp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	wjjqp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	wjjqp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wjjqp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	wjjqp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	wjjqp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wjjqp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	wjjqp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	wjjqp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wjjqp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wjjqp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	wjjqp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wjjqp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wjjqp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	wjjqp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wjjqp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	wjjqp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	wjjqp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wjjqp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	wjjqp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8c87df8a10722c28d397f16720c90b80.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
  "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_8c87df8a10722c28d397f16720c90b80.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1500
- - C:\Users\Admin\AppData\Local\Temp\wjjqp.exe
    "C:\Users\Admin\AppData\Local\Temp\wjjqp.exe" "-C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:2376
- - C:\Users\Admin\AppData\Local\Temp\wjjqp.exe
    "C:\Users\Admin\AppData\Local\Temp\wjjqp.exe" "-C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uvjerqkxskoxusdqlly.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:116
- C:\Windows\uvjerqkxskoxusdqlly.exe
  uvjerqkxskoxusdqlly.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c azlepmepiyahcyhsl.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:3084
- C:\Windows\azlepmepiyahcyhsl.exe
  azlepmepiyahcyhsl.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1168
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\azlepmepiyahcyhsl.exe*."
    3⤵
    - Executes dropped EXE
    PID:4236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c azlepmepiyahcyhsl.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\azlepmepiyahcyhsl.exe
  azlepmepiyahcyhsl.exe
  2⤵
  - Executes dropped EXE
  PID:2732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wzpmbcynkekvuuhwtvknd.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Windows\wzpmbcynkekvuuhwtvknd.exe
  wzpmbcynkekvuuhwtvknd.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4164
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\wzpmbcynkekvuuhwtvknd.exe*."
    3⤵
    - Executes dropped EXE
    PID:4196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5064
- C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
  C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4852
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\hjyuiidrnglvtsesopdf.exe*."
    3⤵
    - Executes dropped EXE
    PID:436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:4600
- C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5056
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\trcuearbtijpjemw.exe*."
    3⤵
    - Executes dropped EXE
    PID:1356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjwqcatfzqtbxueqkj.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Windows\jjwqcatfzqtbxueqkj.exe
  jjwqcatfzqtbxueqkj.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjwqcatfzqtbxueqkj.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:180
- C:\Windows\jjwqcatfzqtbxueqkj.exe
  jjwqcatfzqtbxueqkj.exe .
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3764
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\jjwqcatfzqtbxueqkj.exe*."
    3⤵
    - Executes dropped EXE
    PID:3816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c trcuearbtijpjemw.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\trcuearbtijpjemw.exe
  trcuearbtijpjemw.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wzpmbcynkekvuuhwtvknd.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Windows\wzpmbcynkekvuuhwtvknd.exe
  wzpmbcynkekvuuhwtvknd.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\wzpmbcynkekvuuhwtvknd.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wzpmbcynkekvuuhwtvknd.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1168
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2732
- C:\Windows\wzpmbcynkekvuuhwtvknd.exe
  wzpmbcynkekvuuhwtvknd.exe
  2⤵
  - Executes dropped EXE
  PID:3476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uvjerqkxskoxusdqlly.exe .
1⤵
PID:2536
- C:\Windows\uvjerqkxskoxusdqlly.exe
  uvjerqkxskoxusdqlly.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2368
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\uvjerqkxskoxusdqlly.exe*."
    3⤵
    - Executes dropped EXE
    PID:5000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hjyuiidrnglvtsesopdf.exe
1⤵
PID:3652
- C:\Windows\hjyuiidrnglvtsesopdf.exe
  hjyuiidrnglvtsesopdf.exe
  2⤵
  - Executes dropped EXE
  PID:208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe
1⤵
PID:2100
- C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe
  C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c azlepmepiyahcyhsl.exe .
1⤵
PID:2684
- C:\Windows\azlepmepiyahcyhsl.exe
  azlepmepiyahcyhsl.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3020
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\azlepmepiyahcyhsl.exe*."
    3⤵
    - Executes dropped EXE
    PID:2104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe .
1⤵
PID:816
- C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
  C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5092
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\hjyuiidrnglvtsesopdf.exe*."
    3⤵
    - Executes dropped EXE
    PID:4928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe
1⤵
PID:4664
- C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe
  C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe
  2⤵
  - Executes dropped EXE
  PID:4880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe .
1⤵
PID:4456
- C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2456
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\azlepmepiyahcyhsl.exe*."
    3⤵
    - Executes dropped EXE
    PID:2716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe
1⤵
PID:1440
- C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe
  2⤵
  - Executes dropped EXE
  PID:3404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe .
1⤵
PID:2660
- C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe
  C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4360
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\wzpmbcynkekvuuhwtvknd.exe*."
    3⤵
    - Executes dropped EXE
    PID:4384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
1⤵
PID:4960
- C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
  C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
  2⤵
  - Executes dropped EXE
  PID:2860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe .
1⤵
PID:5048
- C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2224
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\trcuearbtijpjemw.exe*."
    3⤵
    - Executes dropped EXE
    PID:708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wzpmbcynkekvuuhwtvknd.exe
1⤵
PID:224
- C:\Windows\wzpmbcynkekvuuhwtvknd.exe
  wzpmbcynkekvuuhwtvknd.exe
  2⤵
  - Executes dropped EXE
  PID:3580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uvjerqkxskoxusdqlly.exe .
1⤵
PID:1356
- C:\Windows\uvjerqkxskoxusdqlly.exe
  uvjerqkxskoxusdqlly.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2948
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\uvjerqkxskoxusdqlly.exe*."
    3⤵
    - Executes dropped EXE
    PID:3828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wzpmbcynkekvuuhwtvknd.exe
1⤵
PID:3300
- C:\Windows\wzpmbcynkekvuuhwtvknd.exe
  wzpmbcynkekvuuhwtvknd.exe
  2⤵
  - Executes dropped EXE
  PID:1112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c azlepmepiyahcyhsl.exe .
1⤵
PID:4032
- C:\Windows\azlepmepiyahcyhsl.exe
  azlepmepiyahcyhsl.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1976
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\azlepmepiyahcyhsl.exe*."
    3⤵
    - Executes dropped EXE
    PID:840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
1⤵
PID:768
- C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
  2⤵
  - Executes dropped EXE
  PID:4664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe .
1⤵
PID:4184
- C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2088
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\jjwqcatfzqtbxueqkj.exe*."
    3⤵
    - Executes dropped EXE
    PID:2612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe
1⤵
PID:4480
- C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe
  C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe
  2⤵
  - Executes dropped EXE
  PID:2340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe .
1⤵
PID:3884
- C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:972
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\trcuearbtijpjemw.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjwqcatfzqtbxueqkj.exe
1⤵
PID:4484
- C:\Windows\jjwqcatfzqtbxueqkj.exe
  jjwqcatfzqtbxueqkj.exe
  2⤵
  - Executes dropped EXE
  PID:2604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wzpmbcynkekvuuhwtvknd.exe .
1⤵
PID:4492
- C:\Windows\wzpmbcynkekvuuhwtvknd.exe
  wzpmbcynkekvuuhwtvknd.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1608
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\wzpmbcynkekvuuhwtvknd.exe*."
    3⤵
    - Executes dropped EXE
    PID:2948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uvjerqkxskoxusdqlly.exe
1⤵
PID:816
- C:\Windows\uvjerqkxskoxusdqlly.exe
  uvjerqkxskoxusdqlly.exe
  2⤵
  - Executes dropped EXE
  PID:2316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uvjerqkxskoxusdqlly.exe
1⤵
PID:3012
- C:\Windows\uvjerqkxskoxusdqlly.exe
  uvjerqkxskoxusdqlly.exe
  2⤵
  - Executes dropped EXE
  PID:2368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c azlepmepiyahcyhsl.exe .
1⤵
PID:5048
- C:\Windows\azlepmepiyahcyhsl.exe
  azlepmepiyahcyhsl.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:408
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\azlepmepiyahcyhsl.exe*."
    3⤵
    - Executes dropped EXE
    PID:2984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjwqcatfzqtbxueqkj.exe .
1⤵
PID:4784
- C:\Windows\jjwqcatfzqtbxueqkj.exe
  jjwqcatfzqtbxueqkj.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4432
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\jjwqcatfzqtbxueqkj.exe*."
    3⤵
    - Executes dropped EXE
    PID:4312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uvjerqkxskoxusdqlly.exe
1⤵
PID:1616
- C:\Windows\uvjerqkxskoxusdqlly.exe
  uvjerqkxskoxusdqlly.exe
  2⤵
  - Executes dropped EXE
  PID:3096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe
1⤵
PID:5076
- C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe
  C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe
  2⤵
  - Executes dropped EXE
  PID:4480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe .
1⤵
PID:3696
- C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe .
  2⤵
  PID:2220
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\azlepmepiyahcyhsl.exe*."
    3⤵
    PID:2564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c azlepmepiyahcyhsl.exe .
1⤵
PID:4824
- C:\Windows\azlepmepiyahcyhsl.exe
  azlepmepiyahcyhsl.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2060
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\azlepmepiyahcyhsl.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wzpmbcynkekvuuhwtvknd.exe
1⤵
PID:2892
- C:\Windows\wzpmbcynkekvuuhwtvknd.exe
  wzpmbcynkekvuuhwtvknd.exe
  2⤵
  - Executes dropped EXE
  PID:880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wzpmbcynkekvuuhwtvknd.exe .
1⤵
PID:4436
- C:\Windows\wzpmbcynkekvuuhwtvknd.exe
  wzpmbcynkekvuuhwtvknd.exe .
  2⤵
  - Checks computer location settings
  PID:5020
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\wzpmbcynkekvuuhwtvknd.exe*."
