pykspa | 325b211e430cc75911dd92060d498796f9d572db4d48dea79b0ef471720400f4

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	xanovjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	xanovjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	gncxrwpmqxm.exe

Pykspa
Pykspa is a worm spreads via Skype uses DGA and it's written in C++.
worm pykspa
Pykspa family
pykspa

UAC bypass 3 TTPs 16 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xanovjk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xanovjk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	xanovjk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	xanovjk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	xanovjk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	xanovjk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	xanovjk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	xanovjk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe

Detect Pykspa worm 2 IoCs

worm

resource	yara_rule
behavioral2/files/0x00040000000227b2-4.dat	family_pykspa
behavioral2/files/0x000a0000000241bb-90.dat	family_pykspa

Adds policy Run key to start application 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mqegodfr = "zqrgbdsridqhglpehonef.exe"	gncxrwpmqxm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mqegodfr = "maykcbnjxpznjlmyyc.exe"	xanovjk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mqegodfr = "kaaoijxvlfrhfjmacigw.exe"	xanovjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zalkp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\maykcbnjxpznjlmyyc.exe"	xanovjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zalkp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqrgbdsridqhglpehonef.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mqegodfr = "dqnypnytgxgtoppaz.exe"	xanovjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zalkp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dqnypnytgxgtoppaz.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mqegodfr = "xmlyrrebqjujgjlyzeb.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mqegodfr = "kaaoijxvlfrhfjmacigw.exe"	xanovjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zalkp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wieoeblfrhpbvvue.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mqegodfr = "dqnypnytgxgtoppaz.exe"	gncxrwpmqxm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zalkp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\maykcbnjxpznjlmyyc.exe"	gncxrwpmqxm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	xanovjk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mqegodfr = "zqrgbdsridqhglpehonef.exe"	gncxrwpmqxm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mqegodfr = "dqnypnytgxgtoppaz.exe"	gncxrwpmqxm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	xanovjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zalkp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqrgbdsridqhglpehonef.exe"	xanovjk.exe

Disables RegEdit via registry modification 6 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	xanovjk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	xanovjk.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	xanovjk.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	xanovjk.exe

Checks computer location settings 2 TTPs 34 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	maykcbnjxpznjlmyyc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	wieoeblfrhpbvvue.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	kaaoijxvlfrhfjmacigw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	xmlyrrebqjujgjlyzeb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	zqrgbdsridqhglpehonef.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	wieoeblfrhpbvvue.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	maykcbnjxpznjlmyyc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	xmlyrrebqjujgjlyzeb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	kaaoijxvlfrhfjmacigw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	maykcbnjxpznjlmyyc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	xmlyrrebqjujgjlyzeb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	xmlyrrebqjujgjlyzeb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	xmlyrrebqjujgjlyzeb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	maykcbnjxpznjlmyyc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	xmlyrrebqjujgjlyzeb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	zqrgbdsridqhglpehonef.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	maykcbnjxpznjlmyyc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	xmlyrrebqjujgjlyzeb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	dqnypnytgxgtoppaz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	zqrgbdsridqhglpehonef.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	wieoeblfrhpbvvue.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	wieoeblfrhpbvvue.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	dqnypnytgxgtoppaz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	JaffaCakes118_8ce85fadb92eb13c1311e57baa44a3ef.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	wieoeblfrhpbvvue.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	kaaoijxvlfrhfjmacigw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	wieoeblfrhpbvvue.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	maykcbnjxpznjlmyyc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	wieoeblfrhpbvvue.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	zqrgbdsridqhglpehonef.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	maykcbnjxpznjlmyyc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	gncxrwpmqxm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	wieoeblfrhpbvvue.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	wieoeblfrhpbvvue.exe

Executes dropped EXE 64 IoCs

pid	Process
4788	gncxrwpmqxm.exe
3544	maykcbnjxpznjlmyyc.exe
4892	zqrgbdsridqhglpehonef.exe
3564	gncxrwpmqxm.exe
952	kaaoijxvlfrhfjmacigw.exe
4424	xmlyrrebqjujgjlyzeb.exe
2084	xmlyrrebqjujgjlyzeb.exe
3472	gncxrwpmqxm.exe
2188	maykcbnjxpznjlmyyc.exe
4728	gncxrwpmqxm.exe
1956	dqnypnytgxgtoppaz.exe
6076	maykcbnjxpznjlmyyc.exe
1636	gncxrwpmqxm.exe
3164	xanovjk.exe
2540	xanovjk.exe
5872	xmlyrrebqjujgjlyzeb.exe
5468	kaaoijxvlfrhfjmacigw.exe
2708	xmlyrrebqjujgjlyzeb.exe
6140	gncxrwpmqxm.exe
2896	wieoeblfrhpbvvue.exe
5500	maykcbnjxpznjlmyyc.exe
876	gncxrwpmqxm.exe
2312	wieoeblfrhpbvvue.exe
4800	kaaoijxvlfrhfjmacigw.exe
3836	wieoeblfrhpbvvue.exe
3440	xmlyrrebqjujgjlyzeb.exe
4608	xmlyrrebqjujgjlyzeb.exe
4892	gncxrwpmqxm.exe
4900	wieoeblfrhpbvvue.exe
5192	wieoeblfrhpbvvue.exe
5316	gncxrwpmqxm.exe
1500	maykcbnjxpznjlmyyc.exe
644	xmlyrrebqjujgjlyzeb.exe
5792	gncxrwpmqxm.exe
5176	gncxrwpmqxm.exe
6076	maykcbnjxpznjlmyyc.exe
2228	kaaoijxvlfrhfjmacigw.exe
5556	gncxrwpmqxm.exe
5824	dqnypnytgxgtoppaz.exe
2508	gncxrwpmqxm.exe
1944	maykcbnjxpznjlmyyc.exe
3408	gncxrwpmqxm.exe
4440	maykcbnjxpznjlmyyc.exe
3488	wieoeblfrhpbvvue.exe
5624	kaaoijxvlfrhfjmacigw.exe
2012	gncxrwpmqxm.exe
5424	maykcbnjxpznjlmyyc.exe
5152	gncxrwpmqxm.exe
2196	xmlyrrebqjujgjlyzeb.exe
548	kaaoijxvlfrhfjmacigw.exe
6012	gncxrwpmqxm.exe
3324	maykcbnjxpznjlmyyc.exe
4924	xmlyrrebqjujgjlyzeb.exe
2312	gncxrwpmqxm.exe
5920	zqrgbdsridqhglpehonef.exe
3560	zqrgbdsridqhglpehonef.exe
4784	wieoeblfrhpbvvue.exe
1680	maykcbnjxpznjlmyyc.exe
1928	dqnypnytgxgtoppaz.exe
5432	gncxrwpmqxm.exe
2040	kaaoijxvlfrhfjmacigw.exe
1904	gncxrwpmqxm.exe
3544	zqrgbdsridqhglpehonef.exe
2948	zqrgbdsridqhglpehonef.exe

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	xanovjk.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	xanovjk.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	xanovjk.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	xanovjk.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	xanovjk.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	xanovjk.exe

Adds Run key to start application 2 TTPs 62 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

defense_evasion persistence privilege_escalation

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kmyyer = "maykcbnjxpznjlmyyc.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xanovjk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xmlyrrebqjujgjlyzeb.exe ."	xanovjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xanovjk = "kaaoijxvlfrhfjmacigw.exe ."	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kmyyer = "wieoeblfrhpbvvue.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kmyyer = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dqnypnytgxgtoppaz.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rypufxcryjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wieoeblfrhpbvvue.exe ."	xanovjk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xanovjk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\maykcbnjxpznjlmyyc.exe ."	xanovjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xanovjk = "xmlyrrebqjujgjlyzeb.exe ."	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xanovjk = "maykcbnjxpznjlmyyc.exe ."	xanovjk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wcswgxbpvf = "xmlyrrebqjujgjlyzeb.exe ."	xanovjk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kmyyer = "C:\\Users\\Admin\\AppData\\Local\\Temp\\maykcbnjxpznjlmyyc.exe"	xanovjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kmyyer = "dqnypnytgxgtoppaz.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xanovjk = "xmlyrrebqjujgjlyzeb.exe ."	xanovjk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dixajzcpu = "dqnypnytgxgtoppaz.exe"	xanovjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xanovjk = "maykcbnjxpznjlmyyc.exe ."	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\owougzfvdptb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xmlyrrebqjujgjlyzeb.exe"	xanovjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\owougzfvdptb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xmlyrrebqjujgjlyzeb.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kmyyer = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xmlyrrebqjujgjlyzeb.exe"	xanovjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kmyyer = "xmlyrrebqjujgjlyzeb.exe"	xanovjk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wcswgxbpvf = "wieoeblfrhpbvvue.exe ."	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wcswgxbpvf = "wieoeblfrhpbvvue.exe ."	xanovjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rypufxcryjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dqnypnytgxgtoppaz.exe ."	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xanovjk = "xmlyrrebqjujgjlyzeb.exe ."	xanovjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kmyyer = "zqrgbdsridqhglpehonef.exe"	xanovjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rypufxcryjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqrgbdsridqhglpehonef.exe ."	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kmyyer = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqrgbdsridqhglpehonef.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wcswgxbpvf = "wieoeblfrhpbvvue.exe ."	xanovjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\owougzfvdptb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kaaoijxvlfrhfjmacigw.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kmyyer = "dqnypnytgxgtoppaz.exe"	xanovjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\owougzfvdptb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kaaoijxvlfrhfjmacigw.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wcswgxbpvf = "zqrgbdsridqhglpehonef.exe ."	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xanovjk = "zqrgbdsridqhglpehonef.exe ."	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xanovjk = "wieoeblfrhpbvvue.exe ."	xanovjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xanovjk = "maykcbnjxpznjlmyyc.exe ."	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kmyyer = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xmlyrrebqjujgjlyzeb.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kmyyer = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wieoeblfrhpbvvue.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kmyyer = "maykcbnjxpznjlmyyc.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kmyyer = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xmlyrrebqjujgjlyzeb.exe"	xanovjk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dixajzcpu = "maykcbnjxpznjlmyyc.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wcswgxbpvf = "wieoeblfrhpbvvue.exe ."	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kmyyer = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dqnypnytgxgtoppaz.exe"	xanovjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\owougzfvdptb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xmlyrrebqjujgjlyzeb.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dixajzcpu = "kaaoijxvlfrhfjmacigw.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kmyyer = "kaaoijxvlfrhfjmacigw.exe"	xanovjk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xanovjk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kaaoijxvlfrhfjmacigw.exe ."	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kmyyer = "maykcbnjxpznjlmyyc.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xanovjk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dqnypnytgxgtoppaz.exe ."	xanovjk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dixajzcpu = "kaaoijxvlfrhfjmacigw.exe"	xanovjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\owougzfvdptb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wieoeblfrhpbvvue.exe"	xanovjk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dixajzcpu = "zqrgbdsridqhglpehonef.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wcswgxbpvf = "xmlyrrebqjujgjlyzeb.exe ."	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rypufxcryjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wieoeblfrhpbvvue.exe ."	xanovjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rypufxcryjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\maykcbnjxpznjlmyyc.exe ."	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dixajzcpu = "kaaoijxvlfrhfjmacigw.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rypufxcryjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\maykcbnjxpznjlmyyc.exe ."	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xanovjk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\maykcbnjxpznjlmyyc.exe ."	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wcswgxbpvf = "xmlyrrebqjujgjlyzeb.exe ."	xanovjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\owougzfvdptb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqrgbdsridqhglpehonef.exe"	xanovjk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xanovjk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqrgbdsridqhglpehonef.exe ."	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xanovjk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\maykcbnjxpznjlmyyc.exe ."	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dixajzcpu = "maykcbnjxpznjlmyyc.exe"	xanovjk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xanovjk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kaaoijxvlfrhfjmacigw.exe ."	xanovjk.exe

Checks whether UAC is enabled 1 TTPs 14 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xanovjk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	xanovjk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xanovjk.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	xanovjk.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	gncxrwpmqxm.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs

Possible Turn off User Account Control's privilege elevation for standard users.

