pykspa | 08565ab76bff7b276fa60584ca2adc3afafbce2ac1a47bd5cb014f744370e598

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	ppzafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	ppzafl.exe

Pykspa
Pykspa is a worm spreads via Skype uses DGA and it's written in C++.
worm pykspa
Pykspa family
pykspa

UAC bypass 3 TTPs 6 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ppzafl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ppzafl.exe

Detect Pykspa worm 2 IoCs

worm

resource	yara_rule
behavioral2/files/0x0005000000022f2f-4.dat	family_pykspa
behavioral2/files/0x000700000002426f-105.dat	family_pykspa

Adds policy Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cdoqwdj = "blfqfvkexpcdzfoa.exe"	ppzafl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ppzafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cdoqwdj = "blfqfvkexpcdzfoa.exe"	ppzafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vtba = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdbqjdwurnejjtgwgrfd.exe"	ppzafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vtba = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rdzmdvmidxmpnvgucl.exe"	ppzafl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cdoqwdj = "rdzmdvmidxmpnvgucl.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vtba = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdbqjdwurnejjtgwgrfd.exe"	wearswdegok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ppzafl.exe

Blocklisted process makes network request 5 IoCs

flow	pid	Process
10	5860	Process not Found
12	5860	Process not Found
24	5860	Process not Found
25	5860	Process not Found
26	5860	Process not Found

Disables RegEdit via registry modification 4 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ppzafl.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ppzafl.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wearswdegok.exe

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	blfqfvkexpcdzfoa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	rdzmdvmidxmpnvgucl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	etsicxrqoldjkvjalxmlb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	wearswdegok.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	rdzmdvmidxmpnvgucl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	blfqfvkexpcdzfoa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	itoaqhxsmftvszjwd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	JaffaCakes118_8cf88a6db7a1d9f426aac73a35f11ce5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	blfqfvkexpcdzfoa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	cpmasldawrhlktfudna.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	pdbqjdwurnejjtgwgrfd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	rdzmdvmidxmpnvgucl.exe

Executes dropped EXE 36 IoCs

pid	Process
4920	wearswdegok.exe
5088	pdbqjdwurnejjtgwgrfd.exe
1624	blfqfvkexpcdzfoa.exe
5172	wearswdegok.exe
1504	rdzmdvmidxmpnvgucl.exe
1096	blfqfvkexpcdzfoa.exe
3972	wearswdegok.exe
1124	etsicxrqoldjkvjalxmlb.exe
4784	rdzmdvmidxmpnvgucl.exe
4668	wearswdegok.exe
2660	etsicxrqoldjkvjalxmlb.exe
4160	etsicxrqoldjkvjalxmlb.exe
5820	wearswdegok.exe
3056	ppzafl.exe
640	ppzafl.exe
2376	blfqfvkexpcdzfoa.exe
6132	rdzmdvmidxmpnvgucl.exe
3096	rdzmdvmidxmpnvgucl.exe
1544	wearswdegok.exe
4948	cpmasldawrhlktfudna.exe
3652	wearswdegok.exe
1588	etsicxrqoldjkvjalxmlb.exe
2300	rdzmdvmidxmpnvgucl.exe
5496	pdbqjdwurnejjtgwgrfd.exe
2108	blfqfvkexpcdzfoa.exe
5452	blfqfvkexpcdzfoa.exe
2560	wearswdegok.exe
5064	rdzmdvmidxmpnvgucl.exe
5040	wearswdegok.exe
4068	rdzmdvmidxmpnvgucl.exe
1112	itoaqhxsmftvszjwd.exe
5976	wearswdegok.exe
5640	blfqfvkexpcdzfoa.exe
3836	wearswdegok.exe
3092	blfqfvkexpcdzfoa.exe
1484	cpmasldawrhlktfudna.exe

Adds Run key to start application 2 TTPs 25 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

defense_evasion persistence privilege_escalation

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\edmmq = "pdbqjdwurnejjtgwgrfd.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wbqwgrbqerz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\blfqfvkexpcdzfoa.exe"	ppzafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wbqwgrbqerz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rdzmdvmidxmpnvgucl.exe"	ppzafl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\edmmq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\blfqfvkexpcdzfoa.exe"	ppzafl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\edmmq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\blfqfvkexpcdzfoa.exe"	ppzafl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ppzafl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cpmasldawrhlktfudna.exe ."	ppzafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\edmmq = "rdzmdvmidxmpnvgucl.exe"	ppzafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ppzafl = "blfqfvkexpcdzfoa.exe ."	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wbqwgrbqerz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etsicxrqoldjkvjalxmlb.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bftyhraobn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rdzmdvmidxmpnvgucl.exe ."	wearswdegok.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\edmmq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etsicxrqoldjkvjalxmlb.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\edmmq = "blfqfvkexpcdzfoa.exe"	ppzafl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rtfipxeq = "etsicxrqoldjkvjalxmlb.exe"	ppzafl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rtfipxeq = "rdzmdvmidxmpnvgucl.exe"	ppzafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bftyhraobn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rdzmdvmidxmpnvgucl.exe ."	ppzafl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ppzafl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdbqjdwurnejjtgwgrfd.exe ."	ppzafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\edmmq = "rdzmdvmidxmpnvgucl.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ppzafl = "rdzmdvmidxmpnvgucl.exe ."	ppzafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ppzafl = "cpmasldawrhlktfudna.exe ."	ppzafl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rtfipxeq = "rdzmdvmidxmpnvgucl.exe"	wearswdegok.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ilycktboa = "blfqfvkexpcdzfoa.exe ."	wearswdegok.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ppzafl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etsicxrqoldjkvjalxmlb.exe ."	wearswdegok.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ilycktboa = "pdbqjdwurnejjtgwgrfd.exe ."	ppzafl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ilycktboa = "blfqfvkexpcdzfoa.exe ."	ppzafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bftyhraobn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\itoaqhxsmftvszjwd.exe ."	ppzafl.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ppzafl.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ppzafl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ppzafl.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ppzafl.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 1 IoCs

Possible Turn off User Account Control's privilege elevation for standard users.

Executable Installer File Permissions Weakness

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	wearswdegok.exe

Looks up external IP address via web service 7 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
52	www.whatismyip.ca
53	whatismyip.everdot.org
58	www.whatismyip.ca
31	whatismyipaddress.com
37	www.whatismyip.ca
45	www.showmyipaddress.com
48	whatismyip.everdot.org

Drops file in System32 directory 23 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\etsicxrqoldjkvjalxmlb.exe	ppzafl.exe
File opened for modification	C:\Windows\SysWOW64\etsicxrqoldjkvjalxmlb.exe	ppzafl.exe
File created	C:\Windows\SysWOW64\fzdyxxwadfcntjcyofzdyx.wad	ppzafl.exe
File opened for modification	C:\Windows\SysWOW64\pdbqjdwurnejjtgwgrfd.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\etsicxrqoldjkvjalxmlb.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\itoaqhxsmftvszjwd.exe	ppzafl.exe
File opened for modification	C:\Windows\SysWOW64\rdzmdvmidxmpnvgucl.exe	ppzafl.exe
File opened for modification	C:\Windows\SysWOW64\cpmasldawrhlktfudna.exe	ppzafl.exe
File opened for modification	C:\Windows\SysWOW64\pdbqjdwurnejjtgwgrfd.exe	ppzafl.exe
File opened for modification	C:\Windows\SysWOW64\vllcxtoonlelnzogsfvvmh.exe	ppzafl.exe
File opened for modification	C:\Windows\SysWOW64\itoaqhxsmftvszjwd.exe	ppzafl.exe
File opened for modification	C:\Windows\SysWOW64\cpmasldawrhlktfudna.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\rdzmdvmidxmpnvgucl.exe	ppzafl.exe
File opened for modification	C:\Windows\SysWOW64\cpmasldawrhlktfudna.exe	ppzafl.exe
File opened for modification	C:\Windows\SysWOW64\pdbqjdwurnejjtgwgrfd.exe	ppzafl.exe
File opened for modification	C:\Windows\SysWOW64\vllcxtoonlelnzogsfvvmh.exe	ppzafl.exe
File opened for modification	C:\Windows\SysWOW64\fzdyxxwadfcntjcyofzdyx.wad	ppzafl.exe
File opened for modification	C:\Windows\SysWOW64\blfqfvkexpcdzfoa.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\itoaqhxsmftvszjwd.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\rdzmdvmidxmpnvgucl.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\vllcxtoonlelnzogsfvvmh.exe	wearswdegok.exe
File opened for modification	C:\Windows\SysWOW64\blfqfvkexpcdzfoa.exe	ppzafl.exe
File opened for modification	C:\Windows\SysWOW64\blfqfvkexpcdzfoa.exe	ppzafl.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\fzdyxxwadfcntjcyofzdyx.wad	ppzafl.exe
File created	C:\Program Files (x86)\fzdyxxwadfcntjcyofzdyx.wad	ppzafl.exe