    3⤵
    PID:5036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hjyuiidrnglvtsesopdf.exe
1⤵
PID:4064
- C:\Windows\hjyuiidrnglvtsesopdf.exe
  hjyuiidrnglvtsesopdf.exe
  2⤵
  PID:4508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe
1⤵
PID:4736
- C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe
  2⤵
  PID:2368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
1⤵
PID:972
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2104
- C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
  2⤵
  PID:2732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe .
1⤵
PID:3028
- C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2260
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\trcuearbtijpjemw.exe*."
    3⤵
    PID:1500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hjyuiidrnglvtsesopdf.exe .
1⤵
PID:2212
- C:\Windows\hjyuiidrnglvtsesopdf.exe
  hjyuiidrnglvtsesopdf.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4184
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\hjyuiidrnglvtsesopdf.exe*."
    3⤵
    PID:4032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe .
1⤵
PID:3440
- C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe
  C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3944
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\uvjerqkxskoxusdqlly.exe*."
    3⤵
    PID:4968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe
1⤵
PID:3056
- C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe
  C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe
  2⤵
  PID:5092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe .
1⤵
PID:4880
- C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2980
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\azlepmepiyahcyhsl.exe*."
    3⤵
    PID:4576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe
1⤵
PID:956
- C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe
  C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe
  2⤵
  PID:4972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe .
1⤵
PID:3368
- C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe
  C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2860
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\uvjerqkxskoxusdqlly.exe*."
    3⤵
    PID:4244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe
1⤵
PID:3096
- C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe
  C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe
  2⤵
  PID:2572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe .
1⤵
PID:3532
- C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe
  C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4492
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\wzpmbcynkekvuuhwtvknd.exe*."
    3⤵
    PID:3856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjwqcatfzqtbxueqkj.exe
1⤵
PID:2892
- C:\Windows\jjwqcatfzqtbxueqkj.exe
  jjwqcatfzqtbxueqkj.exe
  2⤵
  PID:4704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wzpmbcynkekvuuhwtvknd.exe .
1⤵
PID:2784
- C:\Windows\wzpmbcynkekvuuhwtvknd.exe
  wzpmbcynkekvuuhwtvknd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5096
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\wzpmbcynkekvuuhwtvknd.exe*."
    3⤵
    PID:4432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hjyuiidrnglvtsesopdf.exe
1⤵
PID:1756
- C:\Windows\hjyuiidrnglvtsesopdf.exe
  hjyuiidrnglvtsesopdf.exe
  2⤵
  PID:2100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uvjerqkxskoxusdqlly.exe .
1⤵
PID:1608
- C:\Windows\uvjerqkxskoxusdqlly.exe
  uvjerqkxskoxusdqlly.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4676
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\uvjerqkxskoxusdqlly.exe*."
    3⤵
    PID:640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
1⤵
PID:2388
- C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
  C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
  2⤵
  PID:2716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe .
1⤵
PID:3992
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3020
- C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3800
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\azlepmepiyahcyhsl.exe*."
    3⤵
    PID:3024

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:2572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe
1⤵
PID:816
- C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe
  C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe
  2⤵
  PID:2684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe .
1⤵
PID:1100
- C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe .
  2⤵
  - Checks computer location settings
  PID:1236
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\trcuearbtijpjemw.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hjyuiidrnglvtsesopdf.exe
1⤵
PID:4520
- C:\Windows\hjyuiidrnglvtsesopdf.exe
  hjyuiidrnglvtsesopdf.exe
  2⤵
  PID:2236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wzpmbcynkekvuuhwtvknd.exe .
1⤵
PID:4484
- C:\Windows\wzpmbcynkekvuuhwtvknd.exe
  wzpmbcynkekvuuhwtvknd.exe .
  2⤵
  - Checks computer location settings
  PID:4308
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\wzpmbcynkekvuuhwtvknd.exe*."
    3⤵
    PID:4688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hjyuiidrnglvtsesopdf.exe
1⤵
PID:2900
- C:\Windows\hjyuiidrnglvtsesopdf.exe
  hjyuiidrnglvtsesopdf.exe
  2⤵
  PID:3476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c trcuearbtijpjemw.exe .
1⤵
PID:4312
- C:\Windows\trcuearbtijpjemw.exe
  trcuearbtijpjemw.exe .
  2⤵
  - Checks computer location settings
  PID:428
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\trcuearbtijpjemw.exe*."
    3⤵
    PID:2792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
1⤵
PID:3436
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3856
- C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
  C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
  2⤵
  PID:5092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe .
1⤵
PID:408
- C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2100
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\azlepmepiyahcyhsl.exe*."
    3⤵
    PID:4792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
1⤵
PID:440
- C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
  2⤵
  PID:956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe .
1⤵
PID:776
- C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe
  C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3404
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\uvjerqkxskoxusdqlly.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wzpmbcynkekvuuhwtvknd.exe
1⤵
PID:2996
- C:\Windows\wzpmbcynkekvuuhwtvknd.exe
  wzpmbcynkekvuuhwtvknd.exe
  2⤵
  PID:396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c trcuearbtijpjemw.exe .
1⤵
PID:1800
- C:\Windows\trcuearbtijpjemw.exe
  trcuearbtijpjemw.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4196
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\trcuearbtijpjemw.exe*."
    3⤵
    PID:1340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uvjerqkxskoxusdqlly.exe
1⤵
PID:2180
- C:\Windows\uvjerqkxskoxusdqlly.exe
  uvjerqkxskoxusdqlly.exe
  2⤵
  PID:1100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c azlepmepiyahcyhsl.exe .
1⤵
PID:3092
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2060
- C:\Windows\azlepmepiyahcyhsl.exe
  azlepmepiyahcyhsl.exe .
  2⤵
  - Checks computer location settings
  PID:2908
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\azlepmepiyahcyhsl.exe*."
    3⤵
    PID:4112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe
1⤵
PID:1708
- C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe
  2⤵
  PID:4352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe .
1⤵
PID:2004
- C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe
  C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:208
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\uvjerqkxskoxusdqlly.exe*."
    3⤵
    PID:4980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
1⤵
PID:3368
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2604
- C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
  C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
  2⤵
  PID:2892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe .
1⤵
PID:4344
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3580
- C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1844
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\trcuearbtijpjemw.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c trcuearbtijpjemw.exe
1⤵
PID:3316
- C:\Windows\trcuearbtijpjemw.exe
  trcuearbtijpjemw.exe
  2⤵
  PID:4212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjwqcatfzqtbxueqkj.exe .
1⤵
PID:432
- C:\Windows\jjwqcatfzqtbxueqkj.exe
  jjwqcatfzqtbxueqkj.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1152
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\jjwqcatfzqtbxueqkj.exe*."
    3⤵
    PID:1912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c azlepmepiyahcyhsl.exe
1⤵
PID:548
- C:\Windows\azlepmepiyahcyhsl.exe
  azlepmepiyahcyhsl.exe
  2⤵
  PID:4844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wzpmbcynkekvuuhwtvknd.exe .
1⤵
PID:4452
- C:\Windows\wzpmbcynkekvuuhwtvknd.exe
  wzpmbcynkekvuuhwtvknd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2340
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\wzpmbcynkekvuuhwtvknd.exe*."
    3⤵
    PID:3924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
1⤵
PID:4960
- C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
  2⤵
  PID:4236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe .
1⤵
PID:4600
- C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe
  C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1580
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\uvjerqkxskoxusdqlly.exe*."
    3⤵
    PID:1236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe
1⤵
PID:3708
- C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe
  C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe
  2⤵
  PID:3440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe .
1⤵
PID:5076
- C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1168
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\jjwqcatfzqtbxueqkj.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjwqcatfzqtbxueqkj.exe
1⤵
PID:3044
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4688
- C:\Windows\jjwqcatfzqtbxueqkj.exe
  jjwqcatfzqtbxueqkj.exe
  2⤵
  PID:2320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c azlepmepiyahcyhsl.exe .
1⤵
PID:2536
- C:\Windows\azlepmepiyahcyhsl.exe
  azlepmepiyahcyhsl.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2000
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\azlepmepiyahcyhsl.exe*."
    3⤵
    PID:5096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wzpmbcynkekvuuhwtvknd.exe
1⤵
PID:2892
- C:\Windows\wzpmbcynkekvuuhwtvknd.exe
  wzpmbcynkekvuuhwtvknd.exe
  2⤵
  PID:1712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uvjerqkxskoxusdqlly.exe .
1⤵
PID:4580
- C:\Windows\uvjerqkxskoxusdqlly.exe
  uvjerqkxskoxusdqlly.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4480
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\uvjerqkxskoxusdqlly.exe*."
    3⤵
    PID:1152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
1⤵
PID:4072
- C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
  C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
  2⤵
  PID:440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe .
1⤵
PID:376
- C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1608
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\jjwqcatfzqtbxueqkj.exe*."
    3⤵
    PID:1972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe
1⤵
PID:1980
- C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe
  2⤵
  PID:2684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe .
1⤵
PID:2196
- C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe
  C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3596
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\uvjerqkxskoxusdqlly.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hjyuiidrnglvtsesopdf.exe
1⤵
PID:2108
- C:\Windows\hjyuiidrnglvtsesopdf.exe
  hjyuiidrnglvtsesopdf.exe
  2⤵
  PID:4600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c trcuearbtijpjemw.exe .
1⤵
PID:4744
- C:\Windows\trcuearbtijpjemw.exe
  trcuearbtijpjemw.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:944
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\trcuearbtijpjemw.exe*."
    3⤵
    PID:3300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c azlepmepiyahcyhsl.exe
1⤵
PID:3708
- C:\Windows\azlepmepiyahcyhsl.exe
  azlepmepiyahcyhsl.exe
  2⤵
  PID:3832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uvjerqkxskoxusdqlly.exe .