Executable Installer File Permissions Weakness

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	xanovjk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	xanovjk.exe

Looks up external IP address via web service 8 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
47	www.whatismyip.ca
23	www.whatismyip.ca
24	whatismyipaddress.com
29	whatismyip.everdot.org
37	www.whatismyip.ca
39	www.showmyipaddress.com
43	www.whatismyip.ca
46	whatismyip.everdot.org

Drops file in System32 directory 53 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\rypufxcryjmtidxcvshofkvnshozcjytn.lix	xanovjk.exe
File opened for modification	C:\Windows\SysWOW64\wieoeblfrhpbvvue.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\dqnypnytgxgtoppaz.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\xmlyrrebqjujgjlyzeb.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\kaaoijxvlfrhfjmacigw.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\wieoeblfrhpbvvue.exe	xanovjk.exe
File opened for modification	C:\Windows\SysWOW64\xmlyrrebqjujgjlyzeb.exe	xanovjk.exe
File opened for modification	C:\Windows\SysWOW64\awcwwdxbxxplpzickwawcw.dxb	xanovjk.exe
File opened for modification	C:\Windows\SysWOW64\qikawzpphdrjjpukowwoqg.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\qikawzpphdrjjpukowwoqg.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\kaaoijxvlfrhfjmacigw.exe	xanovjk.exe
File opened for modification	C:\Windows\SysWOW64\zqrgbdsridqhglpehonef.exe	xanovjk.exe
File opened for modification	C:\Windows\SysWOW64\wieoeblfrhpbvvue.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\zqrgbdsridqhglpehonef.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\kaaoijxvlfrhfjmacigw.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\maykcbnjxpznjlmyyc.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\maykcbnjxpznjlmyyc.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\zqrgbdsridqhglpehonef.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\qikawzpphdrjjpukowwoqg.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\maykcbnjxpznjlmyyc.exe	xanovjk.exe
File created	C:\Windows\SysWOW64\awcwwdxbxxplpzickwawcw.dxb	xanovjk.exe
File opened for modification	C:\Windows\SysWOW64\wieoeblfrhpbvvue.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\zqrgbdsridqhglpehonef.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\wieoeblfrhpbvvue.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\xmlyrrebqjujgjlyzeb.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\zqrgbdsridqhglpehonef.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\dqnypnytgxgtoppaz.exe	xanovjk.exe
File opened for modification	C:\Windows\SysWOW64\kaaoijxvlfrhfjmacigw.exe	xanovjk.exe
File opened for modification	C:\Windows\SysWOW64\maykcbnjxpznjlmyyc.exe	xanovjk.exe
File created	C:\Windows\SysWOW64\rypufxcryjmtidxcvshofkvnshozcjytn.lix	xanovjk.exe
File opened for modification	C:\Windows\SysWOW64\dqnypnytgxgtoppaz.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\kaaoijxvlfrhfjmacigw.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\maykcbnjxpznjlmyyc.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\qikawzpphdrjjpukowwoqg.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\maykcbnjxpznjlmyyc.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\wieoeblfrhpbvvue.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\zqrgbdsridqhglpehonef.exe	xanovjk.exe
File opened for modification	C:\Windows\SysWOW64\dqnypnytgxgtoppaz.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\xmlyrrebqjujgjlyzeb.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\xmlyrrebqjujgjlyzeb.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\zqrgbdsridqhglpehonef.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\qikawzpphdrjjpukowwoqg.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\kaaoijxvlfrhfjmacigw.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\wieoeblfrhpbvvue.exe	xanovjk.exe
File opened for modification	C:\Windows\SysWOW64\qikawzpphdrjjpukowwoqg.exe	xanovjk.exe
File opened for modification	C:\Windows\SysWOW64\qikawzpphdrjjpukowwoqg.exe	xanovjk.exe
File opened for modification	C:\Windows\SysWOW64\maykcbnjxpznjlmyyc.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\kaaoijxvlfrhfjmacigw.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\xmlyrrebqjujgjlyzeb.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\dqnypnytgxgtoppaz.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\dqnypnytgxgtoppaz.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\xmlyrrebqjujgjlyzeb.exe	xanovjk.exe
File opened for modification	C:\Windows\SysWOW64\dqnypnytgxgtoppaz.exe	xanovjk.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\awcwwdxbxxplpzickwawcw.dxb	xanovjk.exe
File created	C:\Program Files (x86)\awcwwdxbxxplpzickwawcw.dxb	xanovjk.exe
File opened for modification	C:\Program Files (x86)\rypufxcryjmtidxcvshofkvnshozcjytn.lix	xanovjk.exe
File created	C:\Program Files (x86)\rypufxcryjmtidxcvshofkvnshozcjytn.lix	xanovjk.exe

Drops file in Windows directory 53 IoCs

description	ioc	Process
File opened for modification	C:\Windows\wieoeblfrhpbvvue.exe	xanovjk.exe
File opened for modification	C:\Windows\zqrgbdsridqhglpehonef.exe	xanovjk.exe
File opened for modification	C:\Windows\xmlyrrebqjujgjlyzeb.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\xmlyrrebqjujgjlyzeb.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\zqrgbdsridqhglpehonef.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\kaaoijxvlfrhfjmacigw.exe	xanovjk.exe
File opened for modification	C:\Windows\wieoeblfrhpbvvue.exe	xanovjk.exe
File created	C:\Windows\awcwwdxbxxplpzickwawcw.dxb	xanovjk.exe
File created	C:\Windows\rypufxcryjmtidxcvshofkvnshozcjytn.lix	xanovjk.exe
File opened for modification	C:\Windows\kaaoijxvlfrhfjmacigw.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\maykcbnjxpznjlmyyc.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\dqnypnytgxgtoppaz.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\xmlyrrebqjujgjlyzeb.exe	xanovjk.exe
File opened for modification	C:\Windows\xmlyrrebqjujgjlyzeb.exe	xanovjk.exe
File opened for modification	C:\Windows\zqrgbdsridqhglpehonef.exe	xanovjk.exe
File opened for modification	C:\Windows\dqnypnytgxgtoppaz.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\wieoeblfrhpbvvue.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\qikawzpphdrjjpukowwoqg.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\dqnypnytgxgtoppaz.exe	xanovjk.exe
File opened for modification	C:\Windows\xmlyrrebqjujgjlyzeb.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\kaaoijxvlfrhfjmacigw.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\qikawzpphdrjjpukowwoqg.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\qikawzpphdrjjpukowwoqg.exe	xanovjk.exe
File opened for modification	C:\Windows\maykcbnjxpznjlmyyc.exe	xanovjk.exe
File opened for modification	C:\Windows\kaaoijxvlfrhfjmacigw.exe	xanovjk.exe
File opened for modification	C:\Windows\xmlyrrebqjujgjlyzeb.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\qikawzpphdrjjpukowwoqg.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\maykcbnjxpznjlmyyc.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\zqrgbdsridqhglpehonef.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\dqnypnytgxgtoppaz.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\kaaoijxvlfrhfjmacigw.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\maykcbnjxpznjlmyyc.exe	xanovjk.exe
File opened for modification	C:\Windows\zqrgbdsridqhglpehonef.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\dqnypnytgxgtoppaz.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\zqrgbdsridqhglpehonef.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\qikawzpphdrjjpukowwoqg.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\dqnypnytgxgtoppaz.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\wieoeblfrhpbvvue.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\wieoeblfrhpbvvue.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\dqnypnytgxgtoppaz.exe	xanovjk.exe
File opened for modification	C:\Windows\awcwwdxbxxplpzickwawcw.dxb	xanovjk.exe
File opened for modification	C:\Windows\rypufxcryjmtidxcvshofkvnshozcjytn.lix	xanovjk.exe
File opened for modification	C:\Windows\wieoeblfrhpbvvue.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\wieoeblfrhpbvvue.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\kaaoijxvlfrhfjmacigw.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\maykcbnjxpznjlmyyc.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\maykcbnjxpznjlmyyc.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\xmlyrrebqjujgjlyzeb.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\qikawzpphdrjjpukowwoqg.exe	xanovjk.exe
File opened for modification	C:\Windows\maykcbnjxpznjlmyyc.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\kaaoijxvlfrhfjmacigw.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\qikawzpphdrjjpukowwoqg.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\zqrgbdsridqhglpehonef.exe	gncxrwpmqxm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 41 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gncxrwpmqxm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wieoeblfrhpbvvue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	maykcbnjxpznjlmyyc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xmlyrrebqjujgjlyzeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zqrgbdsridqhglpehonef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xmlyrrebqjujgjlyzeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xanovjk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wieoeblfrhpbvvue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	maykcbnjxpznjlmyyc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dqnypnytgxgtoppaz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kaaoijxvlfrhfjmacigw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wieoeblfrhpbvvue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zqrgbdsridqhglpehonef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kaaoijxvlfrhfjmacigw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wieoeblfrhpbvvue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xmlyrrebqjujgjlyzeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xmlyrrebqjujgjlyzeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kaaoijxvlfrhfjmacigw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zqrgbdsridqhglpehonef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	maykcbnjxpznjlmyyc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xmlyrrebqjujgjlyzeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xmlyrrebqjujgjlyzeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8ce85fadb92eb13c1311e57baa44a3ef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	maykcbnjxpznjlmyyc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	maykcbnjxpznjlmyyc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xmlyrrebqjujgjlyzeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	maykcbnjxpznjlmyyc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wieoeblfrhpbvvue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wieoeblfrhpbvvue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wieoeblfrhpbvvue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wieoeblfrhpbvvue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dqnypnytgxgtoppaz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dqnypnytgxgtoppaz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	maykcbnjxpznjlmyyc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dqnypnytgxgtoppaz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xmlyrrebqjujgjlyzeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wieoeblfrhpbvvue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kaaoijxvlfrhfjmacigw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	maykcbnjxpznjlmyyc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zqrgbdsridqhglpehonef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wieoeblfrhpbvvue.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
5332	JaffaCakes118_8ce85fadb92eb13c1311e57baa44a3ef.exe
5332	JaffaCakes118_8ce85fadb92eb13c1311e57baa44a3ef.exe
5332	JaffaCakes118_8ce85fadb92eb13c1311e57baa44a3ef.exe
5332	JaffaCakes118_8ce85fadb92eb13c1311e57baa44a3ef.exe
5332	JaffaCakes118_8ce85fadb92eb13c1311e57baa44a3ef.exe
5332	JaffaCakes118_8ce85fadb92eb13c1311e57baa44a3ef.exe
5332	JaffaCakes118_8ce85fadb92eb13c1311e57baa44a3ef.exe
5332	JaffaCakes118_8ce85fadb92eb13c1311e57baa44a3ef.exe
5332	JaffaCakes118_8ce85fadb92eb13c1311e57baa44a3ef.exe
5332	JaffaCakes118_8ce85fadb92eb13c1311e57baa44a3ef.exe
5332	JaffaCakes118_8ce85fadb92eb13c1311e57baa44a3ef.exe
5332	JaffaCakes118_8ce85fadb92eb13c1311e57baa44a3ef.exe
5332	JaffaCakes118_8ce85fadb92eb13c1311e57baa44a3ef.exe
5332	JaffaCakes118_8ce85fadb92eb13c1311e57baa44a3ef.exe
3164	xanovjk.exe
3164	xanovjk.exe
5332	JaffaCakes118_8ce85fadb92eb13c1311e57baa44a3ef.exe
5332	JaffaCakes118_8ce85fadb92eb13c1311e57baa44a3ef.exe
5332	JaffaCakes118_8ce85fadb92eb13c1311e57baa44a3ef.exe
5332	JaffaCakes118_8ce85fadb92eb13c1311e57baa44a3ef.exe
5332	JaffaCakes118_8ce85fadb92eb13c1311e57baa44a3ef.exe
5332	JaffaCakes118_8ce85fadb92eb13c1311e57baa44a3ef.exe
5332	JaffaCakes118_8ce85fadb92eb13c1311e57baa44a3ef.exe
5332	JaffaCakes118_8ce85fadb92eb13c1311e57baa44a3ef.exe
5332	JaffaCakes118_8ce85fadb92eb13c1311e57baa44a3ef.exe
5332	JaffaCakes118_8ce85fadb92eb13c1311e57baa44a3ef.exe
5332	JaffaCakes118_8ce85fadb92eb13c1311e57baa44a3ef.exe
5332	JaffaCakes118_8ce85fadb92eb13c1311e57baa44a3ef.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3164	xanovjk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5332 wrote to memory of 4788	5332	JaffaCakes118_8ce85fadb92eb13c1311e57baa44a3ef.exe	92
PID 5332 wrote to memory of 4788	5332	JaffaCakes118_8ce85fadb92eb13c1311e57baa44a3ef.exe	92
PID 5332 wrote to memory of 4788	5332	JaffaCakes118_8ce85fadb92eb13c1311e57baa44a3ef.exe	92
PID 5040 wrote to memory of 3544	5040	cmd.exe	95
PID 5040 wrote to memory of 3544	5040	cmd.exe	95
PID 5040 wrote to memory of 3544	5040	cmd.exe	95
PID 968 wrote to memory of 4892	968	cmd.exe	98
PID 968 wrote to memory of 4892	968	cmd.exe	98
PID 968 wrote to memory of 4892	968	cmd.exe	98
PID 4892 wrote to memory of 3564	4892	zqrgbdsridqhglpehonef.exe	101
PID 4892 wrote to memory of 3564	4892	zqrgbdsridqhglpehonef.exe	101
PID 4892 wrote to memory of 3564	4892	zqrgbdsridqhglpehonef.exe	101
PID 232 wrote to memory of 952	232	cmd.exe	104
PID 232 wrote to memory of 952	232	cmd.exe	104
PID 232 wrote to memory of 952	232	cmd.exe	104
PID 3808 wrote to memory of 4424	3808	cmd.exe	107
PID 3808 wrote to memory of 4424	3808	cmd.exe	107
PID 3808 wrote to memory of 4424	3808	cmd.exe	107
PID 3404 wrote to memory of 2084	3404	cmd.exe	241
PID 3404 wrote to memory of 2084	3404	cmd.exe	241
PID 3404 wrote to memory of 2084	3404	cmd.exe	241
PID 4424 wrote to memory of 3472	4424	xmlyrrebqjujgjlyzeb.exe	606
PID 4424 wrote to memory of 3472	4424	xmlyrrebqjujgjlyzeb.exe	606
PID 4424 wrote to memory of 3472	4424	xmlyrrebqjujgjlyzeb.exe	606
PID 2660 wrote to memory of 2188	2660	cmd.exe	114
PID 2660 wrote to memory of 2188	2660	cmd.exe	114
PID 2660 wrote to memory of 2188	2660	cmd.exe	114
PID 2188 wrote to memory of 4728	2188	maykcbnjxpznjlmyyc.exe	504
PID 2188 wrote to memory of 4728	2188	maykcbnjxpznjlmyyc.exe	504
PID 2188 wrote to memory of 4728	2188	maykcbnjxpznjlmyyc.exe	504
PID 3284 wrote to memory of 1956	3284	cmd.exe	120
PID 3284 wrote to memory of 1956	3284	cmd.exe	120
PID 3284 wrote to memory of 1956	3284	cmd.exe	120
PID 3480 wrote to memory of 6076	3480	cmd.exe	717
PID 3480 wrote to memory of 6076	3480	cmd.exe	717
PID 3480 wrote to memory of 6076	3480	cmd.exe	717
PID 6076 wrote to memory of 1636	6076	maykcbnjxpznjlmyyc.exe	124
PID 6076 wrote to memory of 1636	6076	maykcbnjxpznjlmyyc.exe	124
PID 6076 wrote to memory of 1636	6076	maykcbnjxpznjlmyyc.exe	124
PID 4788 wrote to memory of 3164	4788	gncxrwpmqxm.exe	125
PID 4788 wrote to memory of 3164	4788	gncxrwpmqxm.exe	125
PID 4788 wrote to memory of 3164	4788	gncxrwpmqxm.exe	125
PID 4788 wrote to memory of 2540	4788	gncxrwpmqxm.exe	126
PID 4788 wrote to memory of 2540	4788	gncxrwpmqxm.exe	126
PID 4788 wrote to memory of 2540	4788	gncxrwpmqxm.exe	126
PID 660 wrote to memory of 5872	660	cmd.exe	129
PID 660 wrote to memory of 5872	660	cmd.exe	129
PID 660 wrote to memory of 5872	660	cmd.exe	129
PID 5152 wrote to memory of 5468	5152	cmd.exe	132
PID 5152 wrote to memory of 5468	5152	cmd.exe	132
PID 5152 wrote to memory of 5468	5152	cmd.exe	132
PID 4304 wrote to memory of 2708	4304	cmd.exe	135
PID 4304 wrote to memory of 2708	4304	cmd.exe	135
PID 4304 wrote to memory of 2708	4304	cmd.exe	135
PID 2708 wrote to memory of 6140	2708	xmlyrrebqjujgjlyzeb.exe	796
PID 2708 wrote to memory of 6140	2708	xmlyrrebqjujgjlyzeb.exe	796
PID 2708 wrote to memory of 6140	2708	xmlyrrebqjujgjlyzeb.exe	796
PID 768 wrote to memory of 2896	768	cmd.exe	139
PID 768 wrote to memory of 2896	768	cmd.exe	139
PID 768 wrote to memory of 2896	768	cmd.exe	139
PID 4740 wrote to memory of 5500	4740	cmd.exe	357
PID 4740 wrote to memory of 5500	4740	cmd.exe	357
PID 4740 wrote to memory of 5500	4740	cmd.exe	357
PID 2896 wrote to memory of 876	2896	wieoeblfrhpbvvue.exe	148