Drops file in Windows directory 23 IoCs

description	ioc	Process
File opened for modification	C:\Windows\itoaqhxsmftvszjwd.exe	ppzafl.exe
File opened for modification	C:\Windows\vllcxtoonlelnzogsfvvmh.exe	ppzafl.exe
File opened for modification	C:\Windows\etsicxrqoldjkvjalxmlb.exe	ppzafl.exe
File opened for modification	C:\Windows\itoaqhxsmftvszjwd.exe	wearswdegok.exe
File opened for modification	C:\Windows\cpmasldawrhlktfudna.exe	wearswdegok.exe
File opened for modification	C:\Windows\pdbqjdwurnejjtgwgrfd.exe	wearswdegok.exe
File opened for modification	C:\Windows\etsicxrqoldjkvjalxmlb.exe	wearswdegok.exe
File opened for modification	C:\Windows\blfqfvkexpcdzfoa.exe	ppzafl.exe
File opened for modification	C:\Windows\cpmasldawrhlktfudna.exe	ppzafl.exe
File opened for modification	C:\Windows\pdbqjdwurnejjtgwgrfd.exe	ppzafl.exe
File opened for modification	C:\Windows\vllcxtoonlelnzogsfvvmh.exe	ppzafl.exe
File opened for modification	C:\Windows\vllcxtoonlelnzogsfvvmh.exe	wearswdegok.exe
File opened for modification	C:\Windows\blfqfvkexpcdzfoa.exe	ppzafl.exe
File opened for modification	C:\Windows\rdzmdvmidxmpnvgucl.exe	ppzafl.exe
File opened for modification	C:\Windows\pdbqjdwurnejjtgwgrfd.exe	ppzafl.exe
File opened for modification	C:\Windows\itoaqhxsmftvszjwd.exe	ppzafl.exe
File opened for modification	C:\Windows\blfqfvkexpcdzfoa.exe	wearswdegok.exe
File opened for modification	C:\Windows\rdzmdvmidxmpnvgucl.exe	wearswdegok.exe
File opened for modification	C:\Windows\cpmasldawrhlktfudna.exe	ppzafl.exe
File opened for modification	C:\Windows\etsicxrqoldjkvjalxmlb.exe	ppzafl.exe
File opened for modification	C:\Windows\rdzmdvmidxmpnvgucl.exe	ppzafl.exe
File opened for modification	C:\Windows\fzdyxxwadfcntjcyofzdyx.wad	ppzafl.exe
File created	C:\Windows\fzdyxxwadfcntjcyofzdyx.wad	ppzafl.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	blfqfvkexpcdzfoa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	blfqfvkexpcdzfoa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppzafl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	blfqfvkexpcdzfoa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rdzmdvmidxmpnvgucl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pdbqjdwurnejjtgwgrfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rdzmdvmidxmpnvgucl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	etsicxrqoldjkvjalxmlb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cpmasldawrhlktfudna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cpmasldawrhlktfudna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wearswdegok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	etsicxrqoldjkvjalxmlb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rdzmdvmidxmpnvgucl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	etsicxrqoldjkvjalxmlb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pdbqjdwurnejjtgwgrfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	itoaqhxsmftvszjwd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8cf88a6db7a1d9f426aac73a35f11ce5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rdzmdvmidxmpnvgucl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	blfqfvkexpcdzfoa.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1924	JaffaCakes118_8cf88a6db7a1d9f426aac73a35f11ce5.exe
1924	JaffaCakes118_8cf88a6db7a1d9f426aac73a35f11ce5.exe
1924	JaffaCakes118_8cf88a6db7a1d9f426aac73a35f11ce5.exe
1924	JaffaCakes118_8cf88a6db7a1d9f426aac73a35f11ce5.exe
1924	JaffaCakes118_8cf88a6db7a1d9f426aac73a35f11ce5.exe
1924	JaffaCakes118_8cf88a6db7a1d9f426aac73a35f11ce5.exe
1924	JaffaCakes118_8cf88a6db7a1d9f426aac73a35f11ce5.exe
1924	JaffaCakes118_8cf88a6db7a1d9f426aac73a35f11ce5.exe
1924	JaffaCakes118_8cf88a6db7a1d9f426aac73a35f11ce5.exe
1924	JaffaCakes118_8cf88a6db7a1d9f426aac73a35f11ce5.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 4920	1924	JaffaCakes118_8cf88a6db7a1d9f426aac73a35f11ce5.exe	88
PID 1924 wrote to memory of 4920	1924	JaffaCakes118_8cf88a6db7a1d9f426aac73a35f11ce5.exe	88
PID 1924 wrote to memory of 4920	1924	JaffaCakes118_8cf88a6db7a1d9f426aac73a35f11ce5.exe	88
PID 5112 wrote to memory of 5088	5112	cmd.exe	590
PID 5112 wrote to memory of 5088	5112	cmd.exe	590
PID 5112 wrote to memory of 5088	5112	cmd.exe	590
PID 1656 wrote to memory of 1624	1656	cmd.exe	724
PID 1656 wrote to memory of 1624	1656	cmd.exe	724
PID 1656 wrote to memory of 1624	1656	cmd.exe	724
PID 1624 wrote to memory of 5172	1624	blfqfvkexpcdzfoa.exe	95
PID 1624 wrote to memory of 5172	1624	blfqfvkexpcdzfoa.exe	95
PID 1624 wrote to memory of 5172	1624	blfqfvkexpcdzfoa.exe	95
PID 1284 wrote to memory of 1504	1284	cmd.exe	98
PID 1284 wrote to memory of 1504	1284	cmd.exe	98
PID 1284 wrote to memory of 1504	1284	cmd.exe	98
PID 1828 wrote to memory of 1096	1828	cmd.exe	891
PID 1828 wrote to memory of 1096	1828	cmd.exe	891
PID 1828 wrote to memory of 1096	1828	cmd.exe	891
PID 1096 wrote to memory of 3972	1096	blfqfvkexpcdzfoa.exe	960
PID 1096 wrote to memory of 3972	1096	blfqfvkexpcdzfoa.exe	960
PID 1096 wrote to memory of 3972	1096	blfqfvkexpcdzfoa.exe	960
PID 5104 wrote to memory of 1124	5104	cmd.exe	1180
PID 5104 wrote to memory of 1124	5104	cmd.exe	1180
PID 5104 wrote to memory of 1124	5104	cmd.exe	1180
PID 1104 wrote to memory of 4784	1104	cmd.exe	877
PID 1104 wrote to memory of 4784	1104	cmd.exe	877
PID 1104 wrote to memory of 4784	1104	cmd.exe	877
PID 4784 wrote to memory of 4668	4784	rdzmdvmidxmpnvgucl.exe	499
PID 4784 wrote to memory of 4668	4784	rdzmdvmidxmpnvgucl.exe	499
PID 4784 wrote to memory of 4668	4784	rdzmdvmidxmpnvgucl.exe	499
PID 1084 wrote to memory of 2660	1084	cmd.exe	406
PID 1084 wrote to memory of 2660	1084	cmd.exe	406
PID 1084 wrote to memory of 2660	1084	cmd.exe	406
PID 5932 wrote to memory of 4160	5932	cmd.exe	859
PID 5932 wrote to memory of 4160	5932	cmd.exe	859
PID 5932 wrote to memory of 4160	5932	cmd.exe	859
PID 4160 wrote to memory of 5820	4160	etsicxrqoldjkvjalxmlb.exe	852
PID 4160 wrote to memory of 5820	4160	etsicxrqoldjkvjalxmlb.exe	852
PID 4160 wrote to memory of 5820	4160	etsicxrqoldjkvjalxmlb.exe	852
PID 4920 wrote to memory of 3056	4920	wearswdegok.exe	117
PID 4920 wrote to memory of 3056	4920	wearswdegok.exe	117
PID 4920 wrote to memory of 3056	4920	wearswdegok.exe	117
PID 4920 wrote to memory of 640	4920	wearswdegok.exe	118
PID 4920 wrote to memory of 640	4920	wearswdegok.exe	118
PID 4920 wrote to memory of 640	4920	wearswdegok.exe	118
PID 5208 wrote to memory of 2376	5208	cmd.exe	838
PID 5208 wrote to memory of 2376	5208	cmd.exe	838
PID 5208 wrote to memory of 2376	5208	cmd.exe	838
PID 2412 wrote to memory of 6132	2412	cmd.exe	124
PID 2412 wrote to memory of 6132	2412	cmd.exe	124
PID 2412 wrote to memory of 6132	2412	cmd.exe	124
PID 1632 wrote to memory of 3096	1632	cmd.exe	127
PID 1632 wrote to memory of 3096	1632	cmd.exe	127
PID 1632 wrote to memory of 3096	1632	cmd.exe	127
PID 3096 wrote to memory of 1544	3096	rdzmdvmidxmpnvgucl.exe	1132
PID 3096 wrote to memory of 1544	3096	rdzmdvmidxmpnvgucl.exe	1132
PID 3096 wrote to memory of 1544	3096	rdzmdvmidxmpnvgucl.exe	1132
PID 5268 wrote to memory of 4948	5268	cmd.exe	131
PID 5268 wrote to memory of 4948	5268	cmd.exe	131
PID 5268 wrote to memory of 4948	5268	cmd.exe	131
PID 4948 wrote to memory of 3652	4948	cpmasldawrhlktfudna.exe	842
PID 4948 wrote to memory of 3652	4948	cpmasldawrhlktfudna.exe	842
PID 4948 wrote to memory of 3652	4948	cpmasldawrhlktfudna.exe	842
PID 1860 wrote to memory of 1588	1860	cmd.exe	137