1⤵
PID:1576
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2368
- C:\Windows\uvjerqkxskoxusdqlly.exe
  uvjerqkxskoxusdqlly.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:208
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\uvjerqkxskoxusdqlly.exe*."
    3⤵
    PID:2184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjwqcatfzqtbxueqkj.exe
1⤵
PID:3944
- C:\Windows\jjwqcatfzqtbxueqkj.exe
  jjwqcatfzqtbxueqkj.exe
  2⤵
  PID:2660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe
1⤵
PID:1916
- C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe
  C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe
  2⤵
  PID:2392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe .
1⤵
PID:2372
- C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe
  C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe .
  2⤵
  PID:2092
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\wzpmbcynkekvuuhwtvknd.exe*."
    3⤵
    PID:3748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hjyuiidrnglvtsesopdf.exe
1⤵
PID:2536
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:880
- C:\Windows\hjyuiidrnglvtsesopdf.exe
  hjyuiidrnglvtsesopdf.exe
  2⤵
  PID:3392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c azlepmepiyahcyhsl.exe .
1⤵
PID:1616
- C:\Windows\azlepmepiyahcyhsl.exe
  azlepmepiyahcyhsl.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4740
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\azlepmepiyahcyhsl.exe*."
    3⤵
    PID:1624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjwqcatfzqtbxueqkj.exe .
1⤵
PID:4580
- C:\Windows\jjwqcatfzqtbxueqkj.exe
  jjwqcatfzqtbxueqkj.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1448
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\jjwqcatfzqtbxueqkj.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
1⤵
PID:2864
- C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
  2⤵
  PID:2112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hjyuiidrnglvtsesopdf.exe
1⤵
PID:3856
- C:\Windows\hjyuiidrnglvtsesopdf.exe
  hjyuiidrnglvtsesopdf.exe
  2⤵
  PID:3816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uvjerqkxskoxusdqlly.exe .
1⤵
PID:996
- C:\Windows\uvjerqkxskoxusdqlly.exe
  uvjerqkxskoxusdqlly.exe .
  2⤵
  - Checks computer location settings
  PID:4664
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\uvjerqkxskoxusdqlly.exe*."
    3⤵
    PID:3476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe .
1⤵
PID:1504
- C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
  C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1340
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\hjyuiidrnglvtsesopdf.exe*."
    3⤵
    PID:2784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uvjerqkxskoxusdqlly.exe
1⤵
PID:396
- C:\Windows\uvjerqkxskoxusdqlly.exe
  uvjerqkxskoxusdqlly.exe
  2⤵
  PID:4540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe
1⤵
PID:848
- C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe
  2⤵
  PID:3792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe .
1⤵
PID:940
- C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe .
  2⤵
  - Checks computer location settings
  PID:840
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\azlepmepiyahcyhsl.exe*."
    3⤵
    PID:5012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c azlepmepiyahcyhsl.exe .
1⤵
PID:1800
- C:\Windows\azlepmepiyahcyhsl.exe
  azlepmepiyahcyhsl.exe .
  2⤵
  - Checks computer location settings
  PID:2148
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\azlepmepiyahcyhsl.exe*."
    3⤵
    PID:4788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe
1⤵
PID:4112
- C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe
  2⤵
  PID:1152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe .
1⤵
PID:1708
- C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2436
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\jjwqcatfzqtbxueqkj.exe*."
    3⤵
    PID:1616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe
1⤵
PID:2900
- C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe
  C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe
  2⤵
  PID:3048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe .
1⤵
PID:2004
- C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe .
  2⤵
  - Checks computer location settings
  PID:2768
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\azlepmepiyahcyhsl.exe*."
    3⤵
    PID:4676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe
1⤵
PID:3692
- C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe
  2⤵
  PID:3924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe .
1⤵
PID:2536
- C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4164
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\azlepmepiyahcyhsl.exe*."
    3⤵
    PID:1448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjwqcatfzqtbxueqkj.exe
1⤵
PID:2684
- C:\Windows\jjwqcatfzqtbxueqkj.exe
  jjwqcatfzqtbxueqkj.exe
  2⤵
  PID:3068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hjyuiidrnglvtsesopdf.exe .
1⤵
PID:1272
- C:\Windows\hjyuiidrnglvtsesopdf.exe
  hjyuiidrnglvtsesopdf.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4008
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\hjyuiidrnglvtsesopdf.exe*."
    3⤵
    PID:4484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c azlepmepiyahcyhsl.exe
1⤵
PID:4184
- C:\Windows\azlepmepiyahcyhsl.exe
  azlepmepiyahcyhsl.exe
  2⤵
  PID:3476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uvjerqkxskoxusdqlly.exe .
1⤵
PID:1340
- C:\Windows\uvjerqkxskoxusdqlly.exe
  uvjerqkxskoxusdqlly.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:548
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\uvjerqkxskoxusdqlly.exe*."
    3⤵
    PID:3944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe
1⤵
PID:4580
- C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe
  C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe
  2⤵
  PID:5088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe .
1⤵
PID:3392
- C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe .
  2⤵
  - Checks computer location settings
  PID:376
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\azlepmepiyahcyhsl.exe*."
    3⤵
    PID:1504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe
1⤵
PID:1240
- C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe
  2⤵
  PID:3924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe .
1⤵
PID:1576
- C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3092
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\jjwqcatfzqtbxueqkj.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c trcuearbtijpjemw.exe
1⤵
PID:5056
- C:\Windows\trcuearbtijpjemw.exe
  trcuearbtijpjemw.exe
  2⤵
  PID:4480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c trcuearbtijpjemw.exe .
1⤵
PID:1500
- C:\Windows\trcuearbtijpjemw.exe
  trcuearbtijpjemw.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4880
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\trcuearbtijpjemw.exe*."
    3⤵
    PID:3448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uvjerqkxskoxusdqlly.exe
1⤵
PID:1080
- C:\Windows\uvjerqkxskoxusdqlly.exe
  uvjerqkxskoxusdqlly.exe
  2⤵
  PID:1608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wzpmbcynkekvuuhwtvknd.exe .
1⤵
PID:1076
- C:\Windows\wzpmbcynkekvuuhwtvknd.exe
  wzpmbcynkekvuuhwtvknd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2944
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\wzpmbcynkekvuuhwtvknd.exe*."
    3⤵
    PID:384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe
1⤵
PID:1620
- C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe
  C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe
  2⤵
  PID:1916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe .
1⤵
PID:4968
- C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe
  C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2336
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\uvjerqkxskoxusdqlly.exe*."
    3⤵
    PID:2476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
1⤵
PID:3064
- C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
  C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
  2⤵
  PID:4744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe .
1⤵
PID:764
- C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe
  C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3828
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\wzpmbcynkekvuuhwtvknd.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uvjerqkxskoxusdqlly.exe
1⤵
PID:4336
- C:\Windows\uvjerqkxskoxusdqlly.exe
  uvjerqkxskoxusdqlly.exe
  2⤵
  PID:748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c trcuearbtijpjemw.exe .
1⤵
PID:1012
- C:\Windows\trcuearbtijpjemw.exe
  trcuearbtijpjemw.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2900
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\trcuearbtijpjemw.exe*."
    3⤵
    PID:3612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uvjerqkxskoxusdqlly.exe
1⤵
PID:4492
- C:\Windows\uvjerqkxskoxusdqlly.exe
  uvjerqkxskoxusdqlly.exe
  2⤵
  PID:2284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wzpmbcynkekvuuhwtvknd.exe .
1⤵
PID:4852
- C:\Windows\wzpmbcynkekvuuhwtvknd.exe
  wzpmbcynkekvuuhwtvknd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:816
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\wzpmbcynkekvuuhwtvknd.exe*."
    3⤵
    PID:2436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe
1⤵
PID:4480
- C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe
  C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe
  2⤵
  PID:3852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe .
1⤵
PID:4784
- C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe
  C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3068
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\wzpmbcynkekvuuhwtvknd.exe*."
    3⤵
    PID:1916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
1⤵
PID:3580
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4972
- C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
  2⤵
  PID:2660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe .
1⤵
PID:4832
- C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe .
  2⤵
  PID:2260
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\azlepmepiyahcyhsl.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjwqcatfzqtbxueqkj.exe
1⤵
PID:4744
- C:\Windows\jjwqcatfzqtbxueqkj.exe
  jjwqcatfzqtbxueqkj.exe
  2⤵
  PID:5076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c azlepmepiyahcyhsl.exe .
1⤵
PID:4856
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2908
- C:\Windows\azlepmepiyahcyhsl.exe
  azlepmepiyahcyhsl.exe .
  2⤵
  - Checks computer location settings
  PID:556
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\azlepmepiyahcyhsl.exe*."
    3⤵
    PID:1980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wzpmbcynkekvuuhwtvknd.exe
1⤵
PID:2088
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2612
- C:\Windows\wzpmbcynkekvuuhwtvknd.exe
  wzpmbcynkekvuuhwtvknd.exe
  2⤵
  PID:2036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wzpmbcynkekvuuhwtvknd.exe .
1⤵
PID:1972
- C:\Windows\wzpmbcynkekvuuhwtvknd.exe
  wzpmbcynkekvuuhwtvknd.exe .
  2⤵
  PID:3652
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\wzpmbcynkekvuuhwtvknd.exe*."
    3⤵
    PID:2392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe
1⤵
PID:3520
- C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe
  C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe
  2⤵
  PID:4308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe .
1⤵
PID:840
- C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe .
  2⤵
  PID:2708
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\azlepmepiyahcyhsl.exe*."
    3⤵
    PID:3752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
1⤵
PID:3236
- C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
  C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
  2⤵
  PID:4296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe .
1⤵
PID:3404
- C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
  C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe .
  2⤵
  PID:5012
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\hjyuiidrnglvtsesopdf.exe*."
    3⤵
    PID:2092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c azlepmepiyahcyhsl.exe
1⤵
PID:4784
- C:\Windows\azlepmepiyahcyhsl.exe
  azlepmepiyahcyhsl.exe
  2⤵
  PID:4980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uvjerqkxskoxusdqlly.exe .
1⤵
PID:1076
- C:\Windows\uvjerqkxskoxusdqlly.exe
  uvjerqkxskoxusdqlly.exe .
  2⤵
  PID:1968
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\uvjerqkxskoxusdqlly.exe*."
    3⤵
    PID:552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjwqcatfzqtbxueqkj.exe
1⤵
PID:1428
- C:\Windows\jjwqcatfzqtbxueqkj.exe
  jjwqcatfzqtbxueqkj.exe
  2⤵
  PID:3856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjwqcatfzqtbxueqkj.exe .
1⤵
PID:3720
- C:\Windows\jjwqcatfzqtbxueqkj.exe
  jjwqcatfzqtbxueqkj.exe .
  2⤵
  PID:4744
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\jjwqcatfzqtbxueqkj.exe*."
    3⤵
    PID:2732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
1⤵
PID:3064
- C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
  2⤵
  PID:2108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe .
1⤵
PID:3596
- C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
  C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe .
  2⤵
  PID:5020
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\hjyuiidrnglvtsesopdf.exe*."
    3⤵
    PID:3024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
1⤵
PID:1240
- C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
  2⤵
  PID:4928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe .
1⤵
PID:4412
- C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe
  C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe .
  2⤵
  PID:956
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\uvjerqkxskoxusdqlly.exe*."
    3⤵
    PID:536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wzpmbcynkekvuuhwtvknd.exe
1⤵
PID:3584
- C:\Windows\wzpmbcynkekvuuhwtvknd.exe
  wzpmbcynkekvuuhwtvknd.exe
  2⤵
  PID:2880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjwqcatfzqtbxueqkj.exe .
1⤵
PID:5068
- C:\Windows\jjwqcatfzqtbxueqkj.exe
  jjwqcatfzqtbxueqkj.exe .
  2⤵
  PID:1500
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\jjwqcatfzqtbxueqkj.exe*."
    3⤵
    PID:2944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c azlepmepiyahcyhsl.exe
1⤵
PID:2768
- C:\Windows\azlepmepiyahcyhsl.exe
  azlepmepiyahcyhsl.exe
  2⤵
  PID:2072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c azlepmepiyahcyhsl.exe .
1⤵
PID:4540
- C:\Windows\azlepmepiyahcyhsl.exe
  azlepmepiyahcyhsl.exe .
  2⤵
  PID:4664
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\azlepmepiyahcyhsl.exe*."
    3⤵
    PID:748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
1⤵
PID:4280
- C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
  2⤵
  PID:3624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe .
1⤵
PID:4828
- C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe
  C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe .
  2⤵
  PID:1456
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\wzpmbcynkekvuuhwtvknd.exe*."
    3⤵
    PID:1648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
1⤵
PID:2564
- C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
  C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
  2⤵
  PID:4692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe .
1⤵
PID:2612
- C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe
  C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe .
  2⤵
  PID:2392
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\wzpmbcynkekvuuhwtvknd.exe*."
    3⤵
    PID:2284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wzpmbcynkekvuuhwtvknd.exe
1⤵
PID:2688
- C:\Windows\wzpmbcynkekvuuhwtvknd.exe
  wzpmbcynkekvuuhwtvknd.exe
  2⤵
  PID:2848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uvjerqkxskoxusdqlly.exe .
1⤵
PID:4312
- C:\Windows\uvjerqkxskoxusdqlly.exe
  uvjerqkxskoxusdqlly.exe .
  2⤵
  PID:768
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\uvjerqkxskoxusdqlly.exe*."
    3⤵
    PID:4504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wzpmbcynkekvuuhwtvknd.exe
1⤵
PID:3748
- C:\Windows\wzpmbcynkekvuuhwtvknd.exe
  wzpmbcynkekvuuhwtvknd.exe
  2⤵
  PID:2892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hjyuiidrnglvtsesopdf.exe
1⤵
PID:1580
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3392
- C:\Windows\hjyuiidrnglvtsesopdf.exe
  hjyuiidrnglvtsesopdf.exe
  2⤵
  PID:1076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c trcuearbtijpjemw.exe .
1⤵
PID:4172
- C:\Windows\trcuearbtijpjemw.exe
  trcuearbtijpjemw.exe .
  2⤵
  PID:1000
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\trcuearbtijpjemw.exe*."
    3⤵
    PID:440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hjyuiidrnglvtsesopdf.exe .
1⤵
PID:1500
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5092
- C:\Windows\hjyuiidrnglvtsesopdf.exe
  hjyuiidrnglvtsesopdf.exe .
  2⤵
  PID:556
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\hjyuiidrnglvtsesopdf.exe*."
    3⤵
    PID:1972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wzpmbcynkekvuuhwtvknd.exe
1⤵
PID:4940
- C:\Windows\wzpmbcynkekvuuhwtvknd.exe
  wzpmbcynkekvuuhwtvknd.exe
  2⤵
  PID:1176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe
1⤵
PID:1448
- C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe
  2⤵
  PID:3368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c trcuearbtijpjemw.exe
1⤵
PID:400
- C:\Windows\trcuearbtijpjemw.exe
  trcuearbtijpjemw.exe
  2⤵
  PID:4828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe .
1⤵
PID:3468
- C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe
  C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe .
  2⤵
  PID:532
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\wzpmbcynkekvuuhwtvknd.exe*."
    3⤵
    PID:1100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjwqcatfzqtbxueqkj.exe .
1⤵
PID:4540
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2260
- C:\Windows\jjwqcatfzqtbxueqkj.exe
  jjwqcatfzqtbxueqkj.exe .
  2⤵
  PID:2236
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\jjwqcatfzqtbxueqkj.exe*."
    3⤵
    PID:5084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uvjerqkxskoxusdqlly.exe .
1⤵
PID:4832
- C:\Windows\uvjerqkxskoxusdqlly.exe
  uvjerqkxskoxusdqlly.exe .
  2⤵
  PID:1440
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\uvjerqkxskoxusdqlly.exe*."
    3⤵
    PID:944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe
1⤵
PID:4828
- C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe
  2⤵
  PID:5108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c azlepmepiyahcyhsl.exe
1⤵
PID:440
- C:\Windows\azlepmepiyahcyhsl.exe
  azlepmepiyahcyhsl.exe
  2⤵
  PID:2456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe .
1⤵
PID:940
- C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe
  C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe .
  2⤵
  PID:1596
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\uvjerqkxskoxusdqlly.exe*."
    3⤵
    PID:2072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
1⤵
PID:1000
- C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
  2⤵
  PID:3832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c azlepmepiyahcyhsl.exe .
1⤵
PID:2788
- C:\Windows\azlepmepiyahcyhsl.exe
  azlepmepiyahcyhsl.exe .
  2⤵
  PID:2036
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\azlepmepiyahcyhsl.exe*."
    3⤵
    PID:4704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe .
1⤵
PID:4520
- C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe .
  2⤵
  PID:4740
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\trcuearbtijpjemw.exe*."
    3⤵
    PID:4384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
1⤵
PID:620
- C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
  C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
  2⤵
  PID:2656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe .
1⤵
PID:4296
- C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
  C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe .
  2⤵
  PID:3832
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\hjyuiidrnglvtsesopdf.exe*."
    3⤵
    PID:208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe
1⤵
PID:5104
- C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe
  2⤵
  PID:2052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe .
1⤵
PID:1336
- C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe .
  2⤵
  PID:4872
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\trcuearbtijpjemw.exe*."
    3⤵
    PID:2860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
1⤵
PID:3904
- C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
  C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
  2⤵
  PID:5068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe .
1⤵
PID:1972
- C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe .
  2⤵
  PID:4892
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\trcuearbtijpjemw.exe*."
    3⤵
    PID:1616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uvjerqkxskoxusdqlly.exe
1⤵
PID:4196
- C:\Windows\uvjerqkxskoxusdqlly.exe
  uvjerqkxskoxusdqlly.exe
  2⤵
  PID:1112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c azlepmepiyahcyhsl.exe .
1⤵
PID:5108
- C:\Windows\azlepmepiyahcyhsl.exe
  azlepmepiyahcyhsl.exe .
  2⤵
  PID:1120
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\azlepmepiyahcyhsl.exe*."
    3⤵
    PID:4384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uvjerqkxskoxusdqlly.exe
1⤵
PID:4260
- C:\Windows\uvjerqkxskoxusdqlly.exe
  uvjerqkxskoxusdqlly.exe
  2⤵
  PID:3652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uvjerqkxskoxusdqlly.exe .
1⤵
PID:4932
- C:\Windows\uvjerqkxskoxusdqlly.exe
  uvjerqkxskoxusdqlly.exe .
  2⤵
  PID:3904
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\uvjerqkxskoxusdqlly.exe*."
    3⤵
    PID:3844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
1⤵
PID:2008
- C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
  2⤵
  PID:940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe .
1⤵
PID:4992
- C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe .
  2⤵
  PID:4648
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\azlepmepiyahcyhsl.exe*."
    3⤵
    PID:2656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe
1⤵
PID:3984
- C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe
  C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe
  2⤵
  PID:752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe .
1⤵
PID:1492
- C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe
  C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe .
  2⤵
  PID:3520
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\uvjerqkxskoxusdqlly.exe*."