System policy modification 1 TTPs 44 IoCs

defense_evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	xanovjk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	xanovjk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	xanovjk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	gncxrwpmqxm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	xanovjk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	xanovjk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	xanovjk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	xanovjk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xanovjk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	xanovjk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	xanovjk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	xanovjk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	xanovjk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	xanovjk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	xanovjk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	xanovjk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	xanovjk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	xanovjk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	gncxrwpmqxm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	xanovjk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	xanovjk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	xanovjk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	xanovjk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	xanovjk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	gncxrwpmqxm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	xanovjk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xanovjk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8ce85fadb92eb13c1311e57baa44a3ef.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8ce85fadb92eb13c1311e57baa44a3ef.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5332
- C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
  "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_8ce85fadb92eb13c1311e57baa44a3ef.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4788
- - C:\Users\Admin\AppData\Local\Temp\xanovjk.exe
    "C:\Users\Admin\AppData\Local\Temp\xanovjk.exe" "-C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:3164
- - C:\Users\Admin\AppData\Local\Temp\xanovjk.exe
    "C:\Users\Admin\AppData\Local\Temp\xanovjk.exe" "-C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c maykcbnjxpznjlmyyc.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Windows\maykcbnjxpznjlmyyc.exe
  maykcbnjxpznjlmyyc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqrgbdsridqhglpehonef.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:968
- C:\Windows\zqrgbdsridqhglpehonef.exe
  zqrgbdsridqhglpehonef.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4892
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zqrgbdsridqhglpehonef.exe*."
    3⤵
    - Executes dropped EXE
    PID:3564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kaaoijxvlfrhfjmacigw.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:232
- C:\Windows\kaaoijxvlfrhfjmacigw.exe
  kaaoijxvlfrhfjmacigw.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xmlyrrebqjujgjlyzeb.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:3808
- C:\Windows\xmlyrrebqjujgjlyzeb.exe
  xmlyrrebqjujgjlyzeb.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4424
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\xmlyrrebqjujgjlyzeb.exe*."
    3⤵
    - Executes dropped EXE
    PID:3472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3404
- C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
  C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\maykcbnjxpznjlmyyc.exe*."
    3⤵
    - Executes dropped EXE
    PID:4728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3284
- C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:3480
- C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:6076
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\maykcbnjxpznjlmyyc.exe*."
    3⤵
    - Executes dropped EXE
    PID:1636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xmlyrrebqjujgjlyzeb.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:660
- C:\Windows\xmlyrrebqjujgjlyzeb.exe
  xmlyrrebqjujgjlyzeb.exe
  2⤵
  - Executes dropped EXE
  PID:5872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kaaoijxvlfrhfjmacigw.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5152
- C:\Windows\kaaoijxvlfrhfjmacigw.exe
  kaaoijxvlfrhfjmacigw.exe
  2⤵
  - Executes dropped EXE
  PID:5468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xmlyrrebqjujgjlyzeb.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:4304
- C:\Windows\xmlyrrebqjujgjlyzeb.exe
  xmlyrrebqjujgjlyzeb.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\xmlyrrebqjujgjlyzeb.exe*."
    3⤵
    - Executes dropped EXE
    PID:6140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wieoeblfrhpbvvue.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:768
- C:\Windows\wieoeblfrhpbvvue.exe
  wieoeblfrhpbvvue.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\wieoeblfrhpbvvue.exe*."
    3⤵
    - Executes dropped EXE
    PID:876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c maykcbnjxpznjlmyyc.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4740
- C:\Windows\maykcbnjxpznjlmyyc.exe
  maykcbnjxpznjlmyyc.exe
  2⤵
  - Executes dropped EXE
  PID:5500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wieoeblfrhpbvvue.exe .
1⤵
PID:776
- C:\Windows\wieoeblfrhpbvvue.exe
  wieoeblfrhpbvvue.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2312
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\wieoeblfrhpbvvue.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kaaoijxvlfrhfjmacigw.exe
1⤵
PID:4864
- C:\Windows\kaaoijxvlfrhfjmacigw.exe
  kaaoijxvlfrhfjmacigw.exe
  2⤵
  - Executes dropped EXE
  PID:4800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe
1⤵
PID:3328
- C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xmlyrrebqjujgjlyzeb.exe .
1⤵
PID:744
- C:\Windows\xmlyrrebqjujgjlyzeb.exe
  xmlyrrebqjujgjlyzeb.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4608
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\xmlyrrebqjujgjlyzeb.exe*."
    3⤵
    - Executes dropped EXE
    PID:5316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe .
1⤵
PID:4792
- C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5192
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\wieoeblfrhpbvvue.exe*."
    3⤵
    - Executes dropped EXE
    PID:5176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
1⤵
PID:4624
- C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
  C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
  2⤵
  - Executes dropped EXE
  PID:3440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe .
1⤵
PID:2244
- C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4900
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\wieoeblfrhpbvvue.exe*."
    3⤵
    - Executes dropped EXE
    PID:5792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
1⤵
PID:1188
- C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
  C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
  2⤵
  - Executes dropped EXE
  PID:644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe .
1⤵
PID:5632
- C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6076
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\maykcbnjxpznjlmyyc.exe*."
    3⤵
    - Executes dropped EXE
    PID:5556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe
1⤵
PID:3508
- C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe
  2⤵
  - Executes dropped EXE
  PID:1500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe .
1⤵
PID:1344
- C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
  C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2228
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\kaaoijxvlfrhfjmacigw.exe*."
    3⤵
    - Executes dropped EXE
    PID:2508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dqnypnytgxgtoppaz.exe
1⤵
PID:3300
- C:\Windows\dqnypnytgxgtoppaz.exe
  dqnypnytgxgtoppaz.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c maykcbnjxpznjlmyyc.exe .
1⤵
PID:2320
- C:\Windows\maykcbnjxpznjlmyyc.exe
  maykcbnjxpznjlmyyc.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1944
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\maykcbnjxpznjlmyyc.exe*."
    3⤵
    - Executes dropped EXE
    PID:3408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c maykcbnjxpznjlmyyc.exe
1⤵
PID:4292
- C:\Windows\maykcbnjxpznjlmyyc.exe
  maykcbnjxpznjlmyyc.exe
  2⤵
  - Executes dropped EXE
  PID:4440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wieoeblfrhpbvvue.exe .
1⤵
PID:2308
- C:\Windows\wieoeblfrhpbvvue.exe
  wieoeblfrhpbvvue.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3488
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\wieoeblfrhpbvvue.exe*."
    3⤵
    - Executes dropped EXE
    PID:2012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
1⤵
PID:1580
- C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
  C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
  2⤵
  - Executes dropped EXE
  PID:5624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe .
1⤵
PID:572
- C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5424
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\maykcbnjxpznjlmyyc.exe*."
    3⤵
    - Executes dropped EXE
    PID:5152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
1⤵
PID:2924
- C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
  C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
  2⤵
  - Executes dropped EXE
  PID:2196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe .
1⤵
PID:4212
- C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
  C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:548
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\kaaoijxvlfrhfjmacigw.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:6012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c maykcbnjxpznjlmyyc.exe
1⤵
PID:4976
- C:\Windows\maykcbnjxpznjlmyyc.exe
  maykcbnjxpznjlmyyc.exe
  2⤵
  - Executes dropped EXE
  PID:3324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xmlyrrebqjujgjlyzeb.exe .
1⤵
PID:4392
- C:\Windows\xmlyrrebqjujgjlyzeb.exe
  xmlyrrebqjujgjlyzeb.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4924
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\xmlyrrebqjujgjlyzeb.exe*."
    3⤵
    - Executes dropped EXE
    PID:2312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqrgbdsridqhglpehonef.exe
1⤵
PID:4488
- C:\Windows\zqrgbdsridqhglpehonef.exe
  zqrgbdsridqhglpehonef.exe
  2⤵
  - Executes dropped EXE
  PID:5920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqrgbdsridqhglpehonef.exe
1⤵
PID:5880
- C:\Windows\zqrgbdsridqhglpehonef.exe
  zqrgbdsridqhglpehonef.exe
  2⤵
  - Executes dropped EXE
  PID:3560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wieoeblfrhpbvvue.exe .
1⤵
PID:5772
- C:\Windows\wieoeblfrhpbvvue.exe
  wieoeblfrhpbvvue.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4784
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\wieoeblfrhpbvvue.exe*."
    3⤵
    - Executes dropped EXE
    PID:5432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dqnypnytgxgtoppaz.exe
1⤵
PID:400
- C:\Windows\dqnypnytgxgtoppaz.exe
  dqnypnytgxgtoppaz.exe
  2⤵
  - Executes dropped EXE
  PID:1928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c maykcbnjxpznjlmyyc.exe .
1⤵
PID:2680
- C:\Windows\maykcbnjxpznjlmyyc.exe
  maykcbnjxpznjlmyyc.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1680
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\maykcbnjxpznjlmyyc.exe*."
    3⤵
    - Executes dropped EXE
    PID:1904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
1⤵
PID:1400
- C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
  C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
  2⤵
  - Executes dropped EXE
  PID:2040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe .
1⤵
PID:1664
- C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe
  C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3544
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zqrgbdsridqhglpehonef.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xmlyrrebqjujgjlyzeb.exe .
1⤵
PID:2272
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4900
- C:\Windows\xmlyrrebqjujgjlyzeb.exe
  xmlyrrebqjujgjlyzeb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4004
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\xmlyrrebqjujgjlyzeb.exe*."
    3⤵
    PID:3968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c maykcbnjxpznjlmyyc.exe
1⤵
PID:2084
- C:\Windows\maykcbnjxpznjlmyyc.exe
  maykcbnjxpznjlmyyc.exe
  2⤵
  PID:1812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xmlyrrebqjujgjlyzeb.exe .
1⤵
PID:456
- C:\Windows\xmlyrrebqjujgjlyzeb.exe
  xmlyrrebqjujgjlyzeb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5096
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\xmlyrrebqjujgjlyzeb.exe*."
    3⤵
    PID:3088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dqnypnytgxgtoppaz.exe
1⤵
PID:4216
- C:\Windows\dqnypnytgxgtoppaz.exe
  dqnypnytgxgtoppaz.exe
  2⤵
  PID:1488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe
1⤵
PID:4884
- C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe
  C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe
  2⤵
  - Executes dropped EXE
  PID:2948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe
1⤵
PID:4524
- C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe
  2⤵
  PID:5516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe .
1⤵
PID:5360
- C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5656
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\wieoeblfrhpbvvue.exe*."
    3⤵
    PID:4272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wieoeblfrhpbvvue.exe .
1⤵
PID:5860
- C:\Windows\wieoeblfrhpbvvue.exe
  wieoeblfrhpbvvue.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5648
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\wieoeblfrhpbvvue.exe*."
    3⤵
    PID:2896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe .
1⤵
PID:3132
- C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe
  C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5356
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zqrgbdsridqhglpehonef.exe*."
    3⤵
    PID:2844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
1⤵
PID:3004
- C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
  C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
  2⤵
  PID:2260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe .
1⤵
PID:3696
- C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4836
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\wieoeblfrhpbvvue.exe*."
    3⤵
    PID:4772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
1⤵
PID:1412
- C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
  2⤵
  PID:4344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe .
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
  C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2912
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\xmlyrrebqjujgjlyzeb.exe*."
    3⤵
    PID:540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
1⤵
PID:536
- C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
  C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
  2⤵
  PID:468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe .
1⤵
PID:4220
- C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:676
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\dqnypnytgxgtoppaz.exe*."
    3⤵
    PID:2788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c maykcbnjxpznjlmyyc.exe
1⤵
PID:4460
- C:\Windows\maykcbnjxpznjlmyyc.exe
  maykcbnjxpznjlmyyc.exe
  2⤵
  PID:4808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kaaoijxvlfrhfjmacigw.exe .
1⤵
PID:2304
- C:\Windows\kaaoijxvlfrhfjmacigw.exe
  kaaoijxvlfrhfjmacigw.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1492
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\kaaoijxvlfrhfjmacigw.exe*."
    3⤵
    PID:4620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kaaoijxvlfrhfjmacigw.exe
1⤵
PID:4924
- C:\Windows\kaaoijxvlfrhfjmacigw.exe
  kaaoijxvlfrhfjmacigw.exe
  2⤵
  PID:2280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqrgbdsridqhglpehonef.exe .
1⤵
PID:5732
- C:\Windows\zqrgbdsridqhglpehonef.exe
  zqrgbdsridqhglpehonef.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1916
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zqrgbdsridqhglpehonef.exe*."
    3⤵
    PID:4908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
1⤵
PID:1824
- C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
  C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
  2⤵
  PID:2336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe .
1⤵
PID:3432
- C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:952
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\dqnypnytgxgtoppaz.exe*."
    3⤵
    PID:1660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe
1⤵
PID:5464
- C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe
  C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe
  2⤵
  PID:4520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe .
1⤵
PID:4624
- C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:6012
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\maykcbnjxpznjlmyyc.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wieoeblfrhpbvvue.exe
1⤵
PID:5192
- C:\Windows\wieoeblfrhpbvvue.exe
  wieoeblfrhpbvvue.exe
  2⤵
  PID:3788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c maykcbnjxpznjlmyyc.exe .
1⤵
PID:5820
- C:\Windows\maykcbnjxpznjlmyyc.exe
  maykcbnjxpznjlmyyc.exe .
  2⤵
  PID:4132
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\maykcbnjxpznjlmyyc.exe*."
    3⤵
    PID:4948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xmlyrrebqjujgjlyzeb.exe
1⤵
PID:1472
- C:\Windows\xmlyrrebqjujgjlyzeb.exe
  xmlyrrebqjujgjlyzeb.exe
  2⤵
  PID:4700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kaaoijxvlfrhfjmacigw.exe .
1⤵
PID:5968
- C:\Windows\kaaoijxvlfrhfjmacigw.exe
  kaaoijxvlfrhfjmacigw.exe .
  2⤵
  PID:5588
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\kaaoijxvlfrhfjmacigw.exe*."
    3⤵
    PID:4196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
1⤵
PID:4776
- C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
  C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
  2⤵
  PID:5608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe .
1⤵
PID:5576
- C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
  C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe .
  2⤵
  PID:5056
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\kaaoijxvlfrhfjmacigw.exe*."
    3⤵
    PID:1924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe
1⤵
PID:5656
- C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe
  C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe
  2⤵
  PID:5648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe .
1⤵
PID:2896
- C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe
  C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe .
  2⤵
  PID:5452
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zqrgbdsridqhglpehonef.exe*."
    3⤵
    PID:4500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dqnypnytgxgtoppaz.exe
1⤵