System policy modification 1 TTPs 16 IoCs

defense_evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ppzafl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ppzafl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	wearswdegok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	wearswdegok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	wearswdegok.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	wearswdegok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ppzafl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ppzafl.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8cf88a6db7a1d9f426aac73a35f11ce5.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8cf88a6db7a1d9f426aac73a35f11ce5.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
  "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_8cf88a6db7a1d9f426aac73a35f11ce5.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4920
- - C:\Users\Admin\AppData\Local\Temp\ppzafl.exe
    "C:\Users\Admin\AppData\Local\Temp\ppzafl.exe" "-c:\users\admin\appdata\local\temp\jaffacakes118_8cf88a6db7a1d9f426aac73a35f11ce5.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - System policy modification
    PID:3056
- - C:\Users\Admin\AppData\Local\Temp\ppzafl.exe
    "C:\Users\Admin\AppData\Local\Temp\ppzafl.exe" "-c:\users\admin\appdata\local\temp\jaffacakes118_8cf88a6db7a1d9f426aac73a35f11ce5.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:640
- C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
  "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_8cf88a6db7a1d9f426aac73a35f11ce5.exe"
  2⤵
  PID:3856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdbqjdwurnejjtgwgrfd.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5112
- C:\Windows\pdbqjdwurnejjtgwgrfd.exe
  pdbqjdwurnejjtgwgrfd.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c blfqfvkexpcdzfoa.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Windows\blfqfvkexpcdzfoa.exe
  blfqfvkexpcdzfoa.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\blfqfvkexpcdzfoa.exe*."
    3⤵
    - Executes dropped EXE
    PID:5172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rdzmdvmidxmpnvgucl.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Windows\rdzmdvmidxmpnvgucl.exe
  rdzmdvmidxmpnvgucl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c blfqfvkexpcdzfoa.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:1828
- C:\Windows\blfqfvkexpcdzfoa.exe
  blfqfvkexpcdzfoa.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1096
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\blfqfvkexpcdzfoa.exe*."
    3⤵
    - Executes dropped EXE
    PID:3972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe
  C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe
  C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4784
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\rdzmdvmidxmpnvgucl.exe*."
    3⤵
    - Executes dropped EXE
    PID:4668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1084
- C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe
  C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe
  2⤵
  - Executes dropped EXE
  PID:2660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:5932
- C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe
  C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4160
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\etsicxrqoldjkvjalxmlb.exe*."
    3⤵
    - Executes dropped EXE
    PID:5820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c blfqfvkexpcdzfoa.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5208
- C:\Windows\blfqfvkexpcdzfoa.exe
  blfqfvkexpcdzfoa.exe
  2⤵
  - Executes dropped EXE
  PID:2376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rdzmdvmidxmpnvgucl.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Windows\rdzmdvmidxmpnvgucl.exe
  rdzmdvmidxmpnvgucl.exe
  2⤵
  - Executes dropped EXE
  PID:6132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rdzmdvmidxmpnvgucl.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Windows\rdzmdvmidxmpnvgucl.exe
  rdzmdvmidxmpnvgucl.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3096
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\rdzmdvmidxmpnvgucl.exe*."
    3⤵
    - Executes dropped EXE
    PID:1544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cpmasldawrhlktfudna.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:5268
- C:\Windows\cpmasldawrhlktfudna.exe
  cpmasldawrhlktfudna.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4948
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\cpmasldawrhlktfudna.exe*."
    3⤵
    - Executes dropped EXE
    PID:3652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c etsicxrqoldjkvjalxmlb.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Windows\etsicxrqoldjkvjalxmlb.exe
  etsicxrqoldjkvjalxmlb.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rdzmdvmidxmpnvgucl.exe
1⤵
PID:2572
- C:\Windows\rdzmdvmidxmpnvgucl.exe
  rdzmdvmidxmpnvgucl.exe
  2⤵
  - Executes dropped EXE
  PID:2300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdbqjdwurnejjtgwgrfd.exe .
1⤵
PID:2364
- C:\Windows\pdbqjdwurnejjtgwgrfd.exe
  pdbqjdwurnejjtgwgrfd.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5496
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\pdbqjdwurnejjtgwgrfd.exe*."
    3⤵
    - Executes dropped EXE
    PID:2560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c blfqfvkexpcdzfoa.exe .
1⤵
PID:388
- C:\Windows\blfqfvkexpcdzfoa.exe
  blfqfvkexpcdzfoa.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2108
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\blfqfvkexpcdzfoa.exe*."
    3⤵
    - Executes dropped EXE
    PID:5040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
1⤵
PID:6064
- C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe
1⤵
PID:3608
- C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe
  C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe
  2⤵
  - Executes dropped EXE
  PID:5064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe .
1⤵
PID:1148
- C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe
  C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4068
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\rdzmdvmidxmpnvgucl.exe*."
    3⤵
    - Executes dropped EXE
    PID:5976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itoaqhxsmftvszjwd.exe .
1⤵
PID:5116
- C:\Users\Admin\AppData\Local\Temp\itoaqhxsmftvszjwd.exe
  C:\Users\Admin\AppData\Local\Temp\itoaqhxsmftvszjwd.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1112
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\itoaqhxsmftvszjwd.exe*."
    3⤵
    - Executes dropped EXE
    PID:3836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
1⤵
PID:5172
- C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
  2⤵
  - Executes dropped EXE
  PID:5640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
1⤵
PID:2372
- C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
  2⤵
  - Executes dropped EXE
  PID:3092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe .
1⤵
PID:424
- C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe
  C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1484
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\cpmasldawrhlktfudna.exe*."
    3⤵
    PID:2096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe .
1⤵
PID:6040
- C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe
  C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe .
  2⤵
  PID:4076
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\pdbqjdwurnejjtgwgrfd.exe*."
    3⤵
    PID:2764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rdzmdvmidxmpnvgucl.exe
1⤵
PID:4784
- C:\Windows\rdzmdvmidxmpnvgucl.exe
  rdzmdvmidxmpnvgucl.exe
  2⤵
  PID:2436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c etsicxrqoldjkvjalxmlb.exe
1⤵
PID:1144
- C:\Windows\etsicxrqoldjkvjalxmlb.exe
  etsicxrqoldjkvjalxmlb.exe
  2⤵
  PID:4100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c blfqfvkexpcdzfoa.exe .
1⤵
PID:1200
- C:\Windows\blfqfvkexpcdzfoa.exe
  blfqfvkexpcdzfoa.exe .
  2⤵
  PID:2600
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\blfqfvkexpcdzfoa.exe*."
    3⤵
    PID:4016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c blfqfvkexpcdzfoa.exe
1⤵
PID:5740
- C:\Windows\blfqfvkexpcdzfoa.exe
  blfqfvkexpcdzfoa.exe
  2⤵
  PID:3420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c itoaqhxsmftvszjwd.exe .
1⤵
PID:2404
- C:\Windows\itoaqhxsmftvszjwd.exe
  itoaqhxsmftvszjwd.exe .
  2⤵
  PID:5628
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\itoaqhxsmftvszjwd.exe*."
    3⤵
    PID:6104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
1⤵
PID:5888
- C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
  2⤵
  PID:5556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe .
1⤵
PID:3652
- C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe .
  2⤵
  PID:5288
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\blfqfvkexpcdzfoa.exe*."
    3⤵
    PID:4580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itoaqhxsmftvszjwd.exe
1⤵
PID:1860
- C:\Users\Admin\AppData\Local\Temp\itoaqhxsmftvszjwd.exe
  C:\Users\Admin\AppData\Local\Temp\itoaqhxsmftvszjwd.exe
  2⤵
  PID:2572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe .
1⤵
PID:4680
- C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe
  C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe .
  2⤵
  PID:1336
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\etsicxrqoldjkvjalxmlb.exe*."
    3⤵
    PID:4216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cpmasldawrhlktfudna.exe
1⤵
PID:4520
- C:\Windows\cpmasldawrhlktfudna.exe
  cpmasldawrhlktfudna.exe
  2⤵
  PID:3908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rdzmdvmidxmpnvgucl.exe