    3⤵
    PID:4528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wzpmbcynkekvuuhwtvknd.exe
1⤵
PID:2672
- C:\Windows\wzpmbcynkekvuuhwtvknd.exe
  wzpmbcynkekvuuhwtvknd.exe
  2⤵
  PID:4280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c trcuearbtijpjemw.exe .
1⤵
PID:4436
- C:\Windows\trcuearbtijpjemw.exe
  trcuearbtijpjemw.exe .
  2⤵
  PID:2184
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\trcuearbtijpjemw.exe*."
    3⤵
    PID:2688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjwqcatfzqtbxueqkj.exe
1⤵
PID:1168
- C:\Windows\jjwqcatfzqtbxueqkj.exe
  jjwqcatfzqtbxueqkj.exe
  2⤵
  PID:4484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c trcuearbtijpjemw.exe .
1⤵
PID:972
- C:\Windows\trcuearbtijpjemw.exe
  trcuearbtijpjemw.exe .
  2⤵
  PID:3828
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\trcuearbtijpjemw.exe*."
    3⤵
    PID:5068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
1⤵
PID:4164
- C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
  2⤵
  PID:3856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe .
1⤵
PID:2892
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1500
- C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe .
  2⤵
  PID:3696
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\azlepmepiyahcyhsl.exe*."
    3⤵
    PID:4740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe
1⤵
PID:2336
- C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe
  C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe
  2⤵
  PID:2984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe .
1⤵
PID:4940
- C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe .
  2⤵
  PID:3904
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\trcuearbtijpjemw.exe*."
    3⤵
    PID:3884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjwqcatfzqtbxueqkj.exe
1⤵
PID:3984
- C:\Windows\jjwqcatfzqtbxueqkj.exe
  jjwqcatfzqtbxueqkj.exe
  2⤵
  PID:2708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c trcuearbtijpjemw.exe .
1⤵
PID:2456
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3944
- C:\Windows\trcuearbtijpjemw.exe
  trcuearbtijpjemw.exe .
  2⤵
  PID:4988
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\trcuearbtijpjemw.exe*."
    3⤵
    PID:2380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wzpmbcynkekvuuhwtvknd.exe
1⤵
PID:3012
- C:\Windows\wzpmbcynkekvuuhwtvknd.exe
  wzpmbcynkekvuuhwtvknd.exe
  2⤵
  PID:2672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hjyuiidrnglvtsesopdf.exe .
1⤵
PID:1428
- C:\Windows\hjyuiidrnglvtsesopdf.exe
  hjyuiidrnglvtsesopdf.exe .
  2⤵
  PID:3820
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\hjyuiidrnglvtsesopdf.exe*."
    3⤵
    PID:4032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe
1⤵
PID:2684
- C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe
  2⤵
  PID:3700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe .
1⤵
PID:3624
- C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
  C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe .
  2⤵
  PID:708
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\hjyuiidrnglvtsesopdf.exe*."
    3⤵
    PID:640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
1⤵
PID:1676
- C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
  C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
  2⤵
  PID:2872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe .
1⤵
PID:1148
- C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe .
  2⤵
  PID:4524
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\trcuearbtijpjemw.exe*."
    3⤵
    PID:4236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wzpmbcynkekvuuhwtvknd.exe
1⤵
PID:4872
- C:\Windows\wzpmbcynkekvuuhwtvknd.exe
  wzpmbcynkekvuuhwtvknd.exe
  2⤵
  PID:2436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uvjerqkxskoxusdqlly.exe .
1⤵
PID:840
- C:\Windows\uvjerqkxskoxusdqlly.exe
  uvjerqkxskoxusdqlly.exe .
  2⤵
  PID:4788
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\uvjerqkxskoxusdqlly.exe*."
    3⤵
    PID:3212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjwqcatfzqtbxueqkj.exe
1⤵
PID:3920
- C:\Windows\jjwqcatfzqtbxueqkj.exe
  jjwqcatfzqtbxueqkj.exe
  2⤵
  PID:4212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wzpmbcynkekvuuhwtvknd.exe .
1⤵
PID:1012
- C:\Windows\wzpmbcynkekvuuhwtvknd.exe
  wzpmbcynkekvuuhwtvknd.exe .
  2⤵
  PID:5020
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\wzpmbcynkekvuuhwtvknd.exe*."
    3⤵
    PID:3700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
1⤵
PID:2448
- C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
  2⤵
  PID:1844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe .
1⤵
PID:2672
- C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe .
  2⤵
  PID:2688
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\trcuearbtijpjemw.exe*."
    3⤵
    PID:3820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe
1⤵
PID:1100
- C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe
  2⤵
  PID:3668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe .
1⤵
PID:536
- C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe .
  2⤵
  PID:1616
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\trcuearbtijpjemw.exe*."
    3⤵
    PID:3440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjwqcatfzqtbxueqkj.exe
1⤵
PID:2352
- C:\Windows\jjwqcatfzqtbxueqkj.exe
  jjwqcatfzqtbxueqkj.exe
  2⤵
  PID:2872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uvjerqkxskoxusdqlly.exe .
1⤵
PID:5068
- C:\Windows\uvjerqkxskoxusdqlly.exe
  uvjerqkxskoxusdqlly.exe .
  2⤵
  PID:956
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\uvjerqkxskoxusdqlly.exe*."
    3⤵
    PID:4260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wzpmbcynkekvuuhwtvknd.exe
1⤵
PID:4352
- C:\Windows\wzpmbcynkekvuuhwtvknd.exe
  wzpmbcynkekvuuhwtvknd.exe
  2⤵
  PID:2340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjwqcatfzqtbxueqkj.exe .
1⤵
PID:2900
- C:\Windows\jjwqcatfzqtbxueqkj.exe
  jjwqcatfzqtbxueqkj.exe .
  2⤵
  PID:4648
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\jjwqcatfzqtbxueqkj.exe*."
    3⤵
    PID:3832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe
1⤵
PID:3404
- C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe
  2⤵
  PID:4516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe .
1⤵
PID:1692
- C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe .
  2⤵
  PID:3212
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\trcuearbtijpjemw.exe*."
    3⤵
    PID:840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe
1⤵
PID:404
- C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe
  2⤵
  PID:1844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe .
1⤵
PID:1336
- C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe .
  2⤵
  PID:4296
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\jjwqcatfzqtbxueqkj.exe*."
    3⤵
    PID:4492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c trcuearbtijpjemw.exe
1⤵
PID:1220
- C:\Windows\trcuearbtijpjemw.exe
  trcuearbtijpjemw.exe
  2⤵
  PID:4864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hjyuiidrnglvtsesopdf.exe .
1⤵
PID:3012
- C:\Windows\hjyuiidrnglvtsesopdf.exe
  hjyuiidrnglvtsesopdf.exe .
  2⤵
  PID:2768
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\hjyuiidrnglvtsesopdf.exe*."
    3⤵
    PID:5088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c trcuearbtijpjemw.exe
1⤵
PID:412
- C:\Windows\trcuearbtijpjemw.exe
  trcuearbtijpjemw.exe
  2⤵
  PID:2004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c trcuearbtijpjemw.exe .
1⤵
PID:708
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:640
- C:\Windows\trcuearbtijpjemw.exe
  trcuearbtijpjemw.exe .
  2⤵
  PID:4852
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\trcuearbtijpjemw.exe*."
    3⤵
    PID:4260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
1⤵
PID:692
- C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
  2⤵
  PID:1272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe .
1⤵
PID:768
- C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe
  C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe .
  2⤵
  PID:2052
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\wzpmbcynkekvuuhwtvknd.exe*."
    3⤵
    PID:2656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c trcuearbtijpjemw.exe
1⤵
PID:4740
- C:\Windows\trcuearbtijpjemw.exe
  trcuearbtijpjemw.exe
  2⤵
  PID:1500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c trcuearbtijpjemw.exe .
1⤵
PID:3056
- C:\Windows\trcuearbtijpjemw.exe
  trcuearbtijpjemw.exe .
  2⤵
  PID:1080
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\trcuearbtijpjemw.exe*."
    3⤵
    PID:3920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe
1⤵
PID:656
- C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe
  C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe
  2⤵
  PID:440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c trcuearbtijpjemw.exe
1⤵
PID:3436
- C:\Windows\trcuearbtijpjemw.exe
  trcuearbtijpjemw.exe
  2⤵
  PID:4960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe .
1⤵
PID:2880
- C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
  C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe .
  2⤵
  PID:3520
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\hjyuiidrnglvtsesopdf.exe*."
    3⤵
    PID:4760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjwqcatfzqtbxueqkj.exe
1⤵
PID:2112
- C:\Windows\jjwqcatfzqtbxueqkj.exe
  jjwqcatfzqtbxueqkj.exe
  2⤵
  PID:2856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hjyuiidrnglvtsesopdf.exe .
1⤵
PID:2448
- C:\Windows\hjyuiidrnglvtsesopdf.exe
  hjyuiidrnglvtsesopdf.exe .
  2⤵
  PID:2892
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\hjyuiidrnglvtsesopdf.exe*."
    3⤵
    PID:3580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjwqcatfzqtbxueqkj.exe .
1⤵
PID:2148
- C:\Windows\jjwqcatfzqtbxueqkj.exe
  jjwqcatfzqtbxueqkj.exe .
  2⤵
  PID:4172
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\jjwqcatfzqtbxueqkj.exe*."
    3⤵
    PID:3468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe
1⤵
PID:4340
- C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe
  C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe
  2⤵
  PID:3692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe .
1⤵
PID:3984
- C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe
  C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe .
  2⤵
  PID:1500
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\uvjerqkxskoxusdqlly.exe*."