PID:3324
- C:\Windows\dqnypnytgxgtoppaz.exe
  dqnypnytgxgtoppaz.exe
  2⤵
  PID:5500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqrgbdsridqhglpehonef.exe .
1⤵
PID:1020
- C:\Windows\zqrgbdsridqhglpehonef.exe
  zqrgbdsridqhglpehonef.exe .
  2⤵
  PID:1224
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zqrgbdsridqhglpehonef.exe*."
    3⤵
    PID:3392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kaaoijxvlfrhfjmacigw.exe
1⤵
PID:1336
- C:\Windows\kaaoijxvlfrhfjmacigw.exe
  kaaoijxvlfrhfjmacigw.exe
  2⤵
  PID:3800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wieoeblfrhpbvvue.exe .
1⤵
PID:3364
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:540
- C:\Windows\wieoeblfrhpbvvue.exe
  wieoeblfrhpbvvue.exe .
  2⤵
  PID:2284
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\wieoeblfrhpbvvue.exe*."
    3⤵
    PID:1556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
1⤵
PID:4440
- C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
  C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
  2⤵
  PID:220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe .
1⤵
PID:1484
- C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
  C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe .
  2⤵
  PID:2012
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\xmlyrrebqjujgjlyzeb.exe*."
    3⤵
    PID:2040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
1⤵
PID:5136
- C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
  C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
  2⤵
  PID:5816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe .
1⤵
PID:4316
- C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
  C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe .
  2⤵
  PID:1904
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\kaaoijxvlfrhfjmacigw.exe*."
    3⤵
    PID:1052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dqnypnytgxgtoppaz.exe
1⤵
PID:3560
- C:\Windows\dqnypnytgxgtoppaz.exe
  dqnypnytgxgtoppaz.exe
  2⤵
  PID:5316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kaaoijxvlfrhfjmacigw.exe .
1⤵
PID:5972
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1660
- C:\Windows\kaaoijxvlfrhfjmacigw.exe
  kaaoijxvlfrhfjmacigw.exe .
  2⤵
  PID:400
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\kaaoijxvlfrhfjmacigw.exe*."
    3⤵
    PID:1680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c maykcbnjxpznjlmyyc.exe
1⤵
PID:4612
- C:\Windows\maykcbnjxpznjlmyyc.exe
  maykcbnjxpznjlmyyc.exe
  2⤵
  PID:2024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dqnypnytgxgtoppaz.exe .
1⤵
PID:1244
- C:\Windows\dqnypnytgxgtoppaz.exe
  dqnypnytgxgtoppaz.exe .
  2⤵
  PID:1404
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\dqnypnytgxgtoppaz.exe*."
    3⤵
    PID:5924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe
1⤵
PID:4540
- C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe
  2⤵
  PID:4716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe .
1⤵
PID:2308
- C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe .
  2⤵
  PID:1664
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\maykcbnjxpznjlmyyc.exe*."
    3⤵
    PID:1348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
1⤵
PID:2716
- C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
  C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
  2⤵
  PID:572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe .
1⤵
PID:1416
- C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
  C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe .
  2⤵
  PID:3680
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\kaaoijxvlfrhfjmacigw.exe*."
    3⤵
    PID:5608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqrgbdsridqhglpehonef.exe
1⤵
PID:2924
- C:\Windows\zqrgbdsridqhglpehonef.exe
  zqrgbdsridqhglpehonef.exe
  2⤵
  PID:1344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kaaoijxvlfrhfjmacigw.exe .
1⤵
PID:4796
- C:\Windows\kaaoijxvlfrhfjmacigw.exe
  kaaoijxvlfrhfjmacigw.exe .
  2⤵
  PID:5100
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\kaaoijxvlfrhfjmacigw.exe*."
    3⤵
    PID:5596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c maykcbnjxpznjlmyyc.exe
1⤵
PID:5648
- C:\Windows\maykcbnjxpznjlmyyc.exe
  maykcbnjxpznjlmyyc.exe
  2⤵
  PID:1516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wieoeblfrhpbvvue.exe .
1⤵
PID:3796
- C:\Windows\wieoeblfrhpbvvue.exe
  wieoeblfrhpbvvue.exe .
  2⤵
  PID:2840
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\wieoeblfrhpbvvue.exe*."
    3⤵
    PID:3132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
1⤵
PID:2896
- C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
  C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
  2⤵
  PID:4836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe .
1⤵
PID:2356
- C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe .
  2⤵
  PID:2832
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\wieoeblfrhpbvvue.exe*."
    3⤵
    PID:2508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
1⤵
PID:2320
- C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
  C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
  2⤵
  PID:1020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe .
1⤵
PID:2872
- C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe
  C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe .
  2⤵
  PID:4652
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zqrgbdsridqhglpehonef.exe*."
    3⤵
    PID:4460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c maykcbnjxpznjlmyyc.exe
1⤵
PID:4440
- C:\Windows\maykcbnjxpznjlmyyc.exe
  maykcbnjxpznjlmyyc.exe
  2⤵
  PID:3472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kaaoijxvlfrhfjmacigw.exe .
1⤵
PID:3504
- C:\Windows\kaaoijxvlfrhfjmacigw.exe
  kaaoijxvlfrhfjmacigw.exe .
  2⤵
  PID:3376
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\kaaoijxvlfrhfjmacigw.exe*."
    3⤵
    PID:4620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqrgbdsridqhglpehonef.exe
1⤵
PID:3556
- C:\Windows\zqrgbdsridqhglpehonef.exe
  zqrgbdsridqhglpehonef.exe
  2⤵
  PID:2304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqrgbdsridqhglpehonef.exe .
1⤵
PID:876
- C:\Windows\zqrgbdsridqhglpehonef.exe
  zqrgbdsridqhglpehonef.exe .
  2⤵
  PID:4608
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zqrgbdsridqhglpehonef.exe*."
    3⤵
    PID:4264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe
1⤵
PID:1688
- C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe
  C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe
  2⤵
  PID:4908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe .
1⤵
PID:3856
- C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
  C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe .
  2⤵
  PID:4520
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\kaaoijxvlfrhfjmacigw.exe*."
    3⤵
    PID:4748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe
1⤵
PID:3136
- C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe
  C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe
  2⤵
  PID:2604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe .
1⤵
PID:4276
- C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe .
  2⤵
  PID:2944
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\wieoeblfrhpbvvue.exe*."
    3⤵
    PID:632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c maykcbnjxpznjlmyyc.exe
1⤵
PID:1404
- C:\Windows\maykcbnjxpznjlmyyc.exe
  maykcbnjxpznjlmyyc.exe
  2⤵
  PID:5068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqrgbdsridqhglpehonef.exe .
1⤵
PID:3424
- C:\Windows\zqrgbdsridqhglpehonef.exe
  zqrgbdsridqhglpehonef.exe .
  2⤵
  PID:3872
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zqrgbdsridqhglpehonef.exe*."
    3⤵
    PID:2256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dqnypnytgxgtoppaz.exe
1⤵
PID:3088
- C:\Windows\dqnypnytgxgtoppaz.exe
  dqnypnytgxgtoppaz.exe
  2⤵
  PID:4700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dqnypnytgxgtoppaz.exe .
1⤵
PID:5948
- C:\Windows\dqnypnytgxgtoppaz.exe
  dqnypnytgxgtoppaz.exe .
  2⤵
  PID:4912
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\dqnypnytgxgtoppaz.exe*."
    3⤵
    PID:4388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
1⤵
PID:2348
- C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
  C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
  2⤵
  PID:4448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe .
1⤵
PID:3056
- C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
  C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe .
  2⤵
  PID:5812
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\kaaoijxvlfrhfjmacigw.exe*."
    3⤵
    PID:4300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kaaoijxvlfrhfjmacigw.exe
1⤵
PID:6140
- C:\Windows\kaaoijxvlfrhfjmacigw.exe
  kaaoijxvlfrhfjmacigw.exe
  2⤵
  PID:4268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqrgbdsridqhglpehonef.exe .
1⤵
PID:4796
- C:\Windows\zqrgbdsridqhglpehonef.exe
  zqrgbdsridqhglpehonef.exe .
  2⤵
  PID:2840
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zqrgbdsridqhglpehonef.exe*."
    3⤵
    PID:1120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
1⤵
PID:3928
- C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
  C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
  2⤵
  PID:2268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c maykcbnjxpznjlmyyc.exe
1⤵
PID:1644
- C:\Windows\maykcbnjxpznjlmyyc.exe
  maykcbnjxpznjlmyyc.exe
  2⤵
  PID:1212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe .
1⤵
PID:3904
- C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe .
  2⤵
  PID:2788
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\wieoeblfrhpbvvue.exe*."
    3⤵
    PID:2748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kaaoijxvlfrhfjmacigw.exe
1⤵
PID:4740
- C:\Windows\kaaoijxvlfrhfjmacigw.exe
  kaaoijxvlfrhfjmacigw.exe
  2⤵
  PID:5832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xmlyrrebqjujgjlyzeb.exe .
1⤵
PID:2832
- C:\Windows\xmlyrrebqjujgjlyzeb.exe
  xmlyrrebqjujgjlyzeb.exe .
  2⤵
  PID:4524
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\xmlyrrebqjujgjlyzeb.exe*."
    3⤵
    PID:2896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqrgbdsridqhglpehonef.exe .
1⤵
PID:4728
- C:\Windows\zqrgbdsridqhglpehonef.exe
  zqrgbdsridqhglpehonef.exe .
  2⤵
  PID:3508
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zqrgbdsridqhglpehonef.exe*."
    3⤵
    PID:5316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
1⤵
PID:2912
- C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
  C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
  2⤵
  PID:4296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xmlyrrebqjujgjlyzeb.exe
1⤵
PID:552
- C:\Windows\xmlyrrebqjujgjlyzeb.exe
  xmlyrrebqjujgjlyzeb.exe
  2⤵
  PID:3424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe .
1⤵
PID:4896
- C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe
  C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe .
  2⤵
  PID:1688
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zqrgbdsridqhglpehonef.exe*."
    3⤵
    PID:1936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xmlyrrebqjujgjlyzeb.exe .
1⤵
PID:4880
- C:\Windows\xmlyrrebqjujgjlyzeb.exe
  xmlyrrebqjujgjlyzeb.exe .
  2⤵
  PID:2652
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\xmlyrrebqjujgjlyzeb.exe*."
    3⤵
    PID:4300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
1⤵
PID:6024
- C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
  C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
  2⤵
  PID:6012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
1⤵
PID:2644
- C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
  C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
  2⤵
  PID:4972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe .
1⤵
PID:3504
- C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
  C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe .
  2⤵
  PID:4084
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\kaaoijxvlfrhfjmacigw.exe*."
    3⤵
    PID:3824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe .
1⤵
PID:996
- C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
  C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe .
  2⤵
  PID:5992
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\kaaoijxvlfrhfjmacigw.exe*."
    3⤵
    PID:5072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqrgbdsridqhglpehonef.exe
1⤵
PID:3864
- C:\Windows\zqrgbdsridqhglpehonef.exe
  zqrgbdsridqhglpehonef.exe
  2⤵
  PID:3908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dqnypnytgxgtoppaz.exe .
1⤵
PID:3432
- C:\Windows\dqnypnytgxgtoppaz.exe
  dqnypnytgxgtoppaz.exe .
  2⤵
  PID:4508
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\dqnypnytgxgtoppaz.exe*."
    3⤵
    PID:4380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
1⤵
PID:4520
- C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
  C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
  2⤵
  PID:1504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe .
1⤵
PID:3696
- C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe
  C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe .
  2⤵
  PID:3288
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zqrgbdsridqhglpehonef.exe*."
    3⤵
    PID:4700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kaaoijxvlfrhfjmacigw.exe
1⤵
PID:4716
- C:\Windows\kaaoijxvlfrhfjmacigw.exe
  kaaoijxvlfrhfjmacigw.exe
  2⤵
  PID:3552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kaaoijxvlfrhfjmacigw.exe .
1⤵
PID:5688
- C:\Windows\kaaoijxvlfrhfjmacigw.exe
  kaaoijxvlfrhfjmacigw.exe .
  2⤵
  PID:1960
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\kaaoijxvlfrhfjmacigw.exe*."
    3⤵
    PID:4912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe
1⤵
PID:4948
- C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe
  2⤵
  PID:5736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe .
1⤵
PID:4004
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:468
- C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe .
  2⤵
  PID:2924
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\maykcbnjxpznjlmyyc.exe*."
    3⤵
    PID:5056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe
1⤵
PID:4228
- C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe
  C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe
  2⤵
  PID:5040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe .
1⤵
PID:6072
- C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
  C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe .
  2⤵
  PID:676
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\xmlyrrebqjujgjlyzeb.exe*."
    3⤵
    PID:2080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xmlyrrebqjujgjlyzeb.exe
1⤵
PID:5376
- C:\Windows\xmlyrrebqjujgjlyzeb.exe
  xmlyrrebqjujgjlyzeb.exe
  2⤵
  PID:5664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kaaoijxvlfrhfjmacigw.exe .
1⤵
PID:1644
- C:\Windows\kaaoijxvlfrhfjmacigw.exe
  kaaoijxvlfrhfjmacigw.exe .
  2⤵
  PID:3380
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\kaaoijxvlfrhfjmacigw.exe*."
    3⤵
    PID:2824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kaaoijxvlfrhfjmacigw.exe
1⤵
PID:2232
- C:\Windows\kaaoijxvlfrhfjmacigw.exe
  kaaoijxvlfrhfjmacigw.exe
  2⤵
  PID:3796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wieoeblfrhpbvvue.exe .
1⤵
PID:60
- C:\Windows\wieoeblfrhpbvvue.exe
  wieoeblfrhpbvvue.exe .
  2⤵
  PID:4608
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\wieoeblfrhpbvvue.exe*."
    3⤵
    PID:952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
1⤵
PID:3948
- C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
  C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
  2⤵
  PID:1628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe .
1⤵
PID:3800
- C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe .
  2⤵
  PID:3100
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\wieoeblfrhpbvvue.exe*."
    3⤵
    PID:4084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
1⤵
PID:4460
- C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
  2⤵
  PID:2356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe .
1⤵
PID:3500
- C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe .
  2⤵
  PID:3472
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\wieoeblfrhpbvvue.exe*."
    3⤵
    PID:2280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xmlyrrebqjujgjlyzeb.exe
1⤵
PID:5144
- C:\Windows\xmlyrrebqjujgjlyzeb.exe
  xmlyrrebqjujgjlyzeb.exe
  2⤵
  PID:3652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kaaoijxvlfrhfjmacigw.exe .
1⤵
PID:1788
- C:\Windows\kaaoijxvlfrhfjmacigw.exe
  kaaoijxvlfrhfjmacigw.exe .
  2⤵
  PID:572
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\kaaoijxvlfrhfjmacigw.exe*."
    3⤵
    PID:5224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dqnypnytgxgtoppaz.exe
1⤵
PID:3412
- C:\Windows\dqnypnytgxgtoppaz.exe
  dqnypnytgxgtoppaz.exe
  2⤵
  PID:5464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c maykcbnjxpznjlmyyc.exe .
1⤵
PID:1916
- C:\Windows\maykcbnjxpznjlmyyc.exe
  maykcbnjxpznjlmyyc.exe .
  2⤵
  PID:5780
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\maykcbnjxpznjlmyyc.exe*."
    3⤵
    PID:5924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe
1⤵
PID:4248
- C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe
  C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe
  2⤵
  PID:4468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe .
1⤵
PID:3608
- C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe .
  2⤵
  PID:2680
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\wieoeblfrhpbvvue.exe*."
    3⤵
    PID:4964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
1⤵
PID:3348
- C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
  C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
  2⤵
  PID:5100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe .
1⤵
PID:4344
- C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe .
  2⤵
  PID:5108
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\maykcbnjxpznjlmyyc.exe*."
    3⤵
    PID:1420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dqnypnytgxgtoppaz.exe
1⤵
PID:4056
- C:\Windows\dqnypnytgxgtoppaz.exe
  dqnypnytgxgtoppaz.exe
  2⤵
  PID:4840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xmlyrrebqjujgjlyzeb.exe .
1⤵
PID:4740
- C:\Windows\xmlyrrebqjujgjlyzeb.exe
  xmlyrrebqjujgjlyzeb.exe .
  2⤵
  PID:2364
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\xmlyrrebqjujgjlyzeb.exe*."
    3⤵
    PID:2244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xmlyrrebqjujgjlyzeb.exe
1⤵
PID:4836
- C:\Windows\xmlyrrebqjujgjlyzeb.exe
  xmlyrrebqjujgjlyzeb.exe
  2⤵
  PID:3664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqrgbdsridqhglpehonef.exe .
1⤵
PID:1484
- C:\Windows\zqrgbdsridqhglpehonef.exe
  zqrgbdsridqhglpehonef.exe .
  2⤵
  PID:4904
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zqrgbdsridqhglpehonef.exe*."
    3⤵
    PID:724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe
1⤵
PID:5764
- C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe
  2⤵
  PID:1904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe .
1⤵
PID:2344
- C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe .
  2⤵
  PID:5728
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\wieoeblfrhpbvvue.exe*."
    3⤵
    PID:60