1⤵
PID:5080
- C:\Windows\rdzmdvmidxmpnvgucl.exe
  rdzmdvmidxmpnvgucl.exe
  2⤵
  PID:3824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c etsicxrqoldjkvjalxmlb.exe .
1⤵
PID:1252
- C:\Windows\etsicxrqoldjkvjalxmlb.exe
  etsicxrqoldjkvjalxmlb.exe .
  2⤵
  PID:3836
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\etsicxrqoldjkvjalxmlb.exe*."
    3⤵
    PID:332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c blfqfvkexpcdzfoa.exe .
1⤵
PID:2136
- C:\Windows\blfqfvkexpcdzfoa.exe
  blfqfvkexpcdzfoa.exe .
  2⤵
  PID:5116
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\blfqfvkexpcdzfoa.exe*."
    3⤵
    PID:2456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c etsicxrqoldjkvjalxmlb.exe
1⤵
PID:4644
- C:\Windows\etsicxrqoldjkvjalxmlb.exe
  etsicxrqoldjkvjalxmlb.exe
  2⤵
  PID:2760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c blfqfvkexpcdzfoa.exe .
1⤵
PID:2372
- C:\Windows\blfqfvkexpcdzfoa.exe
  blfqfvkexpcdzfoa.exe .
  2⤵
  PID:1428
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\blfqfvkexpcdzfoa.exe*."
    3⤵
    PID:1872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c blfqfvkexpcdzfoa.exe
1⤵
PID:5596
- C:\Windows\blfqfvkexpcdzfoa.exe
  blfqfvkexpcdzfoa.exe
  2⤵
  PID:2012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
1⤵
PID:5644
- C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
  2⤵
  PID:6024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cpmasldawrhlktfudna.exe .
1⤵
PID:3556
- C:\Windows\cpmasldawrhlktfudna.exe
  cpmasldawrhlktfudna.exe .
  2⤵
  PID:4720
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\cpmasldawrhlktfudna.exe*."
    3⤵
    PID:724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe .
1⤵
PID:5820
- C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe
  C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe .
  2⤵
  PID:3544
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\pdbqjdwurnejjtgwgrfd.exe*."
    3⤵
    PID:6104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
1⤵
PID:5900
- C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
  2⤵
  PID:5972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rdzmdvmidxmpnvgucl.exe
1⤵
PID:4180
- C:\Windows\rdzmdvmidxmpnvgucl.exe
  rdzmdvmidxmpnvgucl.exe
  2⤵
  PID:5512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe .
1⤵
PID:4084
- C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe
  C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe .
  2⤵
  PID:1820
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\rdzmdvmidxmpnvgucl.exe*."
    3⤵
    PID:3180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c blfqfvkexpcdzfoa.exe .
1⤵
PID:2600
- C:\Windows\blfqfvkexpcdzfoa.exe
  blfqfvkexpcdzfoa.exe .
  2⤵
  PID:2968
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\blfqfvkexpcdzfoa.exe*."
    3⤵
    PID:2260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe
1⤵
PID:2976
- C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe
  C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe
  2⤵
  PID:3816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe .
1⤵
PID:6068
- C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe .
  2⤵
  PID:3956
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\blfqfvkexpcdzfoa.exe*."
    3⤵
    PID:4756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itoaqhxsmftvszjwd.exe
1⤵
PID:3532
- C:\Users\Admin\AppData\Local\Temp\itoaqhxsmftvszjwd.exe
  C:\Users\Admin\AppData\Local\Temp\itoaqhxsmftvszjwd.exe
  2⤵
  PID:3832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c etsicxrqoldjkvjalxmlb.exe
1⤵
PID:5368
- C:\Windows\etsicxrqoldjkvjalxmlb.exe
  etsicxrqoldjkvjalxmlb.exe
  2⤵
  PID:4216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe .
1⤵
PID:3012
- C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe
  C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe .
  2⤵
  PID:5452
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\rdzmdvmidxmpnvgucl.exe*."
    3⤵
    PID:940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c itoaqhxsmftvszjwd.exe .
1⤵
PID:916
- C:\Windows\itoaqhxsmftvszjwd.exe
  itoaqhxsmftvszjwd.exe .
  2⤵
  PID:6140
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\itoaqhxsmftvszjwd.exe*."
    3⤵
    PID:2936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe
1⤵
PID:4932
- C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe
  C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe
  2⤵
  PID:1944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe .
1⤵
PID:3400
- C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe .
  2⤵
  PID:5024
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\blfqfvkexpcdzfoa.exe*."
    3⤵
    PID:1252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe
1⤵
PID:5456
- C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe
  C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe
  2⤵
  PID:2760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe .
1⤵
PID:3756
- C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe
  C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe .
  2⤵
  PID:5952
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\cpmasldawrhlktfudna.exe*."
    3⤵
    PID:4572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cpmasldawrhlktfudna.exe
1⤵
PID:3268
- C:\Windows\cpmasldawrhlktfudna.exe
  cpmasldawrhlktfudna.exe
  2⤵
  PID:5596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c blfqfvkexpcdzfoa.exe
1⤵
PID:1768
- C:\Windows\blfqfvkexpcdzfoa.exe
  blfqfvkexpcdzfoa.exe
  2⤵
  PID:5512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c blfqfvkexpcdzfoa.exe .
1⤵
PID:1264
- C:\Windows\blfqfvkexpcdzfoa.exe
  blfqfvkexpcdzfoa.exe .
  2⤵
  PID:3708
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\blfqfvkexpcdzfoa.exe*."
    3⤵
    PID:552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdbqjdwurnejjtgwgrfd.exe .
1⤵
PID:1524
- C:\Windows\pdbqjdwurnejjtgwgrfd.exe
  pdbqjdwurnejjtgwgrfd.exe .
  2⤵
  PID:2716
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\pdbqjdwurnejjtgwgrfd.exe*."
    3⤵
    PID:6104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cpmasldawrhlktfudna.exe
1⤵
PID:2020
- C:\Windows\cpmasldawrhlktfudna.exe
  cpmasldawrhlktfudna.exe
  2⤵
  PID:1616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c etsicxrqoldjkvjalxmlb.exe .
1⤵
PID:1692
- C:\Windows\etsicxrqoldjkvjalxmlb.exe
  etsicxrqoldjkvjalxmlb.exe .
  2⤵
  PID:1144
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\etsicxrqoldjkvjalxmlb.exe*."
    3⤵
    PID:4532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cpmasldawrhlktfudna.exe
1⤵
PID:5588
- C:\Windows\cpmasldawrhlktfudna.exe
  cpmasldawrhlktfudna.exe
  2⤵
  PID:3584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe
1⤵
PID:5600
- C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe
  C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe
  2⤵
  PID:3960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c itoaqhxsmftvszjwd.exe .
1⤵
PID:5352
- C:\Windows\itoaqhxsmftvszjwd.exe
  itoaqhxsmftvszjwd.exe .
  2⤵
  PID:1020
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\itoaqhxsmftvszjwd.exe*."
    3⤵
    PID:2076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itoaqhxsmftvszjwd.exe .
1⤵
PID:1700
- C:\Users\Admin\AppData\Local\Temp\itoaqhxsmftvszjwd.exe
  C:\Users\Admin\AppData\Local\Temp\itoaqhxsmftvszjwd.exe .
  2⤵
  PID:4504
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\itoaqhxsmftvszjwd.exe*."
    3⤵
    PID:1384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe
1⤵
PID:3328
- C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe
  C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe
  2⤵
  PID:4460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c blfqfvkexpcdzfoa.exe
1⤵
PID:4216
- C:\Windows\blfqfvkexpcdzfoa.exe
  blfqfvkexpcdzfoa.exe
  2⤵
  PID:5704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe .
1⤵
PID:5068
- C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe
  C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe .
  2⤵
  PID:2316
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\pdbqjdwurnejjtgwgrfd.exe*."
    3⤵
    PID:4548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe
1⤵
PID:5368
- C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe
  C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe
  2⤵
  PID:4392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdbqjdwurnejjtgwgrfd.exe .
1⤵
PID:2212
- C:\Windows\pdbqjdwurnejjtgwgrfd.exe
  pdbqjdwurnejjtgwgrfd.exe .
  2⤵
  PID:3480
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\pdbqjdwurnejjtgwgrfd.exe*."
    3⤵
    PID:4656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe .
1⤵
PID:1172
- C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe .
  2⤵
  PID:4036
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\blfqfvkexpcdzfoa.exe*."
    3⤵
    PID:5620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe
1⤵
PID:3672
- C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe
  C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe
  2⤵
  PID:2660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rdzmdvmidxmpnvgucl.exe
1⤵
PID:4712
- C:\Windows\rdzmdvmidxmpnvgucl.exe
  rdzmdvmidxmpnvgucl.exe
  2⤵
  PID:1500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe .
1⤵
PID:4680
- C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe
  C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe .
  2⤵
  PID:5668
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\pdbqjdwurnejjtgwgrfd.exe*."
    3⤵
    PID:4440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c blfqfvkexpcdzfoa.exe .
1⤵
PID:5772
- C:\Windows\blfqfvkexpcdzfoa.exe
  blfqfvkexpcdzfoa.exe .
  2⤵
  PID:4872
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\blfqfvkexpcdzfoa.exe*."
    3⤵
    PID:3820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe
1⤵
PID:5632
- C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe
  C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe
  2⤵
  PID:3176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe .
1⤵
PID:528
- C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe
  C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe .
  2⤵
  PID:4744
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\rdzmdvmidxmpnvgucl.exe*."
    3⤵
    PID:4564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe
1⤵
PID:636
- C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe
  C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe
  2⤵
  PID:3416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itoaqhxsmftvszjwd.exe .
1⤵
PID:380
- C:\Users\Admin\AppData\Local\Temp\itoaqhxsmftvszjwd.exe
  C:\Users\Admin\AppData\Local\Temp\itoaqhxsmftvszjwd.exe .
  2⤵
  PID:5920
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\itoaqhxsmftvszjwd.exe*."
    3⤵
    PID:5596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c blfqfvkexpcdzfoa.exe
1⤵
PID:4472
- C:\Windows\blfqfvkexpcdzfoa.exe
  blfqfvkexpcdzfoa.exe
  2⤵
  PID:2376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdbqjdwurnejjtgwgrfd.exe
1⤵
PID:768
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5496
- C:\Windows\pdbqjdwurnejjtgwgrfd.exe
  pdbqjdwurnejjtgwgrfd.exe
  2⤵
  PID:464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c etsicxrqoldjkvjalxmlb.exe .
1⤵
PID:4188
- C:\Windows\etsicxrqoldjkvjalxmlb.exe
  etsicxrqoldjkvjalxmlb.exe .
  2⤵
  PID:4168
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\etsicxrqoldjkvjalxmlb.exe*."
    3⤵
    PID:5664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c itoaqhxsmftvszjwd.exe .
1⤵
PID:1804
- C:\Windows\itoaqhxsmftvszjwd.exe
  itoaqhxsmftvszjwd.exe .
  2⤵
  PID:5244
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\itoaqhxsmftvszjwd.exe*."
    3⤵
    PID:4620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c itoaqhxsmftvszjwd.exe
1⤵
PID:5024
- C:\Windows\itoaqhxsmftvszjwd.exe
  itoaqhxsmftvszjwd.exe
  2⤵
  PID:5844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c blfqfvkexpcdzfoa.exe .
1⤵
PID:3012
- C:\Windows\blfqfvkexpcdzfoa.exe
  blfqfvkexpcdzfoa.exe .
  2⤵
  PID:5444
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\blfqfvkexpcdzfoa.exe*."
    3⤵
    PID:3176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe
1⤵
PID:2804
- C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe
  C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe
  2⤵
  PID:3120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rdzmdvmidxmpnvgucl.exe
1⤵
PID:5044
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2660
- C:\Windows\rdzmdvmidxmpnvgucl.exe
  rdzmdvmidxmpnvgucl.exe
  2⤵
  PID:1376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdbqjdwurnejjtgwgrfd.exe .
1⤵
PID:3400
- C:\Windows\pdbqjdwurnejjtgwgrfd.exe
  pdbqjdwurnejjtgwgrfd.exe .
  2⤵
  PID:5656
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\pdbqjdwurnejjtgwgrfd.exe*."
    3⤵
    PID:5936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe .
1⤵
PID:4304
- C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe
  C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe .
  2⤵
  PID:212
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\cpmasldawrhlktfudna.exe*."
    3⤵
    PID:2972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe
1⤵
PID:4712
- C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe
  C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe
  2⤵
  PID:5772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdbqjdwurnejjtgwgrfd.exe
1⤵
PID:2212
- C:\Windows\pdbqjdwurnejjtgwgrfd.exe
  pdbqjdwurnejjtgwgrfd.exe
  2⤵
  PID:5924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe .
1⤵
PID:2936
- C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe
  C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe .
  2⤵
  PID:4528
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\rdzmdvmidxmpnvgucl.exe*."
    3⤵
    PID:5596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
1⤵
PID:4872
- C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
  2⤵
  PID:2248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdbqjdwurnejjtgwgrfd.exe .
1⤵
PID:2176
- C:\Windows\pdbqjdwurnejjtgwgrfd.exe
  pdbqjdwurnejjtgwgrfd.exe .
  2⤵
  PID:1664
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\pdbqjdwurnejjtgwgrfd.exe*."
    3⤵
    PID:5392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe .
1⤵
PID:5776
- C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe
  C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe .
  2⤵
  PID:3268
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\pdbqjdwurnejjtgwgrfd.exe*."
    3⤵
    PID:2372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
1⤵
PID:636
- C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
  2⤵
  PID:5484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c itoaqhxsmftvszjwd.exe
1⤵
PID:3008
- C:\Windows\itoaqhxsmftvszjwd.exe
  itoaqhxsmftvszjwd.exe
  2⤵
  PID:2552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe .
1⤵
PID:3780
- C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe
  C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe .
  2⤵
  PID:4704
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\etsicxrqoldjkvjalxmlb.exe*."
    3⤵
    PID:1108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rdzmdvmidxmpnvgucl.exe .
1⤵
PID:1564
- C:\Windows\rdzmdvmidxmpnvgucl.exe
  rdzmdvmidxmpnvgucl.exe .
  2⤵
  PID:5604
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\rdzmdvmidxmpnvgucl.exe*."
    3⤵
    PID:2868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itoaqhxsmftvszjwd.exe
1⤵
PID:3680
- C:\Users\Admin\AppData\Local\Temp\itoaqhxsmftvszjwd.exe
  C:\Users\Admin\AppData\Local\Temp\itoaqhxsmftvszjwd.exe
  2⤵
  PID:5416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itoaqhxsmftvszjwd.exe .
1⤵
PID:1800
- C:\Users\Admin\AppData\Local\Temp\itoaqhxsmftvszjwd.exe
  C:\Users\Admin\AppData\Local\Temp\itoaqhxsmftvszjwd.exe .
  2⤵
  PID:5316
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\itoaqhxsmftvszjwd.exe*."
    3⤵
    PID:1848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
1⤵
PID:5976
- C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
  2⤵
  PID:768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe .
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe
  C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe .
  2⤵
  PID:1668
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\pdbqjdwurnejjtgwgrfd.exe*."
    3⤵
    PID:760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c etsicxrqoldjkvjalxmlb.exe
1⤵
PID:1088
- C:\Windows\etsicxrqoldjkvjalxmlb.exe
  etsicxrqoldjkvjalxmlb.exe
  2⤵
  PID:3264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c itoaqhxsmftvszjwd.exe .
1⤵
PID:2084
- C:\Windows\itoaqhxsmftvszjwd.exe
  itoaqhxsmftvszjwd.exe .
  2⤵
  PID:5552
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\itoaqhxsmftvszjwd.exe*."
    3⤵
    PID:4816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c etsicxrqoldjkvjalxmlb.exe
1⤵
PID:2544
- C:\Windows\etsicxrqoldjkvjalxmlb.exe
  etsicxrqoldjkvjalxmlb.exe
  2⤵
  PID:1828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rdzmdvmidxmpnvgucl.exe
1⤵
PID:5936
- C:\Windows\rdzmdvmidxmpnvgucl.exe
  rdzmdvmidxmpnvgucl.exe
  2⤵
  PID:4644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c blfqfvkexpcdzfoa.exe .
1⤵
PID:5988
- C:\Windows\blfqfvkexpcdzfoa.exe
  blfqfvkexpcdzfoa.exe .
  2⤵
  PID:1656
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\blfqfvkexpcdzfoa.exe*."
    3⤵
    PID:3036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c itoaqhxsmftvszjwd.exe .
1⤵
PID:992
- C:\Windows\itoaqhxsmftvszjwd.exe
  itoaqhxsmftvszjwd.exe .
  2⤵
  PID:3048
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\itoaqhxsmftvszjwd.exe*."
    3⤵
    PID:1240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
1⤵
PID:3400
- C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
  2⤵
  PID:4668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rdzmdvmidxmpnvgucl.exe
1⤵
PID:4064
- C:\Windows\rdzmdvmidxmpnvgucl.exe
  rdzmdvmidxmpnvgucl.exe
  2⤵
  PID:5464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe .
1⤵
PID:5768
- C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe .
  2⤵
  PID:2372
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\blfqfvkexpcdzfoa.exe*."
    3⤵
    PID:2868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rdzmdvmidxmpnvgucl.exe .
1⤵
PID:4156
- C:\Windows\rdzmdvmidxmpnvgucl.exe
  rdzmdvmidxmpnvgucl.exe .
  2⤵
  PID:3524
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\rdzmdvmidxmpnvgucl.exe*."
    3⤵
    PID:4100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cpmasldawrhlktfudna.exe
1⤵
PID:1284
- C:\Windows\cpmasldawrhlktfudna.exe
  cpmasldawrhlktfudna.exe
  2⤵
  PID:808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
1⤵
PID:4800
- C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
  2⤵
  PID:4180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe .
1⤵
PID:6116
- C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe
  C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe .
  2⤵
  PID:3440
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\pdbqjdwurnejjtgwgrfd.exe*."
    3⤵
    PID:692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe
1⤵
PID:3544
- C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe
  C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe
  2⤵
  PID:1800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c etsicxrqoldjkvjalxmlb.exe .
1⤵
PID:5228
- C:\Windows\etsicxrqoldjkvjalxmlb.exe
  etsicxrqoldjkvjalxmlb.exe .
  2⤵
  PID:6044
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\etsicxrqoldjkvjalxmlb.exe*."