    3⤵
    PID:1060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wzpmbcynkekvuuhwtvknd.exe
1⤵
PID:2388
- C:\Windows\wzpmbcynkekvuuhwtvknd.exe
  wzpmbcynkekvuuhwtvknd.exe
  2⤵
  PID:3248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjwqcatfzqtbxueqkj.exe .
1⤵
PID:2792
- C:\Windows\jjwqcatfzqtbxueqkj.exe
  jjwqcatfzqtbxueqkj.exe .
  2⤵
  PID:4856
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\jjwqcatfzqtbxueqkj.exe*."
    3⤵
    PID:536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe
1⤵
PID:5076
- C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe
  2⤵
  PID:4872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
1⤵
PID:2848
- C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
  C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
  2⤵
  PID:2692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe .
1⤵
PID:552
- C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe
  C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe .
  2⤵
  PID:2380
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\uvjerqkxskoxusdqlly.exe*."
    3⤵
    PID:1064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe .
1⤵
PID:1120
- C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe .
  2⤵
  PID:4516
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\azlepmepiyahcyhsl.exe*."
    3⤵
    PID:3692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hjyuiidrnglvtsesopdf.exe
1⤵
PID:1272
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:428
- C:\Windows\hjyuiidrnglvtsesopdf.exe
  hjyuiidrnglvtsesopdf.exe
  2⤵
  PID:4648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe
1⤵
PID:632
- C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe
  2⤵
  PID:2196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c azlepmepiyahcyhsl.exe .
1⤵
PID:5104
- C:\Windows\azlepmepiyahcyhsl.exe
  azlepmepiyahcyhsl.exe .
  2⤵
  PID:644
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\azlepmepiyahcyhsl.exe*."
    3⤵
    PID:2320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe .
1⤵
PID:2036
- C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe
  C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe .
  2⤵
  PID:1240
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\uvjerqkxskoxusdqlly.exe*."
    3⤵
    PID:4648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wzpmbcynkekvuuhwtvknd.exe
1⤵
PID:4584
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1972
- C:\Windows\wzpmbcynkekvuuhwtvknd.exe
  wzpmbcynkekvuuhwtvknd.exe
  2⤵
  PID:1076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uvjerqkxskoxusdqlly.exe .
1⤵
PID:4788
- C:\Windows\uvjerqkxskoxusdqlly.exe
  uvjerqkxskoxusdqlly.exe .
  2⤵
  PID:1336
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\uvjerqkxskoxusdqlly.exe*."
    3⤵
    PID:1100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
1⤵
PID:4008
- C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
  2⤵
  PID:5084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe .
1⤵
PID:1176
- C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe .
  2⤵
  PID:3404
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\azlepmepiyahcyhsl.exe*."
    3⤵
    PID:2088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
1⤵
PID:432
- C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
  C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
  2⤵
  PID:3464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe .
1⤵
PID:3792
- C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe
  C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe .
  2⤵
  PID:3056
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\uvjerqkxskoxusdqlly.exe*."
    3⤵
    PID:3028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hjyuiidrnglvtsesopdf.exe
1⤵
PID:3584
- C:\Windows\hjyuiidrnglvtsesopdf.exe
  hjyuiidrnglvtsesopdf.exe
  2⤵
  PID:1152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wzpmbcynkekvuuhwtvknd.exe .
1⤵
PID:4972
- C:\Windows\wzpmbcynkekvuuhwtvknd.exe
  wzpmbcynkekvuuhwtvknd.exe .
  2⤵
  PID:4032
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\wzpmbcynkekvuuhwtvknd.exe*."
    3⤵
    PID:5084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wzpmbcynkekvuuhwtvknd.exe
1⤵
PID:1708
- C:\Windows\wzpmbcynkekvuuhwtvknd.exe
  wzpmbcynkekvuuhwtvknd.exe
  2⤵
  PID:4940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c trcuearbtijpjemw.exe .
1⤵
PID:1120
- C:\Windows\trcuearbtijpjemw.exe
  trcuearbtijpjemw.exe .
  2⤵
  PID:4112
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\trcuearbtijpjemw.exe*."
    3⤵
    PID:1620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe
1⤵
PID:5056
- C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe
  2⤵
  PID:5104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe .
1⤵
PID:2212
- C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe
  C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe .
  2⤵
  PID:2052
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\uvjerqkxskoxusdqlly.exe*."
    3⤵
    PID:4780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe
1⤵
PID:2784
- C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe
  2⤵
  PID:2184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe .
1⤵
PID:5016
- C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
  C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe .
  2⤵
  PID:4308
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\hjyuiidrnglvtsesopdf.exe*."
    3⤵
    PID:432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wzpmbcynkekvuuhwtvknd.exe
1⤵
PID:3964
- C:\Windows\wzpmbcynkekvuuhwtvknd.exe
  wzpmbcynkekvuuhwtvknd.exe
  2⤵
  PID:5068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hjyuiidrnglvtsesopdf.exe .
1⤵
PID:2104
- C:\Windows\hjyuiidrnglvtsesopdf.exe
  hjyuiidrnglvtsesopdf.exe .
  2⤵
  PID:4452
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\hjyuiidrnglvtsesopdf.exe*."
    3⤵
    PID:1220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c trcuearbtijpjemw.exe
1⤵
PID:3056
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1168
- C:\Windows\trcuearbtijpjemw.exe
  trcuearbtijpjemw.exe
  2⤵
  PID:2792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wzpmbcynkekvuuhwtvknd.exe .
1⤵
PID:2340
- C:\Windows\wzpmbcynkekvuuhwtvknd.exe
  wzpmbcynkekvuuhwtvknd.exe .
  2⤵
  PID:1216
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\wzpmbcynkekvuuhwtvknd.exe*."
    3⤵
    PID:4484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe
1⤵
PID:1692
- C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe
  2⤵
  PID:1152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe .
1⤵
PID:4524
- C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe
  C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe .
  2⤵
  PID:2716
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\uvjerqkxskoxusdqlly.exe*."
    3⤵
    PID:644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
1⤵
PID:224
- C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
  2⤵
  PID:552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe .
1⤵
PID:2604
- C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe .
  2⤵
  PID:1440
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\azlepmepiyahcyhsl.exe*."
    3⤵
    PID:4260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c trcuearbtijpjemw.exe
1⤵
PID:2036
- C:\Windows\trcuearbtijpjemw.exe
  trcuearbtijpjemw.exe
  2⤵
  PID:1912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uvjerqkxskoxusdqlly.exe .
1⤵
PID:4432
- C:\Windows\uvjerqkxskoxusdqlly.exe
  uvjerqkxskoxusdqlly.exe .
  2⤵
  PID:764
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\uvjerqkxskoxusdqlly.exe*."
    3⤵
    PID:4412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c trcuearbtijpjemw.exe
1⤵
PID:4280
- C:\Windows\trcuearbtijpjemw.exe
  trcuearbtijpjemw.exe
  2⤵
  PID:4464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wzpmbcynkekvuuhwtvknd.exe .
1⤵
PID:1036
- C:\Windows\wzpmbcynkekvuuhwtvknd.exe
  wzpmbcynkekvuuhwtvknd.exe .
  2⤵
  PID:180
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\wzpmbcynkekvuuhwtvknd.exe*."
    3⤵
    PID:400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
1⤵
PID:3844
- C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
  C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
  2⤵
  PID:3828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe .
1⤵
PID:3440
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2792
- C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe .
  2⤵
  PID:944
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\trcuearbtijpjemw.exe*."
    3⤵
    PID:3856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
1⤵
PID:412
- C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
  2⤵
  PID:3316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe .
1⤵
PID:1000
- C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe .
  2⤵
  PID:4484
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\jjwqcatfzqtbxueqkj.exe*."
    3⤵
    PID:4184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjwqcatfzqtbxueqkj.exe
1⤵
PID:1916
- C:\Windows\jjwqcatfzqtbxueqkj.exe
  jjwqcatfzqtbxueqkj.exe
  2⤵
  PID:3096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c azlepmepiyahcyhsl.exe .
1⤵
PID:4344
- C:\Windows\azlepmepiyahcyhsl.exe
  azlepmepiyahcyhsl.exe .
  2⤵
  PID:4972
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\azlepmepiyahcyhsl.exe*."
    3⤵
    PID:2352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uvjerqkxskoxusdqlly.exe
1⤵
PID:5084
- C:\Windows\uvjerqkxskoxusdqlly.exe
  uvjerqkxskoxusdqlly.exe
  2⤵
  PID:2732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c trcuearbtijpjemw.exe .
1⤵
PID:5056
- C:\Windows\trcuearbtijpjemw.exe
  trcuearbtijpjemw.exe .
  2⤵
  PID:4600
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\trcuearbtijpjemw.exe*."
    3⤵
    PID:1912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe
1⤵
PID:2324
- C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe
  C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe
  2⤵
  PID:2184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe .
1⤵
PID:1800
- C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
  C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe .
  2⤵
  PID:1968
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\hjyuiidrnglvtsesopdf.exe*."
    3⤵
    PID:2220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
1⤵
PID:3048
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3476
- C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
  2⤵
  PID:2456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe .
1⤵
PID:1600
- C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe .
  2⤵
  PID:2536
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\jjwqcatfzqtbxueqkj.exe*."
    3⤵
    PID:1224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c azlepmepiyahcyhsl.exe
1⤵
PID:4804
- C:\Windows\azlepmepiyahcyhsl.exe
  azlepmepiyahcyhsl.exe
  2⤵
  PID:3788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c trcuearbtijpjemw.exe .
1⤵
PID:5068
- C:\Windows\trcuearbtijpjemw.exe
  trcuearbtijpjemw.exe .
  2⤵
  PID:4892
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\trcuearbtijpjemw.exe*."