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
1⤵
PID:4888
- C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
  C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
  2⤵
  PID:4084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe .
1⤵
PID:1444
- C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe .
  2⤵
  PID:3324
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\maykcbnjxpznjlmyyc.exe*."
    3⤵
    PID:4568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wieoeblfrhpbvvue.exe
1⤵
PID:1504
- C:\Windows\wieoeblfrhpbvvue.exe
  wieoeblfrhpbvvue.exe
  2⤵
  PID:4520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kaaoijxvlfrhfjmacigw.exe .
1⤵
PID:1832
- C:\Windows\kaaoijxvlfrhfjmacigw.exe
  kaaoijxvlfrhfjmacigw.exe .
  2⤵
  PID:3688
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\kaaoijxvlfrhfjmacigw.exe*."
    3⤵
    PID:4288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wieoeblfrhpbvvue.exe
1⤵
PID:2572
- C:\Windows\wieoeblfrhpbvvue.exe
  wieoeblfrhpbvvue.exe
  2⤵
  PID:1472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xmlyrrebqjujgjlyzeb.exe .
1⤵
PID:3620
- C:\Windows\xmlyrrebqjujgjlyzeb.exe
  xmlyrrebqjujgjlyzeb.exe .
  2⤵
  PID:436
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\xmlyrrebqjujgjlyzeb.exe*."
    3⤵
    PID:4484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
1⤵
PID:2724
- C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
  C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
  2⤵
  PID:2736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe .
1⤵
PID:3136
- C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe .
  2⤵
  PID:5792
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\wieoeblfrhpbvvue.exe*."
    3⤵
    PID:5056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe
1⤵
PID:1648
- C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe
  2⤵
  PID:4008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe .
1⤵
PID:968
- C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
  C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe .
  2⤵
  PID:2272
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\kaaoijxvlfrhfjmacigw.exe*."
    3⤵
    PID:1524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wieoeblfrhpbvvue.exe
1⤵
PID:5400
- C:\Windows\wieoeblfrhpbvvue.exe
  wieoeblfrhpbvvue.exe
  2⤵
  PID:1176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c maykcbnjxpznjlmyyc.exe .
1⤵
PID:5152
- C:\Windows\maykcbnjxpznjlmyyc.exe
  maykcbnjxpznjlmyyc.exe .
  2⤵
  PID:5604
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\maykcbnjxpznjlmyyc.exe*."
    3⤵
    PID:1336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c maykcbnjxpznjlmyyc.exe
1⤵
PID:4024
- C:\Windows\maykcbnjxpznjlmyyc.exe
  maykcbnjxpznjlmyyc.exe
  2⤵
  PID:5712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dqnypnytgxgtoppaz.exe .
1⤵
PID:3328
- C:\Windows\dqnypnytgxgtoppaz.exe
  dqnypnytgxgtoppaz.exe .
  2⤵
  PID:4740
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\dqnypnytgxgtoppaz.exe*."
    3⤵
    PID:4292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe
1⤵
PID:4780
- C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe
  2⤵
  PID:2208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe .
1⤵
PID:3904
- C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe .
  2⤵
  PID:4904
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\wieoeblfrhpbvvue.exe*."
    3⤵
    PID:2232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe
1⤵
PID:5424
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:6076
- C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe
  2⤵
  PID:1332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe .
1⤵
PID:6012
- C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe .
  2⤵
  PID:452
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\dqnypnytgxgtoppaz.exe*."
    3⤵
    PID:5956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dqnypnytgxgtoppaz.exe
1⤵
PID:4500
- C:\Windows\dqnypnytgxgtoppaz.exe
  dqnypnytgxgtoppaz.exe
  2⤵
  PID:4412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wieoeblfrhpbvvue.exe
1⤵
PID:1444
- C:\Windows\wieoeblfrhpbvvue.exe
  wieoeblfrhpbvvue.exe
  2⤵
  PID:3552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xmlyrrebqjujgjlyzeb.exe .
1⤵
PID:4924
- C:\Windows\xmlyrrebqjujgjlyzeb.exe
  xmlyrrebqjujgjlyzeb.exe .
  2⤵
  PID:4480
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\xmlyrrebqjujgjlyzeb.exe*."
    3⤵
    PID:996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kaaoijxvlfrhfjmacigw.exe .
1⤵
PID:6016
- C:\Windows\kaaoijxvlfrhfjmacigw.exe
  kaaoijxvlfrhfjmacigw.exe .
  2⤵
  PID:3944
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\kaaoijxvlfrhfjmacigw.exe*."
    3⤵
    PID:3412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c maykcbnjxpznjlmyyc.exe
1⤵
PID:1160
- C:\Windows\maykcbnjxpznjlmyyc.exe
  maykcbnjxpznjlmyyc.exe
  2⤵
  PID:5040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c maykcbnjxpznjlmyyc.exe
1⤵
PID:1872
- C:\Windows\maykcbnjxpznjlmyyc.exe
  maykcbnjxpznjlmyyc.exe
  2⤵
  PID:4568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wieoeblfrhpbvvue.exe .
1⤵
PID:4496
- C:\Windows\wieoeblfrhpbvvue.exe
  wieoeblfrhpbvvue.exe .
  2⤵
  PID:5848
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\wieoeblfrhpbvvue.exe*."
    3⤵
    PID:868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dqnypnytgxgtoppaz.exe
1⤵
PID:4356
- C:\Windows\dqnypnytgxgtoppaz.exe
  dqnypnytgxgtoppaz.exe
  2⤵
  PID:4244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dqnypnytgxgtoppaz.exe .
1⤵
PID:5068
- C:\Windows\dqnypnytgxgtoppaz.exe
  dqnypnytgxgtoppaz.exe .
  2⤵
  PID:2788
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\dqnypnytgxgtoppaz.exe*."
    3⤵
    PID:3644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
1⤵
PID:2668
- C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
  2⤵
  PID:2636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c maykcbnjxpznjlmyyc.exe .
1⤵
PID:1616
- C:\Windows\maykcbnjxpznjlmyyc.exe
  maykcbnjxpznjlmyyc.exe .
  2⤵
  PID:5856
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\maykcbnjxpznjlmyyc.exe*."
    3⤵
    PID:3904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
1⤵
PID:1588
- C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
  C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
  2⤵
  PID:5664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe .
1⤵
PID:3940
- C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe .
  2⤵
  PID:4780
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\wieoeblfrhpbvvue.exe*."
    3⤵
    PID:3400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe .
1⤵
PID:3060
- C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe
  C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe .
  2⤵
  PID:4836
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zqrgbdsridqhglpehonef.exe*."
    3⤵
    PID:3916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kaaoijxvlfrhfjmacigw.exe
1⤵
PID:4320
- C:\Windows\kaaoijxvlfrhfjmacigw.exe
  kaaoijxvlfrhfjmacigw.exe
  2⤵
  PID:1644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqrgbdsridqhglpehonef.exe .
1⤵
PID:4964
- C:\Windows\zqrgbdsridqhglpehonef.exe
  zqrgbdsridqhglpehonef.exe .
  2⤵
  PID:3548
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zqrgbdsridqhglpehonef.exe*."
    3⤵
    PID:3124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
1⤵
PID:2272
- C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
  C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
  2⤵
  PID:3392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
1⤵
PID:1320
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2228
- C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
  C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
  2⤵
  PID:3796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe
1⤵
PID:968
- C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe
  2⤵
  PID:388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe .
1⤵
PID:3844
- C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe .
  2⤵
  PID:6140
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\dqnypnytgxgtoppaz.exe*."
    3⤵
    PID:1448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe .
1⤵
PID:1176
- C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe
  C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe .
  2⤵
  PID:4584
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zqrgbdsridqhglpehonef.exe*."
    3⤵
    PID:5364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe .
1⤵
PID:5556
- C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe .
  2⤵
  PID:5828
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\dqnypnytgxgtoppaz.exe*."
    3⤵
    PID:1788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
1⤵
PID:3564
- C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
  C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
  2⤵
  PID:5816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe .
1⤵
PID:952
- C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
  C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe .
  2⤵
  PID:4316
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\xmlyrrebqjujgjlyzeb.exe*."
    3⤵
    PID:4280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wieoeblfrhpbvvue.exe
1⤵
PID:2724
- C:\Windows\wieoeblfrhpbvvue.exe
  wieoeblfrhpbvvue.exe
  2⤵
  PID:4132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dqnypnytgxgtoppaz.exe .
1⤵
PID:5772
- C:\Windows\dqnypnytgxgtoppaz.exe
  dqnypnytgxgtoppaz.exe .
  2⤵
  PID:1036
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\dqnypnytgxgtoppaz.exe*."
    3⤵
    PID:4552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c maykcbnjxpznjlmyyc.exe
1⤵
PID:1968
- C:\Windows\maykcbnjxpznjlmyyc.exe
  maykcbnjxpznjlmyyc.exe
  2⤵
  PID:1244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqrgbdsridqhglpehonef.exe .
1⤵
PID:4912
- C:\Windows\zqrgbdsridqhglpehonef.exe
  zqrgbdsridqhglpehonef.exe .
  2⤵
  PID:1040
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zqrgbdsridqhglpehonef.exe*."
    3⤵
    PID:2336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe
1⤵
PID:1548
- C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe
  2⤵
  PID:6116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe .
1⤵
PID:2260
- C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe .
  2⤵
  PID:4740
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\maykcbnjxpznjlmyyc.exe*."
    3⤵
    PID:3744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe
1⤵
PID:3508
- C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe
  2⤵
  PID:5104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe .
1⤵
PID:3796
- C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
  C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe .
  2⤵
  PID:3400
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\kaaoijxvlfrhfjmacigw.exe*."
    3⤵
    PID:2232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c maykcbnjxpznjlmyyc.exe
1⤵
PID:6088
- C:\Windows\maykcbnjxpznjlmyyc.exe
  maykcbnjxpznjlmyyc.exe
  2⤵
  PID:4308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xmlyrrebqjujgjlyzeb.exe .
1⤵
PID:3504
- C:\Windows\xmlyrrebqjujgjlyzeb.exe
  xmlyrrebqjujgjlyzeb.exe .
  2⤵
  PID:1416
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\xmlyrrebqjujgjlyzeb.exe*."
    3⤵
    PID:2680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dqnypnytgxgtoppaz.exe
1⤵
PID:4344
- C:\Windows\dqnypnytgxgtoppaz.exe
  dqnypnytgxgtoppaz.exe
  2⤵
  PID:4236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wieoeblfrhpbvvue.exe .
1⤵
PID:1796
- C:\Windows\wieoeblfrhpbvvue.exe
  wieoeblfrhpbvvue.exe .
  2⤵
  PID:6100
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\wieoeblfrhpbvvue.exe*."
    3⤵
    PID:60