    3⤵
    PID:3628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe .
1⤵
PID:4032
- C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe
  C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe .
  2⤵
  PID:4632
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\rdzmdvmidxmpnvgucl.exe*."
    3⤵
    PID:2560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c itoaqhxsmftvszjwd.exe
1⤵
PID:5160
- C:\Windows\itoaqhxsmftvszjwd.exe
  itoaqhxsmftvszjwd.exe
  2⤵
  PID:2760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe
1⤵
PID:4772
- C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe
  C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe
  2⤵
  PID:3836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c blfqfvkexpcdzfoa.exe .
1⤵
PID:2376
- C:\Windows\blfqfvkexpcdzfoa.exe
  blfqfvkexpcdzfoa.exe .
  2⤵
  PID:5844
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\blfqfvkexpcdzfoa.exe*."
    3⤵
    PID:4212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe .
1⤵
PID:1508
- C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe
  C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe .
  2⤵
  PID:4136
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\cpmasldawrhlktfudna.exe*."
    3⤵
    PID:2132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itoaqhxsmftvszjwd.exe
1⤵
PID:4084
- C:\Users\Admin\AppData\Local\Temp\itoaqhxsmftvszjwd.exe
  C:\Users\Admin\AppData\Local\Temp\itoaqhxsmftvszjwd.exe
  2⤵
  PID:5996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe .
1⤵
PID:332
- C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe
  C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe .
  2⤵
  PID:2860
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\etsicxrqoldjkvjalxmlb.exe*."
    3⤵
    PID:2252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe
1⤵
PID:4736
- C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe
  C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe
  2⤵
  PID:3120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe .
1⤵
PID:4392
- C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe .
  2⤵
  PID:848
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\blfqfvkexpcdzfoa.exe*."
    3⤵
    PID:5460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rdzmdvmidxmpnvgucl.exe
1⤵
PID:4872
- C:\Windows\rdzmdvmidxmpnvgucl.exe
  rdzmdvmidxmpnvgucl.exe
  2⤵
  PID:1488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c blfqfvkexpcdzfoa.exe .
1⤵
PID:1824
- C:\Windows\blfqfvkexpcdzfoa.exe
  blfqfvkexpcdzfoa.exe .
  2⤵
  PID:2100
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\blfqfvkexpcdzfoa.exe*."
    3⤵
    PID:5344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c etsicxrqoldjkvjalxmlb.exe
1⤵
PID:5988
- C:\Windows\etsicxrqoldjkvjalxmlb.exe
  etsicxrqoldjkvjalxmlb.exe
  2⤵
  PID:3624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c itoaqhxsmftvszjwd.exe
1⤵
PID:3816
- C:\Windows\itoaqhxsmftvszjwd.exe
  itoaqhxsmftvszjwd.exe
  2⤵
  PID:4440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c blfqfvkexpcdzfoa.exe .
1⤵
PID:212
- C:\Windows\blfqfvkexpcdzfoa.exe
  blfqfvkexpcdzfoa.exe .
  2⤵
  PID:1444
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\blfqfvkexpcdzfoa.exe*."
    3⤵
    PID:2736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rdzmdvmidxmpnvgucl.exe .
1⤵
PID:1176
- C:\Windows\rdzmdvmidxmpnvgucl.exe
  rdzmdvmidxmpnvgucl.exe .
  2⤵
  PID:1608
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\rdzmdvmidxmpnvgucl.exe*."
    3⤵
    PID:5088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
1⤵
PID:1564
- C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
  2⤵
  PID:4196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c blfqfvkexpcdzfoa.exe
1⤵
PID:628
- C:\Windows\blfqfvkexpcdzfoa.exe
  blfqfvkexpcdzfoa.exe
  2⤵
  PID:3520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe .
1⤵
PID:3880
- C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe
  C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe .
  2⤵
  PID:5696
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\cpmasldawrhlktfudna.exe*."
    3⤵
    PID:380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c itoaqhxsmftvszjwd.exe .
1⤵
PID:5508
- C:\Windows\itoaqhxsmftvszjwd.exe
  itoaqhxsmftvszjwd.exe .
  2⤵
  PID:5708
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\itoaqhxsmftvszjwd.exe*."
    3⤵
    PID:1392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c blfqfvkexpcdzfoa.exe
1⤵
PID:5720
- C:\Windows\blfqfvkexpcdzfoa.exe
  blfqfvkexpcdzfoa.exe
  2⤵
  PID:5816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itoaqhxsmftvszjwd.exe
1⤵
PID:5236
- C:\Users\Admin\AppData\Local\Temp\itoaqhxsmftvszjwd.exe
  C:\Users\Admin\AppData\Local\Temp\itoaqhxsmftvszjwd.exe
  2⤵
  PID:2272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cpmasldawrhlktfudna.exe .
1⤵
PID:1844
- C:\Windows\cpmasldawrhlktfudna.exe
  cpmasldawrhlktfudna.exe .
  2⤵
  PID:5972
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\cpmasldawrhlktfudna.exe*."
    3⤵
    PID:6028
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:2940
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:2904
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:3820
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:1284
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:5976
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:3064
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:4784
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:316
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:1692
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:4548
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:208
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:4800
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:5520
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:5468
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:5856
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:4268
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:1096
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:3876
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:5244
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:2352
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:2444
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:364
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:2692
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:6064
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:5772
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:228
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:3508
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:5244
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:692
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:2012
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:2448
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:2468
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:1444
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:2984
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:860
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:3836
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:5024
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:5972
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:4252
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:1776
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:376
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:2272
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:3396
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:4472
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:4404
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:2204
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:2748
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:3544
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:3048
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:2984
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:3456
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:3000
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:2844
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:3992
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:3616
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:5904
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:1708
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:528
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:5848
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:1144
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:4676
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:4896
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:5224
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:3032
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:1852
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:5620
  - - C:\Users\Admin\AppData\Local\Temp\tahrygq.exe
      "C:\Users\Admin\AppData\Local\Temp\tahrygq.exe" "-c:\windows\cpmasldawrhlktfudna.exe"
      4⤵
      PID:768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe .
1⤵
PID:3844
- C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe
  C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe .
  2⤵
  PID:5640
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\rdzmdvmidxmpnvgucl.exe*."
    3⤵
    PID:4240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe
1⤵
PID:5800
- C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe
  C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe
  2⤵
  PID:1336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe .
1⤵
PID:2620
- C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe
  C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe .
  2⤵
  PID:5900
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\cpmasldawrhlktfudna.exe*."
    3⤵
    PID:4036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdbqjdwurnejjtgwgrfd.exe
1⤵
PID:2352
- C:\Windows\pdbqjdwurnejjtgwgrfd.exe
  pdbqjdwurnejjtgwgrfd.exe
  2⤵
  PID:2692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe
1⤵
PID:2260
- C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe
  C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe
  2⤵
  PID:1364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c etsicxrqoldjkvjalxmlb.exe .
1⤵
PID:2328
- C:\Windows\etsicxrqoldjkvjalxmlb.exe
  etsicxrqoldjkvjalxmlb.exe .
  2⤵
  PID:6056
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\etsicxrqoldjkvjalxmlb.exe*."
    3⤵
    PID:5648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe .
1⤵
PID:5056
- C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe
  C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe .
  2⤵
  PID:5684
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\pdbqjdwurnejjtgwgrfd.exe*."
    3⤵
    PID:1092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe
1⤵
PID:5148
- C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe
  C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe
  2⤵
  PID:6100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe .
1⤵
PID:3688
- C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe
  C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe .
  2⤵
  PID:5500
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\rdzmdvmidxmpnvgucl.exe*."
    3⤵
    PID:3360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe
1⤵
PID:5964
- C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe
  C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe
  2⤵
  PID:5052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe .
1⤵
PID:5368
- C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe
  C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe .
  2⤵
  PID:5256
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\rdzmdvmidxmpnvgucl.exe*."
    3⤵
    PID:5156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c siyrhyrexpcdzfoa.exe
1⤵
PID:5104
- C:\Windows\siyrhyrexpcdzfoa.exe
  siyrhyrexpcdzfoa.exe
  2⤵
  PID:4612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqhbskesmftvszjwd.exe .
1⤵
PID:3164
- C:\Windows\zqhbskesmftvszjwd.exe
  zqhbskesmftvszjwd.exe .
  2⤵
  PID:1100
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\zqhbskesmftvszjwd.exe*."
    3⤵
    PID:1492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqhbskesmftvszjwd.exe
1⤵
PID:4272
- C:\Windows\zqhbskesmftvszjwd.exe
  zqhbskesmftvszjwd.exe
  2⤵
  PID:4176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cpmasldawrhlktfudna.exe
1⤵
PID:4940
- C:\Windows\cpmasldawrhlktfudna.exe
  cpmasldawrhlktfudna.exe
  2⤵
  PID:5484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqhbskesmftvszjwd.exe .
1⤵
PID:4524
- C:\Windows\zqhbskesmftvszjwd.exe
  zqhbskesmftvszjwd.exe .
  2⤵
  PID:224
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\zqhbskesmftvszjwd.exe*."
    3⤵
    PID:2856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iasnfytidxmpnvgucc.exe
1⤵
PID:5200
- C:\Users\Admin\AppData\Local\Temp\iasnfytidxmpnvgucc.exe
  C:\Users\Admin\AppData\Local\Temp\iasnfytidxmpnvgucc.exe
  2⤵
  PID:5668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdbqjdwurnejjtgwgrfd.exe .
1⤵
PID:1784
- C:\Windows\pdbqjdwurnejjtgwgrfd.exe
  pdbqjdwurnejjtgwgrfd.exe .
  2⤵
  PID:5336
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\pdbqjdwurnejjtgwgrfd.exe*."
    3⤵
    PID:628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gaurlgdurnejjtgwgicw.exe .
1⤵
PID:2264
- C:\Users\Admin\AppData\Local\Temp\gaurlgdurnejjtgwgicw.exe
  C:\Users\Admin\AppData\Local\Temp\gaurlgdurnejjtgwgicw.exe .
  2⤵
  PID:1176
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\gaurlgdurnejjtgwgicw.exe*."
    3⤵
    PID:5604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c itoaqhxsmftvszjwd.exe
1⤵
PID:1324
- C:\Windows\itoaqhxsmftvszjwd.exe
  itoaqhxsmftvszjwd.exe
  2⤵
  PID:6108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siyrhyrexpcdzfoa.exe
1⤵
PID:1860
- C:\Users\Admin\AppData\Local\Temp\siyrhyrexpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\siyrhyrexpcdzfoa.exe
  2⤵
  PID:5160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c etsicxrqoldjkvjalxmlb.exe .
1⤵
PID:5932
- C:\Windows\etsicxrqoldjkvjalxmlb.exe
  etsicxrqoldjkvjalxmlb.exe .
  2⤵
  PID:5316
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\etsicxrqoldjkvjalxmlb.exe*."
    3⤵
    PID:2144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe
1⤵
PID:2996
- C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe
  C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe
  2⤵
  PID:364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siyrhyrexpcdzfoa.exe .
1⤵
PID:3860
- C:\Users\Admin\AppData\Local\Temp\siyrhyrexpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\siyrhyrexpcdzfoa.exe .
  2⤵
  PID:3024
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\siyrhyrexpcdzfoa.exe*."
    3⤵
    PID:1428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itoaqhxsmftvszjwd.exe .
1⤵
PID:1120
- C:\Users\Admin\AppData\Local\Temp\itoaqhxsmftvszjwd.exe
  C:\Users\Admin\AppData\Local\Temp\itoaqhxsmftvszjwd.exe .
  2⤵
  PID:2196
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\itoaqhxsmftvszjwd.exe*."
    3⤵
    PID:5372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe
1⤵
PID:1944
- C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe
  C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe
  2⤵
  PID:3872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itoaqhxsmftvszjwd.exe .
1⤵
PID:1952
- C:\Users\Admin\AppData\Local\Temp\itoaqhxsmftvszjwd.exe
  C:\Users\Admin\AppData\Local\Temp\itoaqhxsmftvszjwd.exe .
  2⤵
  PID:1320
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\itoaqhxsmftvszjwd.exe*."
    3⤵
    PID:4136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rdzmdvmidxmpnvgucl.exe
1⤵
PID:4120
- C:\Windows\rdzmdvmidxmpnvgucl.exe
  rdzmdvmidxmpnvgucl.exe
  2⤵
  PID:5080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdbqjdwurnejjtgwgrfd.exe .
1⤵
PID:2468
- C:\Windows\pdbqjdwurnejjtgwgrfd.exe
  pdbqjdwurnejjtgwgrfd.exe .
  2⤵
  PID:3916
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\pdbqjdwurnejjtgwgrfd.exe*."
    3⤵
    PID:4644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c itoaqhxsmftvszjwd.exe
1⤵
PID:4268
- C:\Windows\itoaqhxsmftvszjwd.exe
  itoaqhxsmftvszjwd.exe
  2⤵
  PID:2328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cpmasldawrhlktfudna.exe .
1⤵
PID:3292
- C:\Windows\cpmasldawrhlktfudna.exe
  cpmasldawrhlktfudna.exe .
  2⤵
  PID:4584
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\cpmasldawrhlktfudna.exe*."
    3⤵
    PID:6128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe
  C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe
  2⤵
  PID:1500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe .
1⤵
PID:940
- C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe
  C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe .
  2⤵
  PID:3216
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\rdzmdvmidxmpnvgucl.exe*."
    3⤵
    PID:1916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe
1⤵
PID:1712
- C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe
  C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe
  2⤵
  PID:3204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe .
1⤵
PID:1624
- C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe
  C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe .
  2⤵
  PID:3856
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\cpmasldawrhlktfudna.exe*."
    3⤵
    PID:3964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gaurlgdurnejjtgwgicw.exe
1⤵
PID:2748
- C:\Windows\gaurlgdurnejjtgwgicw.exe
  gaurlgdurnejjtgwgicw.exe
  2⤵
  PID:5380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vqljeayqoldjkvjalojec.exe .
1⤵
PID:5860
- C:\Windows\vqljeayqoldjkvjalojec.exe
  vqljeayqoldjkvjalojec.exe .
  2⤵
  PID:4100
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\vqljeayqoldjkvjalojec.exe*."
    3⤵
    PID:1872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iasnfytidxmpnvgucc.exe
1⤵
PID:2368
- C:\Windows\iasnfytidxmpnvgucc.exe
  iasnfytidxmpnvgucc.exe
  2⤵
  PID:528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tmfbuokawrhlktfudex.exe .
1⤵
PID:5392
- C:\Windows\tmfbuokawrhlktfudex.exe
  tmfbuokawrhlktfudex.exe .
  2⤵
  PID:3680
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\tmfbuokawrhlktfudex.exe*."
    3⤵
    PID:3440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gaurlgdurnejjtgwgicw.exe
1⤵
PID:428
- C:\Users\Admin\AppData\Local\Temp\gaurlgdurnejjtgwgicw.exe
  C:\Users\Admin\AppData\Local\Temp\gaurlgdurnejjtgwgicw.exe
  2⤵
  PID:1784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iasnfytidxmpnvgucc.exe .
1⤵
PID:5888
- C:\Users\Admin\AppData\Local\Temp\iasnfytidxmpnvgucc.exe
  C:\Users\Admin\AppData\Local\Temp\iasnfytidxmpnvgucc.exe .
  2⤵
  PID:3380
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\iasnfytidxmpnvgucc.exe*."
    3⤵
    PID:2020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c etsicxrqoldjkvjalxmlb.exe
1⤵
PID:4632
- C:\Windows\etsicxrqoldjkvjalxmlb.exe
  etsicxrqoldjkvjalxmlb.exe
  2⤵
  PID:5700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gaurlgdurnejjtgwgicw.exe
1⤵
PID:2984
- C:\Users\Admin\AppData\Local\Temp\gaurlgdurnejjtgwgicw.exe
  C:\Users\Admin\AppData\Local\Temp\gaurlgdurnejjtgwgicw.exe
  2⤵
  PID:1312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cpmasldawrhlktfudna.exe .
1⤵
PID:5316
- C:\Windows\cpmasldawrhlktfudna.exe
  cpmasldawrhlktfudna.exe .
  2⤵