    3⤵
    PID:3612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uvjerqkxskoxusdqlly.exe
1⤵
PID:1844
- C:\Windows\uvjerqkxskoxusdqlly.exe
  uvjerqkxskoxusdqlly.exe
  2⤵
  PID:816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjwqcatfzqtbxueqkj.exe .
1⤵
PID:3436
- C:\Windows\jjwqcatfzqtbxueqkj.exe
  jjwqcatfzqtbxueqkj.exe .
  2⤵
  PID:2856
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\jjwqcatfzqtbxueqkj.exe*."
    3⤵
    PID:3896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
1⤵
PID:4968
- C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
  C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
  2⤵
  PID:1196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe .
1⤵
PID:4032
- C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe .
  2⤵
  PID:5108
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\azlepmepiyahcyhsl.exe*."
    3⤵
    PID:1648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
1⤵
PID:4584
- C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
  2⤵
  PID:3380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe .
1⤵
PID:5104
- C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe
  C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe .
  2⤵
  PID:3600
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\wzpmbcynkekvuuhwtvknd.exe*."
    3⤵
    PID:4072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wzpmbcynkekvuuhwtvknd.exe
1⤵
PID:1456
- C:\Windows\wzpmbcynkekvuuhwtvknd.exe
  wzpmbcynkekvuuhwtvknd.exe
  2⤵
  PID:552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjwqcatfzqtbxueqkj.exe .
1⤵
PID:776
- C:\Windows\jjwqcatfzqtbxueqkj.exe
  jjwqcatfzqtbxueqkj.exe .
  2⤵
  PID:3956
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\jjwqcatfzqtbxueqkj.exe*."
    3⤵
    PID:1100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uvjerqkxskoxusdqlly.exe
1⤵
PID:5048
- C:\Windows\uvjerqkxskoxusdqlly.exe
  uvjerqkxskoxusdqlly.exe
  2⤵
  PID:1092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wzpmbcynkekvuuhwtvknd.exe
1⤵
PID:3668
- C:\Windows\wzpmbcynkekvuuhwtvknd.exe
  wzpmbcynkekvuuhwtvknd.exe
  2⤵
  PID:2136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c trcuearbtijpjemw.exe .
1⤵
PID:4740
- C:\Windows\trcuearbtijpjemw.exe
  trcuearbtijpjemw.exe .
  2⤵
  PID:3832
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\trcuearbtijpjemw.exe*."
    3⤵
    PID:1580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c azlepmepiyahcyhsl.exe .
1⤵
PID:3376
- C:\Windows\azlepmepiyahcyhsl.exe
  azlepmepiyahcyhsl.exe .
  2⤵
  PID:3440
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\azlepmepiyahcyhsl.exe*."
    3⤵
    PID:1620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe
1⤵
PID:4932
- C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe
  2⤵
  PID:3856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe .
1⤵
PID:4784
- C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe
  C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe .
  2⤵
  PID:5012
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\uvjerqkxskoxusdqlly.exe*."
    3⤵
    PID:3956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wzpmbcynkekvuuhwtvknd.exe
1⤵
PID:4172
- C:\Windows\wzpmbcynkekvuuhwtvknd.exe
  wzpmbcynkekvuuhwtvknd.exe
  2⤵
  PID:1916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hjyuiidrnglvtsesopdf.exe
1⤵
PID:1220
- C:\Windows\hjyuiidrnglvtsesopdf.exe
  hjyuiidrnglvtsesopdf.exe
  2⤵
  PID:4760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjwqcatfzqtbxueqkj.exe .
1⤵
PID:940
- C:\Windows\jjwqcatfzqtbxueqkj.exe
  jjwqcatfzqtbxueqkj.exe .
  2⤵
  PID:208
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\jjwqcatfzqtbxueqkj.exe*."
    3⤵
    PID:4568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe
1⤵
PID:548
- C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe
  2⤵
  PID:4940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe
1⤵
PID:656
- C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe
  C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe
  2⤵
  PID:5056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c trcuearbtijpjemw.exe .
1⤵
PID:3584
- C:\Windows\trcuearbtijpjemw.exe
  trcuearbtijpjemw.exe .
  2⤵
  PID:5104
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\trcuearbtijpjemw.exe*."
    3⤵
    PID:2124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe .
1⤵
PID:3896
- C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe
  C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe .
  2⤵
  PID:692
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\wzpmbcynkekvuuhwtvknd.exe*."
    3⤵
    PID:4008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe .
1⤵
PID:4968
- C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
  C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe .
  2⤵
  PID:4820
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\hjyuiidrnglvtsesopdf.exe*."
    3⤵
    PID:1756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjwqcatfzqtbxueqkj.exe
1⤵
PID:3752
- C:\Windows\jjwqcatfzqtbxueqkj.exe
  jjwqcatfzqtbxueqkj.exe
  2⤵
  PID:768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjwqcatfzqtbxueqkj.exe .
1⤵
PID:1708
- C:\Windows\jjwqcatfzqtbxueqkj.exe
  jjwqcatfzqtbxueqkj.exe .
  2⤵
  PID:2136
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\jjwqcatfzqtbxueqkj.exe*."
    3⤵
    PID:220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
1⤵
PID:3700
- C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
  2⤵
  PID:3820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe
1⤵
PID:3800
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4880
- C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe
  2⤵
  PID:3020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe .
1⤵
PID:1176
- C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe .
  2⤵
  PID:944
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\trcuearbtijpjemw.exe*."
    3⤵
    PID:2764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe .
1⤵
PID:848
- C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe .
  2⤵
  PID:4844
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\trcuearbtijpjemw.exe*."
    3⤵
    PID:3844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe
1⤵
PID:4892
- C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe
  C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe
  2⤵
  PID:4284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe .
1⤵
PID:4184
- C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe
  C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe .
  2⤵
  PID:2944
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\uvjerqkxskoxusdqlly.exe*."
    3⤵
    PID:972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c azlepmepiyahcyhsl.exe
1⤵
PID:4956
- C:\Windows\azlepmepiyahcyhsl.exe
  azlepmepiyahcyhsl.exe
  2⤵
  PID:2036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjwqcatfzqtbxueqkj.exe .
1⤵
PID:3856
- C:\Windows\jjwqcatfzqtbxueqkj.exe
  jjwqcatfzqtbxueqkj.exe .
  2⤵
  PID:3064
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\jjwqcatfzqtbxueqkj.exe*."
    3⤵
    PID:4932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c trcuearbtijpjemw.exe
1⤵
PID:4452
- C:\Windows\trcuearbtijpjemw.exe
  trcuearbtijpjemw.exe
  2⤵
  PID:996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uvjerqkxskoxusdqlly.exe .
1⤵
PID:4432
- C:\Windows\uvjerqkxskoxusdqlly.exe
  uvjerqkxskoxusdqlly.exe .
  2⤵
  PID:2284
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\uvjerqkxskoxusdqlly.exe*."
    3⤵
    PID:1580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe
1⤵
PID:3624
- C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe
  2⤵
  PID:2200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe .
1⤵
PID:2100
- C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe
  C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe .
  2⤵
  PID:3436
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\wzpmbcynkekvuuhwtvknd.exe*."
    3⤵
    PID:4524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
1⤵
PID:4312
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4196
- C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
  2⤵
  PID:944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe .
1⤵
PID:2764
- C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
  C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe .
  2⤵
  PID:700
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\hjyuiidrnglvtsesopdf.exe*."
    3⤵
    PID:1596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hjyuiidrnglvtsesopdf.exe
1⤵
PID:3852
- C:\Windows\hjyuiidrnglvtsesopdf.exe
  hjyuiidrnglvtsesopdf.exe
  2⤵
  PID:5092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c trcuearbtijpjemw.exe .
1⤵
PID:548
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4352
- C:\Windows\trcuearbtijpjemw.exe
  trcuearbtijpjemw.exe .
  2⤵
  PID:4280
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\trcuearbtijpjemw.exe*."
    3⤵
    PID:1712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjwqcatfzqtbxueqkj.exe
1⤵
PID:3476
- C:\Windows\jjwqcatfzqtbxueqkj.exe
  jjwqcatfzqtbxueqkj.exe
  2⤵
  PID:4464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c azlepmepiyahcyhsl.exe .
1⤵
PID:1000
- C:\Windows\azlepmepiyahcyhsl.exe
  azlepmepiyahcyhsl.exe .
  2⤵
  PID:3096
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\azlepmepiyahcyhsl.exe*."
    3⤵
    PID:708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe
1⤵
PID:208
- C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\trcuearbtijpjemw.exe
  2⤵
  PID:3256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe .
1⤵
PID:748
- C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe .
  2⤵
  PID:2124
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\jjwqcatfzqtbxueqkj.exe*."
    3⤵
    PID:2340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe
1⤵
PID:400
- C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe
  C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe
  2⤵
  PID:3020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe .
1⤵
PID:4296
- C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe .
  2⤵
  PID:3612
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\azlepmepiyahcyhsl.exe*."
    3⤵
    PID:4236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjwqcatfzqtbxueqkj.exe
1⤵
PID:3856
- C:\Windows\jjwqcatfzqtbxueqkj.exe
  jjwqcatfzqtbxueqkj.exe
  2⤵
  PID:2136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjwqcatfzqtbxueqkj.exe .
1⤵
PID:4308
- C:\Windows\jjwqcatfzqtbxueqkj.exe
  jjwqcatfzqtbxueqkj.exe .
  2⤵
  PID:3904
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\jjwqcatfzqtbxueqkj.exe*."
    3⤵
    PID:4780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c trcuearbtijpjemw.exe
1⤵
PID:3668
- C:\Windows\trcuearbtijpjemw.exe
  trcuearbtijpjemw.exe
  2⤵
  PID:1692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hjyuiidrnglvtsesopdf.exe .