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
1⤵
PID:4488
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:6076
- C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
  C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
  2⤵
  PID:1224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe .
1⤵
PID:452
- C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe .
  2⤵
  PID:5364
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\maykcbnjxpznjlmyyc.exe*."
    3⤵
    PID:4316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe
1⤵
PID:5624
- C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe
  2⤵
  PID:3544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe .
1⤵
PID:5700
- C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
  C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe .
  2⤵
  PID:5832
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\xmlyrrebqjujgjlyzeb.exe*."
    3⤵
    PID:4020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wieoeblfrhpbvvue.exe
1⤵
PID:2256
- C:\Windows\wieoeblfrhpbvvue.exe
  wieoeblfrhpbvvue.exe
  2⤵
  PID:952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqrgbdsridqhglpehonef.exe .
1⤵
PID:2192
- C:\Windows\zqrgbdsridqhglpehonef.exe
  zqrgbdsridqhglpehonef.exe .
  2⤵
  PID:4092
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zqrgbdsridqhglpehonef.exe*."
    3⤵
    PID:4808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kaaoijxvlfrhfjmacigw.exe
1⤵
PID:1912
- C:\Windows\kaaoijxvlfrhfjmacigw.exe
  kaaoijxvlfrhfjmacigw.exe
  2⤵
  PID:996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xmlyrrebqjujgjlyzeb.exe .
1⤵
PID:4976
- C:\Windows\xmlyrrebqjujgjlyzeb.exe
  xmlyrrebqjujgjlyzeb.exe .
  2⤵
  PID:5432
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\xmlyrrebqjujgjlyzeb.exe*."
    3⤵
    PID:5040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
1⤵
PID:3572
- C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
  2⤵
  PID:5992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe .
1⤵
PID:1824
- C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe .
  2⤵
  PID:4552
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\wieoeblfrhpbvvue.exe*."
    3⤵
    PID:2968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe
1⤵
PID:1244
- C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe
  2⤵
  PID:2636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe .
1⤵
PID:2948
- C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
  C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe .
  2⤵
  PID:4220
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\kaaoijxvlfrhfjmacigw.exe*."
    3⤵
    PID:5688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kaaoijxvlfrhfjmacigw.exe
1⤵
PID:1636
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2012
- C:\Windows\kaaoijxvlfrhfjmacigw.exe
  kaaoijxvlfrhfjmacigw.exe
  2⤵
  PID:3392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kaaoijxvlfrhfjmacigw.exe .
1⤵
PID:5936
- C:\Windows\kaaoijxvlfrhfjmacigw.exe
  kaaoijxvlfrhfjmacigw.exe .
  2⤵
  PID:5752
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\kaaoijxvlfrhfjmacigw.exe*."
    3⤵
    PID:388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqrgbdsridqhglpehonef.exe
1⤵
PID:4484
- C:\Windows\zqrgbdsridqhglpehonef.exe
  zqrgbdsridqhglpehonef.exe
  2⤵
  PID:3796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c maykcbnjxpznjlmyyc.exe .
1⤵
PID:3636
- C:\Windows\maykcbnjxpznjlmyyc.exe
  maykcbnjxpznjlmyyc.exe .
  2⤵
  PID:1556
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\maykcbnjxpznjlmyyc.exe*."
    3⤵
    PID:2628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
1⤵
PID:2736
- C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
  2⤵
  PID:4692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe .
1⤵
PID:4440
- C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe .
  2⤵
  PID:5280
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\dqnypnytgxgtoppaz.exe*."
    3⤵
    PID:2924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe
1⤵
PID:776
- C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe
  2⤵
  PID:3408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe .
1⤵
PID:5748
- C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe .
  2⤵
  PID:1320
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\wieoeblfrhpbvvue.exe*."
    3⤵
    PID:6140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kaaoijxvlfrhfjmacigw.exe
1⤵
PID:2344
- C:\Windows\kaaoijxvlfrhfjmacigw.exe
  kaaoijxvlfrhfjmacigw.exe
  2⤵
  PID:2932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dqnypnytgxgtoppaz.exe .
1⤵
PID:4476
- C:\Windows\dqnypnytgxgtoppaz.exe
  dqnypnytgxgtoppaz.exe .
  2⤵
  PID:3916
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\dqnypnytgxgtoppaz.exe*."
    3⤵
    PID:3612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c maykcbnjxpznjlmyyc.exe
1⤵
PID:5136
- C:\Windows\maykcbnjxpznjlmyyc.exe
  maykcbnjxpznjlmyyc.exe
  2⤵
  PID:552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqrgbdsridqhglpehonef.exe .
1⤵
PID:4280
- C:\Windows\zqrgbdsridqhglpehonef.exe
  zqrgbdsridqhglpehonef.exe .
  2⤵
  PID:2524
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zqrgbdsridqhglpehonef.exe*."
    3⤵
    PID:5152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
1⤵
PID:2232
- C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
  C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
  2⤵
  PID:2208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe .
1⤵
PID:632
- C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
  C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe .
  2⤵
  PID:1336
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\kaaoijxvlfrhfjmacigw.exe*."
    3⤵
    PID:1792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
1⤵
PID:5760
- C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
  C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
  2⤵
  PID:2752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe .
1⤵
PID:5148
- C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe .
  2⤵
  PID:996
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\dqnypnytgxgtoppaz.exe*."
    3⤵
    PID:2708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dqnypnytgxgtoppaz.exe
1⤵
PID:3572
- C:\Windows\dqnypnytgxgtoppaz.exe
  dqnypnytgxgtoppaz.exe
  2⤵
  PID:4288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqrgbdsridqhglpehonef.exe
1⤵
PID:5820
- C:\Windows\zqrgbdsridqhglpehonef.exe
  zqrgbdsridqhglpehonef.exe
  2⤵
  PID:1192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kaaoijxvlfrhfjmacigw.exe .
1⤵
PID:3872
- C:\Windows\kaaoijxvlfrhfjmacigw.exe
  kaaoijxvlfrhfjmacigw.exe .
  2⤵
  PID:5292
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\kaaoijxvlfrhfjmacigw.exe*."
    3⤵
    PID:2948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wieoeblfrhpbvvue.exe .
1⤵
PID:5064
- C:\Windows\wieoeblfrhpbvvue.exe
  wieoeblfrhpbvvue.exe .
  2⤵
  PID:2200
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\wieoeblfrhpbvvue.exe*."
    3⤵
    PID:644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c maykcbnjxpznjlmyyc.exe
1⤵
PID:4520
- C:\Windows\maykcbnjxpznjlmyyc.exe
  maykcbnjxpznjlmyyc.exe
  2⤵
  PID:1580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kaaoijxvlfrhfjmacigw.exe
1⤵
PID:2300
- C:\Windows\kaaoijxvlfrhfjmacigw.exe
  kaaoijxvlfrhfjmacigw.exe
  2⤵
  PID:5792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c maykcbnjxpznjlmyyc.exe .
1⤵
PID:4624
- C:\Windows\maykcbnjxpznjlmyyc.exe
  maykcbnjxpznjlmyyc.exe .
  2⤵
  PID:2628
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\maykcbnjxpznjlmyyc.exe*."
    3⤵
    PID:3844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dqnypnytgxgtoppaz.exe .
1⤵
PID:4272
- C:\Windows\dqnypnytgxgtoppaz.exe
  dqnypnytgxgtoppaz.exe .
  2⤵
  PID:4948
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\dqnypnytgxgtoppaz.exe*."
    3⤵
    PID:4588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
1⤵
PID:1872
- C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
  2⤵
  PID:5856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xmlyrrebqjujgjlyzeb.exe
1⤵
PID:4164
- C:\Windows\xmlyrrebqjujgjlyzeb.exe
  xmlyrrebqjujgjlyzeb.exe
  2⤵
  PID:6116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe
1⤵
PID:1472
- C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe
  2⤵
  PID:1348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe .
1⤵
PID:760
- C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe .
  2⤵
  PID:5364
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\maykcbnjxpznjlmyyc.exe*."
    3⤵
    PID:4844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe .
1⤵
PID:388
- C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe .
  2⤵
  PID:3664
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\maykcbnjxpznjlmyyc.exe*."
    3⤵
    PID:5656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dqnypnytgxgtoppaz.exe .
1⤵
PID:6000
- C:\Windows\dqnypnytgxgtoppaz.exe
  dqnypnytgxgtoppaz.exe .
  2⤵
  PID:60
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\dqnypnytgxgtoppaz.exe*."
    3⤵
    PID:4280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe
1⤵
PID:4692
- C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe
  2⤵
  PID:5108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dqnypnytgxgtoppaz.exe
1⤵
PID:1556
- C:\Windows\dqnypnytgxgtoppaz.exe
  dqnypnytgxgtoppaz.exe
  2⤵
  PID:2632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
1⤵
PID:3552
- C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
  2⤵
  PID:5012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe .
1⤵
PID:5268
- C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe .
  2⤵
  PID:1448
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\maykcbnjxpznjlmyyc.exe*."
    3⤵
    PID:1976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dqnypnytgxgtoppaz.exe .
1⤵
PID:5732
- C:\Windows\dqnypnytgxgtoppaz.exe
  dqnypnytgxgtoppaz.exe .
  2⤵
  PID:3324
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\dqnypnytgxgtoppaz.exe*."
    3⤵
    PID:6020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe .
1⤵
PID:744
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4784
- C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
  C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe .
  2⤵
  PID:2244
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\kaaoijxvlfrhfjmacigw.exe*."
    3⤵
    PID:4448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
1⤵
PID:5688
- C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
  2⤵
  PID:1928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe .
1⤵
PID:3928
- C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe .
  2⤵
  PID:3608
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\dqnypnytgxgtoppaz.exe*."
    3⤵
    PID:1128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
1⤵
PID:5316
- C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
  2⤵
  PID:3288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe .
1⤵
PID:4888
- C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe .
  2⤵
  PID:3652
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\maykcbnjxpznjlmyyc.exe*."
    3⤵
    PID:1508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wieoeblfrhpbvvue.exe
1⤵
PID:572
- C:\Windows\wieoeblfrhpbvvue.exe
  wieoeblfrhpbvvue.exe
  2⤵
  PID:5820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kaaoijxvlfrhfjmacigw.exe .
1⤵
PID:5228
- C:\Windows\kaaoijxvlfrhfjmacigw.exe
  kaaoijxvlfrhfjmacigw.exe .
  2⤵
  PID:5304
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\kaaoijxvlfrhfjmacigw.exe*."
    3⤵
    PID:3872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wieoeblfrhpbvvue.exe
1⤵
PID:2280
- C:\Windows\wieoeblfrhpbvvue.exe
  wieoeblfrhpbvvue.exe
  2⤵
  PID:3328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kaaoijxvlfrhfjmacigw.exe .
1⤵
PID:1244
- C:\Windows\kaaoijxvlfrhfjmacigw.exe
  kaaoijxvlfrhfjmacigw.exe .
  2⤵
  PID:4568
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\kaaoijxvlfrhfjmacigw.exe*."
    3⤵
    PID:2572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
1⤵
PID:2188
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5792
- C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
  2⤵
  PID:2300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe .
1⤵
PID:3468
- C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
  C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe .
  2⤵
  PID:4596
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\xmlyrrebqjujgjlyzeb.exe*."
    3⤵
    PID:1428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
1⤵
PID:5856
- C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
  C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
  2⤵
  PID:1628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe .
1⤵
PID:3948
- C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
  C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe .
  2⤵
  PID:2344
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\xmlyrrebqjujgjlyzeb.exe*."
    3⤵
    PID:1648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dqnypnytgxgtoppaz.exe
1⤵
PID:2260
- C:\Windows\dqnypnytgxgtoppaz.exe
  dqnypnytgxgtoppaz.exe
  2⤵
  PID:5192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqrgbdsridqhglpehonef.exe .
1⤵
PID:2408
- C:\Windows\zqrgbdsridqhglpehonef.exe
  zqrgbdsridqhglpehonef.exe .
  2⤵
  PID:968
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zqrgbdsridqhglpehonef.exe*."
    3⤵
    PID:4832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wieoeblfrhpbvvue.exe
1⤵
PID:6076
- C:\Windows\wieoeblfrhpbvvue.exe
  wieoeblfrhpbvvue.exe
  2⤵
  PID:1956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dqnypnytgxgtoppaz.exe .
1⤵
PID:552
- C:\Windows\dqnypnytgxgtoppaz.exe
  dqnypnytgxgtoppaz.exe .
  2⤵
  PID:6140
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\dqnypnytgxgtoppaz.exe*."