1⤵
PID:4524
- C:\Windows\hjyuiidrnglvtsesopdf.exe
  hjyuiidrnglvtsesopdf.exe .
  2⤵
  PID:1620
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\hjyuiidrnglvtsesopdf.exe*."
    3⤵
    PID:2764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
1⤵
PID:944
- C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
  C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
  2⤵
  PID:4172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe .
1⤵
PID:620
- C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe
  C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe .
  2⤵
  PID:848
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\uvjerqkxskoxusdqlly.exe*."
    3⤵
    PID:4600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
1⤵
PID:3076
- C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
  2⤵
  PID:1176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe .
1⤵
PID:4480
- C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe
  C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe .
  2⤵
  PID:2660
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\uvjerqkxskoxusdqlly.exe*."
    3⤵
    PID:4380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uvjerqkxskoxusdqlly.exe
1⤵
PID:3476
- C:\Windows\uvjerqkxskoxusdqlly.exe
  uvjerqkxskoxusdqlly.exe
  2⤵
  PID:208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c azlepmepiyahcyhsl.exe .
1⤵
PID:2996
- C:\Windows\azlepmepiyahcyhsl.exe
  azlepmepiyahcyhsl.exe .
  2⤵
  PID:2716
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\azlepmepiyahcyhsl.exe*."
    3⤵
    PID:1060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c trcuearbtijpjemw.exe
1⤵
PID:3772
- C:\Windows\trcuearbtijpjemw.exe
  trcuearbtijpjemw.exe
  2⤵
  PID:2656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uvjerqkxskoxusdqlly.exe .
1⤵
PID:4436
- C:\Windows\uvjerqkxskoxusdqlly.exe
  uvjerqkxskoxusdqlly.exe .
  2⤵
  PID:3752
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\uvjerqkxskoxusdqlly.exe*."
    3⤵
    PID:1092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe
1⤵
PID:2988
- C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe
  2⤵
  PID:3788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe .
1⤵
PID:2768
- C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
  C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe .
  2⤵
  PID:3028
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\hjyuiidrnglvtsesopdf.exe*."
    3⤵
    PID:5036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe
1⤵
PID:1580
- C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe
  2⤵
  PID:4648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe .
1⤵
PID:3700
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4112
- C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
  C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe .
  2⤵
  PID:3708
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\hjyuiidrnglvtsesopdf.exe*."
    3⤵
    PID:2892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hjyuiidrnglvtsesopdf.exe
1⤵
PID:4172
- C:\Windows\hjyuiidrnglvtsesopdf.exe
  hjyuiidrnglvtsesopdf.exe
  2⤵
  PID:2184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hjyuiidrnglvtsesopdf.exe .
1⤵
PID:4412
- C:\Windows\hjyuiidrnglvtsesopdf.exe
  hjyuiidrnglvtsesopdf.exe .
  2⤵
  PID:4760
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\hjyuiidrnglvtsesopdf.exe*."
    3⤵
    PID:4664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uvjerqkxskoxusdqlly.exe
1⤵
PID:1440
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2092
- C:\Windows\uvjerqkxskoxusdqlly.exe
  uvjerqkxskoxusdqlly.exe
  2⤵
  PID:1272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hjyuiidrnglvtsesopdf.exe .
1⤵
PID:780
- C:\Windows\hjyuiidrnglvtsesopdf.exe
  hjyuiidrnglvtsesopdf.exe .
  2⤵
  PID:5032
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\hjyuiidrnglvtsesopdf.exe*."
    3⤵
    PID:384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe
1⤵
PID:3580
- C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe
  C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe
  2⤵
  PID:5092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe .
1⤵
PID:2564
- C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe .
  2⤵
  PID:5012
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\jjwqcatfzqtbxueqkj.exe*."
    3⤵
    PID:816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
1⤵
PID:3652
- C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
  C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
  2⤵
  PID:4856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe .
1⤵
PID:2088
- C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
  C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe .
  2⤵
  PID:1344
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\hjyuiidrnglvtsesopdf.exe*."
    3⤵
    PID:556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wzpmbcynkekvuuhwtvknd.exe
1⤵
PID:5016
- C:\Windows\wzpmbcynkekvuuhwtvknd.exe
  wzpmbcynkekvuuhwtvknd.exe
  2⤵
  PID:2840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c azlepmepiyahcyhsl.exe
1⤵
PID:3788
- C:\Windows\azlepmepiyahcyhsl.exe
  azlepmepiyahcyhsl.exe
  2⤵
  PID:2108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wzpmbcynkekvuuhwtvknd.exe .
1⤵
PID:3748
- C:\Windows\wzpmbcynkekvuuhwtvknd.exe
  wzpmbcynkekvuuhwtvknd.exe .
  2⤵
  PID:996
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\wzpmbcynkekvuuhwtvknd.exe*."
    3⤵
    PID:2336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c azlepmepiyahcyhsl.exe .
1⤵
PID:2036
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3832
- C:\Windows\azlepmepiyahcyhsl.exe
  azlepmepiyahcyhsl.exe .
  2⤵
  PID:1076
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\azlepmepiyahcyhsl.exe*."
    3⤵
    PID:3828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c azlepmepiyahcyhsl.exe
1⤵
PID:4832
- C:\Windows\azlepmepiyahcyhsl.exe
  azlepmepiyahcyhsl.exe
  2⤵
  PID:4808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wzpmbcynkekvuuhwtvknd.exe
1⤵
PID:4496
- C:\Windows\wzpmbcynkekvuuhwtvknd.exe
  wzpmbcynkekvuuhwtvknd.exe
  2⤵
  PID:1100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uvjerqkxskoxusdqlly.exe .
1⤵
PID:2788
- C:\Windows\uvjerqkxskoxusdqlly.exe
  uvjerqkxskoxusdqlly.exe .
  2⤵
  PID:2792
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\uvjerqkxskoxusdqlly.exe*."
    3⤵
    PID:4956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c trcuearbtijpjemw.exe
1⤵
PID:1512
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5096
- C:\Windows\trcuearbtijpjemw.exe
  trcuearbtijpjemw.exe
  2⤵
  PID:4280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uvjerqkxskoxusdqlly.exe .
1⤵
PID:2332
- C:\Windows\uvjerqkxskoxusdqlly.exe
  uvjerqkxskoxusdqlly.exe .
  2⤵
  PID:2392
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\uvjerqkxskoxusdqlly.exe*."
    3⤵
    PID:208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe
1⤵
PID:2368
- C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe
  C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe
  2⤵
  PID:4868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe
1⤵
PID:1976
- C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe
  2⤵
  PID:5084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c azlepmepiyahcyhsl.exe .
1⤵
PID:1620
- C:\Windows\azlepmepiyahcyhsl.exe
  azlepmepiyahcyhsl.exe .
  2⤵
  PID:3432
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\azlepmepiyahcyhsl.exe*."
    3⤵
    PID:4864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe .
1⤵
PID:1020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe .
1⤵
PID:1036
- C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe .
  2⤵
  PID:404
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\jjwqcatfzqtbxueqkj.exe*."
    3⤵
    PID:3828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjwqcatfzqtbxueqkj.exe
1⤵
PID:1172
- C:\Windows\jjwqcatfzqtbxueqkj.exe
  jjwqcatfzqtbxueqkj.exe
  2⤵
  PID:2456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe
1⤵
PID:3844
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1712
- C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe
  C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe
  2⤵
  PID:1220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe
1⤵
PID:956
- C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe
  C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe
  2⤵
  PID:3192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hjyuiidrnglvtsesopdf.exe .
1⤵
PID:4328
- C:\Windows\hjyuiidrnglvtsesopdf.exe
  hjyuiidrnglvtsesopdf.exe .
  2⤵
  PID:1120
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\hjyuiidrnglvtsesopdf.exe*."
    3⤵
    PID:3760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe .
1⤵
PID:3896
- C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\azlepmepiyahcyhsl.exe .
  2⤵
  PID:3624
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\azlepmepiyahcyhsl.exe*."
    3⤵
    PID:4464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe .
1⤵
PID:4584
- C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe
  C:\Users\Admin\AppData\Local\Temp\wzpmbcynkekvuuhwtvknd.exe .
  2⤵
  PID:2860
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\wzpmbcynkekvuuhwtvknd.exe*."
    3⤵
    PID:2088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
1⤵
PID:2124
- C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
  C:\Users\Admin\AppData\Local\Temp\hjyuiidrnglvtsesopdf.exe
  2⤵
  PID:4212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe .
1⤵
PID:2988
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1152
- C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe .
  2⤵
  PID:2284
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\jjwqcatfzqtbxueqkj.exe*."
    3⤵
    PID:4520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe
1⤵
PID:4844
- C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe
  C:\Users\Admin\AppData\Local\Temp\uvjerqkxskoxusdqlly.exe
  2⤵
  PID:4172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe .
1⤵
PID:2784
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3048
- C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\jjwqcatfzqtbxueqkj.exe .
  2⤵
  PID:4156
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\jjwqcatfzqtbxueqkj.exe*."
    3⤵
    PID:2104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjwqcatfzqtbxueqkj.exe
1⤵
PID:3956
- C:\Windows\jjwqcatfzqtbxueqkj.exe
  jjwqcatfzqtbxueqkj.exe
  2⤵
  PID:1060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c trcuearbtijpjemw.exe .
1⤵
PID:2052
- C:\Windows\trcuearbtijpjemw.exe
  trcuearbtijpjemw.exe .
  2⤵
  PID:3904
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\trcuearbtijpjemw.exe*."
    3⤵
    PID:4980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wzpmbcynkekvuuhwtvknd.exe
1⤵
PID:1352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjwqcatfzqtbxueqkj.exe .
1⤵
PID:1844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Modify Registry