    3⤵
    PID:1616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe
1⤵
PID:3664
- C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe
  2⤵
  PID:2716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe .
1⤵
PID:6072
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4924
- C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe .
  2⤵
  PID:1500
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\wieoeblfrhpbvvue.exe*."
    3⤵
    PID:2840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe
1⤵
PID:2028
- C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe
  2⤵
  PID:5640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe .
1⤵
PID:4300
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1680
- C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
  C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe .
  2⤵
  PID:4536
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\kaaoijxvlfrhfjmacigw.exe*."
    3⤵
    PID:4324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dqnypnytgxgtoppaz.exe
1⤵
PID:5444
- C:\Windows\dqnypnytgxgtoppaz.exe
  dqnypnytgxgtoppaz.exe
  2⤵
  PID:3288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c maykcbnjxpznjlmyyc.exe .
1⤵
PID:5632
- C:\Windows\maykcbnjxpznjlmyyc.exe
  maykcbnjxpznjlmyyc.exe .
  2⤵
  PID:4264
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\maykcbnjxpznjlmyyc.exe*."
    3⤵
    PID:2508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kaaoijxvlfrhfjmacigw.exe
1⤵
PID:4296
- C:\Windows\kaaoijxvlfrhfjmacigw.exe
  kaaoijxvlfrhfjmacigw.exe
  2⤵
  PID:3372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wieoeblfrhpbvvue.exe .
1⤵
PID:4900
- C:\Windows\wieoeblfrhpbvvue.exe
  wieoeblfrhpbvvue.exe .
  2⤵
  PID:744
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\wieoeblfrhpbvvue.exe*."
    3⤵
    PID:3744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
1⤵
PID:3348
- C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
  C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
  2⤵
  PID:3500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe .
1⤵
PID:2208
- C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe .
  2⤵
  PID:4068
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\wieoeblfrhpbvvue.exe*."
    3⤵
    PID:4304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
1⤵
PID:4888
- C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
  2⤵
  PID:3908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe .
1⤵
PID:1912
- C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe .
  2⤵
  PID:4568
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\dqnypnytgxgtoppaz.exe*."
    3⤵
    PID:5404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dqnypnytgxgtoppaz.exe
1⤵
PID:2736
- C:\Windows\dqnypnytgxgtoppaz.exe
  dqnypnytgxgtoppaz.exe
  2⤵
  PID:3408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c maykcbnjxpznjlmyyc.exe .
1⤵
PID:4520
- C:\Windows\maykcbnjxpznjlmyyc.exe
  maykcbnjxpznjlmyyc.exe .
  2⤵
  PID:3864
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\maykcbnjxpznjlmyyc.exe*."
    3⤵
    PID:5856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqrgbdsridqhglpehonef.exe
1⤵
PID:5956
- C:\Windows\zqrgbdsridqhglpehonef.exe
  zqrgbdsridqhglpehonef.exe
  2⤵
  PID:4972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xmlyrrebqjujgjlyzeb.exe .
1⤵
PID:3504
- C:\Windows\xmlyrrebqjujgjlyzeb.exe
  xmlyrrebqjujgjlyzeb.exe .
  2⤵
  PID:3948
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\xmlyrrebqjujgjlyzeb.exe*."
    3⤵
    PID:3380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
1⤵
PID:3904
- C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
  C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
  2⤵
  PID:2844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe .
1⤵
PID:4956
- C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe .
  2⤵
  PID:1492
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\dqnypnytgxgtoppaz.exe*."
    3⤵
    PID:1788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
1⤵
PID:5764
- C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
  C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
  2⤵
  PID:4292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe .
1⤵
PID:4216
- C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe .
  2⤵
  PID:6076
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\maykcbnjxpznjlmyyc.exe*."
    3⤵
    PID:4824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dqnypnytgxgtoppaz.exe
1⤵
PID:6008
- C:\Windows\dqnypnytgxgtoppaz.exe
  dqnypnytgxgtoppaz.exe
  2⤵
  PID:4600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wieoeblfrhpbvvue.exe .
1⤵
PID:3324
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1928
- C:\Windows\wieoeblfrhpbvvue.exe
  wieoeblfrhpbvvue.exe .
  2⤵
  PID:5320
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\wieoeblfrhpbvvue.exe*."
    3⤵
    PID:3556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dqnypnytgxgtoppaz.exe
1⤵
PID:2584
- C:\Windows\dqnypnytgxgtoppaz.exe
  dqnypnytgxgtoppaz.exe
  2⤵
  PID:1484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dqnypnytgxgtoppaz.exe .
1⤵
PID:2748
- C:\Windows\dqnypnytgxgtoppaz.exe
  dqnypnytgxgtoppaz.exe .
  2⤵
  PID:4896
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\dqnypnytgxgtoppaz.exe*."
    3⤵
    PID:4300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
1⤵
PID:3620
- C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
  2⤵
  PID:4500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe .
1⤵
PID:5480
- C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe .
  2⤵
  PID:3452
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\wieoeblfrhpbvvue.exe*."
    3⤵
    PID:4252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe
1⤵
PID:1132
- C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe
  C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe
  2⤵
  PID:6024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe .
1⤵
PID:3284
- C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe
  C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe .
  2⤵
  PID:4308
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zqrgbdsridqhglpehonef.exe*."
    3⤵
    PID:6100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kaaoijxvlfrhfjmacigw.exe
1⤵
PID:5588
- C:\Windows\kaaoijxvlfrhfjmacigw.exe
  kaaoijxvlfrhfjmacigw.exe
  2⤵
  PID:1712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqrgbdsridqhglpehonef.exe
1⤵
PID:5416
- C:\Windows\zqrgbdsridqhglpehonef.exe
  zqrgbdsridqhglpehonef.exe
  2⤵
  PID:5648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wieoeblfrhpbvvue.exe .
1⤵
PID:632
- C:\Windows\wieoeblfrhpbvvue.exe
  wieoeblfrhpbvvue.exe .
  2⤵
  PID:2280
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\wieoeblfrhpbvvue.exe*."
    3⤵
    PID:4288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xmlyrrebqjujgjlyzeb.exe .
1⤵
PID:1548
- C:\Windows\xmlyrrebqjujgjlyzeb.exe
  xmlyrrebqjujgjlyzeb.exe .
  2⤵
  PID:1412
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\xmlyrrebqjujgjlyzeb.exe*."
    3⤵
    PID:2188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dqnypnytgxgtoppaz.exe
1⤵
PID:3652
- C:\Windows\dqnypnytgxgtoppaz.exe
  dqnypnytgxgtoppaz.exe
  2⤵
  PID:5744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c maykcbnjxpznjlmyyc.exe
1⤵
PID:4984
- C:\Windows\maykcbnjxpznjlmyyc.exe
  maykcbnjxpznjlmyyc.exe
  2⤵
  PID:4388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kaaoijxvlfrhfjmacigw.exe .
1⤵
PID:5040
- C:\Windows\kaaoijxvlfrhfjmacigw.exe
  kaaoijxvlfrhfjmacigw.exe .
  2⤵
  PID:4496
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\kaaoijxvlfrhfjmacigw.exe*."
    3⤵
    PID:2628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dqnypnytgxgtoppaz.exe .
1⤵
PID:4888
- C:\Windows\dqnypnytgxgtoppaz.exe
  dqnypnytgxgtoppaz.exe .
  2⤵
  PID:5816
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\dqnypnytgxgtoppaz.exe*."
    3⤵
    PID:5728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe
1⤵
PID:220
- C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe
  C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe
  2⤵
  PID:4908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
1⤵
PID:5228
- C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
  2⤵
  PID:5108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe .
1⤵
PID:3636
- C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe .
  2⤵
  PID:5508
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\wieoeblfrhpbvvue.exe*."
    3⤵
    PID:6012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe .
1⤵
PID:3408
- C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe
  C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe .
  2⤵
  PID:4820
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zqrgbdsridqhglpehonef.exe*."
    3⤵
    PID:3468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dqnypnytgxgtoppaz.exe
1⤵
PID:4236
- C:\Windows\dqnypnytgxgtoppaz.exe
  dqnypnytgxgtoppaz.exe
  2⤵
  PID:5924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe
1⤵
PID:1960
- C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe
  2⤵
  PID:5668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe
1⤵
PID:1428
- C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe
  2⤵
  PID:5700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe .
1⤵
PID:5360
- C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe .
  2⤵
  PID:4684
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\wieoeblfrhpbvvue.exe*."
    3⤵
    PID:1812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe .
1⤵
PID:2836
- C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe .
  2⤵
  PID:4184
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\wieoeblfrhpbvvue.exe*."
    3⤵
    PID:1548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wieoeblfrhpbvvue.exe .
1⤵
PID:4588
- C:\Windows\wieoeblfrhpbvvue.exe
  wieoeblfrhpbvvue.exe .
  2⤵
  PID:4168
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\wieoeblfrhpbvvue.exe*."
    3⤵
    PID:5488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wieoeblfrhpbvvue.exe
1⤵
PID:4700
- C:\Windows\wieoeblfrhpbvvue.exe
  wieoeblfrhpbvvue.exe
  2⤵
  PID:2844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c maykcbnjxpznjlmyyc.exe .
1⤵
PID:1088
- C:\Windows\maykcbnjxpznjlmyyc.exe
  maykcbnjxpznjlmyyc.exe .
  2⤵
  PID:3548
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\maykcbnjxpznjlmyyc.exe*."
    3⤵
    PID:2992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe
1⤵
PID:4880
- C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe
  C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe
  2⤵
  PID:3664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe .
1⤵
PID:2716
- C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
  C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe .
  2⤵
  PID:1488
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\xmlyrrebqjujgjlyzeb.exe*."
    3⤵
    PID:4908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c maykcbnjxpznjlmyyc.exe
1⤵
PID:232
- C:\Windows\maykcbnjxpznjlmyyc.exe
  maykcbnjxpznjlmyyc.exe
  2⤵
  PID:5356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe
1⤵
PID:3024
- C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe
  2⤵
  PID:5420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe .
1⤵
PID:3524
- C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe .
  2⤵
  PID:3404
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\wieoeblfrhpbvvue.exe*."
    3⤵
    PID:2072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqrgbdsridqhglpehonef.exe .
1⤵
PID:2760
- C:\Windows\zqrgbdsridqhglpehonef.exe
  zqrgbdsridqhglpehonef.exe .
  2⤵
  PID:2824
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zqrgbdsridqhglpehonef.exe*."
    3⤵
    PID:2984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kaaoijxvlfrhfjmacigw.exe
1⤵
PID:5424
- C:\Windows\kaaoijxvlfrhfjmacigw.exe
  kaaoijxvlfrhfjmacigw.exe
  2⤵
  PID:3360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xmlyrrebqjujgjlyzeb.exe .
1⤵
PID:5480
- C:\Windows\xmlyrrebqjujgjlyzeb.exe
  xmlyrrebqjujgjlyzeb.exe .
  2⤵
  PID:5732
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\xmlyrrebqjujgjlyzeb.exe*."
    3⤵
    PID:5860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe
1⤵
PID:4264
- C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe
  2⤵
  PID:6088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe .
1⤵
PID:3944
- C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe .
  2⤵
  PID:2924
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\maykcbnjxpznjlmyyc.exe*."
    3⤵
    PID:3376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
1⤵
PID:3372
- C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
  C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
  2⤵
  PID:3652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe .
1⤵
PID:5276
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1904
- C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe .
  2⤵
  PID:5748
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\wieoeblfrhpbvvue.exe*."
    3⤵
    PID:4972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dqnypnytgxgtoppaz.exe
1⤵
PID:3292
- C:\Windows\dqnypnytgxgtoppaz.exe
  dqnypnytgxgtoppaz.exe
  2⤵
  PID:2708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xmlyrrebqjujgjlyzeb.exe .
1⤵
PID:1792
- C:\Windows\xmlyrrebqjujgjlyzeb.exe
  xmlyrrebqjujgjlyzeb.exe .
  2⤵
  PID:4888
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\xmlyrrebqjujgjlyzeb.exe*."
    3⤵
    PID:4796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wieoeblfrhpbvvue.exe
1⤵
PID:3124
- C:\Windows\wieoeblfrhpbvvue.exe
  wieoeblfrhpbvvue.exe
  2⤵
  PID:2600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dqnypnytgxgtoppaz.exe .
1⤵
PID:3612
- C:\Windows\dqnypnytgxgtoppaz.exe
  dqnypnytgxgtoppaz.exe .
  2⤵
  PID:660
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\dqnypnytgxgtoppaz.exe*."
    3⤵
    PID:232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
1⤵
PID:5972
- C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
  C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
  2⤵
  PID:2748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe .
1⤵
PID:6044
- C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe .
  2⤵
  PID:3556
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\dqnypnytgxgtoppaz.exe*."
    3⤵
    PID:1976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
1⤵
PID:5636
- C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
  2⤵
  PID:572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe .
1⤵
PID:4896
- C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe .
  2⤵
  PID:2752
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\wieoeblfrhpbvvue.exe*."
    3⤵
    PID:5424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c maykcbnjxpznjlmyyc.exe
1⤵
PID:3800
- C:\Windows\maykcbnjxpznjlmyyc.exe
  maykcbnjxpznjlmyyc.exe
  2⤵
  PID:5400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wieoeblfrhpbvvue.exe .
1⤵
PID:5208
- C:\Windows\wieoeblfrhpbvvue.exe
  wieoeblfrhpbvvue.exe .
  2⤵
  PID:5860
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\wieoeblfrhpbvvue.exe*."
    3⤵
    PID:4372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kaaoijxvlfrhfjmacigw.exe
1⤵
PID:4368
- C:\Windows\kaaoijxvlfrhfjmacigw.exe
  kaaoijxvlfrhfjmacigw.exe
  2⤵
  PID:4296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xmlyrrebqjujgjlyzeb.exe .
1⤵
PID:3600
- C:\Windows\xmlyrrebqjujgjlyzeb.exe
  xmlyrrebqjujgjlyzeb.exe .
  2⤵
  PID:5820
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\xmlyrrebqjujgjlyzeb.exe*."
    3⤵
    PID:4552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
1⤵
PID:1336
- C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
  2⤵
  PID:4132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe .
1⤵
PID:4356
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1812
- C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe .
  2⤵
  PID:1800
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\maykcbnjxpznjlmyyc.exe*."
    3⤵
    PID:3472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
1⤵
PID:1636
- C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
  C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
  2⤵
  PID:5440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe .
1⤵
PID:556
- C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
  C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe .
  2⤵
  PID:5108
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\kaaoijxvlfrhfjmacigw.exe*."
    3⤵
    PID:4696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wieoeblfrhpbvvue.exe
1⤵
PID:1428
- C:\Windows\wieoeblfrhpbvvue.exe
  wieoeblfrhpbvvue.exe
  2⤵
  PID:5012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c maykcbnjxpznjlmyyc.exe .
1⤵
PID:3736
- C:\Windows\maykcbnjxpznjlmyyc.exe
  maykcbnjxpznjlmyyc.exe .
  2⤵
  PID:3544
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\maykcbnjxpznjlmyyc.exe*."
    3⤵
    PID:2308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wieoeblfrhpbvvue.exe
1⤵
PID:4436
- C:\Windows\wieoeblfrhpbvvue.exe
  wieoeblfrhpbvvue.exe
  2⤵
  PID:6100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqrgbdsridqhglpehonef.exe .
1⤵
PID:1716
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2280
- C:\Windows\zqrgbdsridqhglpehonef.exe
  zqrgbdsridqhglpehonef.exe .
  2⤵
  PID:5180
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zqrgbdsridqhglpehonef.exe*."
    3⤵
    PID:4468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe
1⤵
PID:4812
- C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\maykcbnjxpznjlmyyc.exe
  2⤵
  PID:5960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe .
1⤵
PID:1332
- C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe .
  2⤵
  PID:6092
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\wieoeblfrhpbvvue.exe*."
    3⤵
    PID:6140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
1⤵
PID:6080
- C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
  C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
  2⤵
  PID:4848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe .
1⤵
PID:216
- C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe .
  2⤵
  PID:2648
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\wieoeblfrhpbvvue.exe*."
    3⤵
    PID:3208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wieoeblfrhpbvvue.exe
1⤵
PID:4244
- C:\Windows\wieoeblfrhpbvvue.exe
  wieoeblfrhpbvvue.exe
  2⤵
  PID:2992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dqnypnytgxgtoppaz.exe .
1⤵
PID:4392
- C:\Windows\dqnypnytgxgtoppaz.exe
  dqnypnytgxgtoppaz.exe .
  2⤵
  PID:5192
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\dqnypnytgxgtoppaz.exe*."
    3⤵
    PID:372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c maykcbnjxpznjlmyyc.exe
1⤵
PID:1488
- C:\Windows\maykcbnjxpznjlmyyc.exe
  maykcbnjxpznjlmyyc.exe
  2⤵
  PID:3784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqrgbdsridqhglpehonef.exe .
1⤵
PID:2084
- C:\Windows\zqrgbdsridqhglpehonef.exe
  zqrgbdsridqhglpehonef.exe .
  2⤵
  PID:1644
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zqrgbdsridqhglpehonef.exe*."
    3⤵
    PID:1132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
1⤵
PID:1688
- C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
  C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
  2⤵
  PID:4716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe .
1⤵
PID:3548
- C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
  C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe .
  2⤵
  PID:5712
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\kaaoijxvlfrhfjmacigw.exe*."
    3⤵
    PID:2928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
1⤵
PID:4384
- C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
  2⤵
  PID:2612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe .
1⤵
PID:4896
- C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
  C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe .
  2⤵
  PID:5316
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\xmlyrrebqjujgjlyzeb.exe*."
    3⤵
    PID:2192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dqnypnytgxgtoppaz.exe
1⤵
PID:1064
- C:\Windows\dqnypnytgxgtoppaz.exe
  dqnypnytgxgtoppaz.exe
  2⤵
  PID:4248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqrgbdsridqhglpehonef.exe
1⤵
PID:1920
- C:\Windows\zqrgbdsridqhglpehonef.exe
  zqrgbdsridqhglpehonef.exe
  2⤵
  PID:2032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wieoeblfrhpbvvue.exe .
1⤵
PID:2304
- C:\Windows\wieoeblfrhpbvvue.exe
  wieoeblfrhpbvvue.exe .
  2⤵
  PID:1628
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\wieoeblfrhpbvvue.exe*."
    3⤵
    PID:4388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wieoeblfrhpbvvue.exe .
1⤵
PID:4508
- C:\Windows\wieoeblfrhpbvvue.exe
  wieoeblfrhpbvvue.exe .
  2⤵
  PID:3300
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\wieoeblfrhpbvvue.exe*."
    3⤵
    PID:2284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c maykcbnjxpznjlmyyc.exe
1⤵
PID:2656
- C:\Windows\maykcbnjxpznjlmyyc.exe
  maykcbnjxpznjlmyyc.exe
  2⤵
  PID:4780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xmlyrrebqjujgjlyzeb.exe .
1⤵
PID:1412
- C:\Windows\xmlyrrebqjujgjlyzeb.exe
  xmlyrrebqjujgjlyzeb.exe .
  2⤵
  PID:2308
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\xmlyrrebqjujgjlyzeb.exe*."
    3⤵
    PID:4168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c maykcbnjxpznjlmyyc.exe
1⤵
PID:744
- C:\Windows\maykcbnjxpznjlmyyc.exe
  maykcbnjxpznjlmyyc.exe
  2⤵
  PID:1472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
1⤵
PID:5376
- C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
  2⤵
  PID:5104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kaaoijxvlfrhfjmacigw.exe .
1⤵
PID:3608
- C:\Windows\kaaoijxvlfrhfjmacigw.exe
  kaaoijxvlfrhfjmacigw.exe .
  2⤵
  PID:3740
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\kaaoijxvlfrhfjmacigw.exe*."
    3⤵
    PID:6092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe .
1⤵
PID:3524
- C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
  C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe .
  2⤵
  PID:4700
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\kaaoijxvlfrhfjmacigw.exe*."
    3⤵
    PID:6140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
1⤵
PID:4480
- C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
  2⤵
  PID:3696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe .
1⤵
PID:1516
- C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe .
  2⤵
  PID:5228
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\wieoeblfrhpbvvue.exe*."
    3⤵
    PID:4872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe
1⤵
PID:1056
- C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe
  2⤵
  PID:3088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe .
1⤵
PID:5748
- C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
  C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe .
  2⤵
  PID:1400
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\xmlyrrebqjujgjlyzeb.exe*."
    3⤵
    PID:4908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
1⤵
PID:2660
- C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
  C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
  2⤵
  PID:1604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dqnypnytgxgtoppaz.exe
1⤵
PID:5144
- C:\Windows\dqnypnytgxgtoppaz.exe
  dqnypnytgxgtoppaz.exe
  2⤵
  PID:1308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe .
1⤵
PID:5960
- C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
  C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe .
  2⤵
  PID:3060
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\kaaoijxvlfrhfjmacigw.exe*."
    3⤵
    PID:4440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xmlyrrebqjujgjlyzeb.exe .
1⤵
PID:6004
- C:\Windows\xmlyrrebqjujgjlyzeb.exe
  xmlyrrebqjujgjlyzeb.exe .
  2⤵
  PID:5532
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\xmlyrrebqjujgjlyzeb.exe*."
    3⤵
    PID:1764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wieoeblfrhpbvvue.exe
1⤵
PID:1184
- C:\Windows\wieoeblfrhpbvvue.exe
  wieoeblfrhpbvvue.exe
  2⤵
  PID:3924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqrgbdsridqhglpehonef.exe .
1⤵
PID:5136
- C:\Windows\zqrgbdsridqhglpehonef.exe
  zqrgbdsridqhglpehonef.exe .
  2⤵
  PID:5756
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zqrgbdsridqhglpehonef.exe*."
    3⤵
    PID:2016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe
1⤵
PID:2648
- C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe
  C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe
  2⤵
  PID:3452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe .
1⤵
PID:4056
- C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe
  C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe .
  2⤵
  PID:4624
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zqrgbdsridqhglpehonef.exe*."
    3⤵
    PID:4264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
1⤵
PID:4924
- C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
  C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
  2⤵
  PID:2644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wieoeblfrhpbvvue.exe
1⤵
PID:1160
- C:\Windows\wieoeblfrhpbvvue.exe
  wieoeblfrhpbvvue.exe
  2⤵
  PID:2824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe .
1⤵
PID:1596
- C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe
  C:\Users\Admin\AppData\Local\Temp\xmlyrrebqjujgjlyzeb.exe .
  2⤵
  PID:2612
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\xmlyrrebqjujgjlyzeb.exe*."
    3⤵
    PID:2900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wieoeblfrhpbvvue.exe .
1⤵
PID:3556
- C:\Windows\wieoeblfrhpbvvue.exe
  wieoeblfrhpbvvue.exe .
  2⤵
  PID:2936
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\wieoeblfrhpbvvue.exe*."
    3⤵
    PID:3500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kaaoijxvlfrhfjmacigw.exe
1⤵
PID:4176
- C:\Windows\kaaoijxvlfrhfjmacigw.exe
  kaaoijxvlfrhfjmacigw.exe
  2⤵
  PID:5596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wieoeblfrhpbvvue.exe .
1⤵
PID:2132
- C:\Windows\wieoeblfrhpbvvue.exe
  wieoeblfrhpbvvue.exe .
  2⤵
  PID:6084
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\wieoeblfrhpbvvue.exe*."
    3⤵
    PID:4368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe
1⤵
PID:5996
- C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\wieoeblfrhpbvvue.exe
  2⤵
  PID:760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe .
1⤵
PID:4324
- C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\dqnypnytgxgtoppaz.exe .
  2⤵
  PID:1128
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\dqnypnytgxgtoppaz.exe*."
    3⤵
    PID:4508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe
1⤵
PID:3132
- C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe
  C:\Users\Admin\AppData\Local\Temp\zqrgbdsridqhglpehonef.exe
  2⤵
  PID:3328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe .
1⤵
PID:2820
- C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe
  C:\Users\Admin\AppData\Local\Temp\kaaoijxvlfrhfjmacigw.exe .
  2⤵
  PID:2844
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\kaaoijxvlfrhfjmacigw.exe*."
    3⤵
    PID:2944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xmlyrrebqjujgjlyzeb.exe
1⤵
PID:556
- C:\Windows\xmlyrrebqjujgjlyzeb.exe
  xmlyrrebqjujgjlyzeb.exe
  2⤵
  PID:1636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xmlyrrebqjujgjlyzeb.exe .
1⤵
PID:2872
- C:\Windows\xmlyrrebqjujgjlyzeb.exe
  xmlyrrebqjujgjlyzeb.exe .
  2⤵
  PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Modify Registry