  PID:3040
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\cpmasldawrhlktfudna.exe*."
    3⤵
    PID:3908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfbuokawrhlktfudex.exe .
1⤵
PID:5236
- C:\Users\Admin\AppData\Local\Temp\tmfbuokawrhlktfudex.exe
  C:\Users\Admin\AppData\Local\Temp\tmfbuokawrhlktfudex.exe .
  2⤵
  PID:6000
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\tmfbuokawrhlktfudex.exe*."
    3⤵
    PID:5704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c etsicxrqoldjkvjalxmlb.exe
1⤵
PID:5416
- C:\Windows\etsicxrqoldjkvjalxmlb.exe
  etsicxrqoldjkvjalxmlb.exe
  2⤵
  PID:1592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c etsicxrqoldjkvjalxmlb.exe .
1⤵
PID:1152
- C:\Windows\etsicxrqoldjkvjalxmlb.exe
  etsicxrqoldjkvjalxmlb.exe .
  2⤵
  PID:3176
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\etsicxrqoldjkvjalxmlb.exe*."
    3⤵
    PID:4824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe
1⤵
PID:5260
- C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe
  C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe
  2⤵
  PID:2412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe .
1⤵
PID:4036
- C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe
  C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe .
  2⤵
  PID:2620
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\rdzmdvmidxmpnvgucl.exe*."
    3⤵
    PID:856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe
1⤵
PID:1508
- C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe
  C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe
  2⤵
  PID:5868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe .
1⤵
PID:4256
- C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe
  C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe .
  2⤵
  PID:2800
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\etsicxrqoldjkvjalxmlb.exe*."
    3⤵
    PID:5684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c itoaqhxsmftvszjwd.exe
1⤵
PID:4584
- C:\Windows\itoaqhxsmftvszjwd.exe
  itoaqhxsmftvszjwd.exe
  2⤵
  PID:1200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdbqjdwurnejjtgwgrfd.exe .
1⤵
PID:2892
- C:\Windows\pdbqjdwurnejjtgwgrfd.exe
  pdbqjdwurnejjtgwgrfd.exe .
  2⤵
  PID:3304
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\pdbqjdwurnejjtgwgrfd.exe*."
    3⤵
    PID:4744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c etsicxrqoldjkvjalxmlb.exe
1⤵
PID:3768
- C:\Windows\etsicxrqoldjkvjalxmlb.exe
  etsicxrqoldjkvjalxmlb.exe
  2⤵
  PID:4872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdbqjdwurnejjtgwgrfd.exe
1⤵
PID:1140
- C:\Windows\pdbqjdwurnejjtgwgrfd.exe
  pdbqjdwurnejjtgwgrfd.exe
  2⤵
  PID:5384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cpmasldawrhlktfudna.exe .
1⤵
PID:4204
- C:\Windows\cpmasldawrhlktfudna.exe
  cpmasldawrhlktfudna.exe .
  2⤵
  PID:2260
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\cpmasldawrhlktfudna.exe*."
    3⤵
    PID:3524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c etsicxrqoldjkvjalxmlb.exe .
1⤵
PID:4712
- C:\Windows\etsicxrqoldjkvjalxmlb.exe
  etsicxrqoldjkvjalxmlb.exe .
  2⤵
  PID:636
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\etsicxrqoldjkvjalxmlb.exe*."
    3⤵
    PID:5604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe
1⤵
PID:1124
- C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe
  C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe
  2⤵
  PID:1732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe .
1⤵
PID:1444
- C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe .
  2⤵
  PID:5600
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\blfqfvkexpcdzfoa.exe*."
    3⤵
    PID:2116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c etsicxrqoldjkvjalxmlb.exe
1⤵
PID:5744
- C:\Windows\etsicxrqoldjkvjalxmlb.exe
  etsicxrqoldjkvjalxmlb.exe
  2⤵
  PID:5524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rdzmdvmidxmpnvgucl.exe
1⤵
PID:1708
- C:\Windows\rdzmdvmidxmpnvgucl.exe
  rdzmdvmidxmpnvgucl.exe
  2⤵
  PID:1768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c blfqfvkexpcdzfoa.exe .
1⤵
PID:3132
- C:\Windows\blfqfvkexpcdzfoa.exe
  blfqfvkexpcdzfoa.exe .
  2⤵
  PID:6108
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\blfqfvkexpcdzfoa.exe*."
    3⤵
    PID:848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
1⤵
PID:4704
- C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
  2⤵
  PID:6000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c blfqfvkexpcdzfoa.exe .
1⤵
PID:3236
- C:\Windows\blfqfvkexpcdzfoa.exe
  blfqfvkexpcdzfoa.exe .
  2⤵
  PID:5236
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\blfqfvkexpcdzfoa.exe*."
    3⤵
    PID:1912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe
1⤵
PID:2768
- C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe
  C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe
  2⤵
  PID:5704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe .
1⤵
PID:5720
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2376
- C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe
  C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe .
  2⤵
  PID:5972
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\pdbqjdwurnejjtgwgrfd.exe*."
    3⤵
    PID:5024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe .
1⤵
PID:2996
- C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe
  C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe .
  2⤵
  PID:5820
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\etsicxrqoldjkvjalxmlb.exe*."
    3⤵
    PID:3628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cpmasldawrhlktfudna.exe
1⤵
PID:3808
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3652
- C:\Windows\cpmasldawrhlktfudna.exe
  cpmasldawrhlktfudna.exe
  2⤵
  PID:5848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdbqjdwurnejjtgwgrfd.exe .
1⤵
PID:1080
- C:\Windows\pdbqjdwurnejjtgwgrfd.exe
  pdbqjdwurnejjtgwgrfd.exe .
  2⤵
  PID:1956
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\pdbqjdwurnejjtgwgrfd.exe*."
    3⤵
    PID:3972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe
1⤵
PID:1336
- C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe
  C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe
  2⤵
  PID:2904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itoaqhxsmftvszjwd.exe
1⤵
PID:2004
- C:\Users\Admin\AppData\Local\Temp\itoaqhxsmftvszjwd.exe
  C:\Users\Admin\AppData\Local\Temp\itoaqhxsmftvszjwd.exe
  2⤵
  PID:1672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe .
1⤵
PID:1988
- C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe
  C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe .
  2⤵
  PID:6096
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\cpmasldawrhlktfudna.exe*."
    3⤵
    PID:2124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe .
1⤵
PID:4160
- C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe
  C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe .
  2⤵
  PID:3884
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\rdzmdvmidxmpnvgucl.exe*."
    3⤵
    PID:6016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
1⤵
PID:1072
- C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
  2⤵
  PID:2548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe .
1⤵
PID:2468
- C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe
  C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe .
  2⤵
  PID:5200
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\cpmasldawrhlktfudna.exe*."
    3⤵
    PID:4784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iasnfytidxmpnvgucc.exe
1⤵
PID:3320
- C:\Windows\iasnfytidxmpnvgucc.exe
  iasnfytidxmpnvgucc.exe
  2⤵
  PID:6128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c siyrhyrexpcdzfoa.exe .
1⤵
PID:2476
- C:\Windows\siyrhyrexpcdzfoa.exe
  siyrhyrexpcdzfoa.exe .
  2⤵
  PID:5680
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\siyrhyrexpcdzfoa.exe*."
    3⤵
    PID:3508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gaurlgdurnejjtgwgicw.exe
1⤵
PID:3824
- C:\Windows\gaurlgdurnejjtgwgicw.exe
  gaurlgdurnejjtgwgicw.exe
  2⤵
  PID:3216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tmfbuokawrhlktfudex.exe .
1⤵
PID:3768
- C:\Windows\tmfbuokawrhlktfudex.exe
  tmfbuokawrhlktfudex.exe .
  2⤵
  PID:1712
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\tmfbuokawrhlktfudex.exe*."
    3⤵
    PID:5772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siyrhyrexpcdzfoa.exe
1⤵
PID:1512
- C:\Users\Admin\AppData\Local\Temp\siyrhyrexpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\siyrhyrexpcdzfoa.exe
  2⤵
  PID:4780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gaurlgdurnejjtgwgicw.exe .
1⤵
PID:3656
- C:\Users\Admin\AppData\Local\Temp\gaurlgdurnejjtgwgicw.exe
  C:\Users\Admin\AppData\Local\Temp\gaurlgdurnejjtgwgicw.exe .
  2⤵
  PID:4204
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\gaurlgdurnejjtgwgicw.exe*."
    3⤵
    PID:2884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c etsicxrqoldjkvjalxmlb.exe
1⤵
PID:768
- C:\Windows\etsicxrqoldjkvjalxmlb.exe
  etsicxrqoldjkvjalxmlb.exe
  2⤵
  PID:3856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c blfqfvkexpcdzfoa.exe .
1⤵
PID:5352
- C:\Windows\blfqfvkexpcdzfoa.exe
  blfqfvkexpcdzfoa.exe .
  2⤵
  PID:4712
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\blfqfvkexpcdzfoa.exe*."
    3⤵
    PID:5600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gaurlgdurnejjtgwgicw.exe
1⤵
PID:2760
- C:\Users\Admin\AppData\Local\Temp\gaurlgdurnejjtgwgicw.exe
  C:\Users\Admin\AppData\Local\Temp\gaurlgdurnejjtgwgicw.exe
  2⤵
  PID:4492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqljeayqoldjkvjalojec.exe .
1⤵
PID:5160
- C:\Users\Admin\AppData\Local\Temp\vqljeayqoldjkvjalojec.exe
  C:\Users\Admin\AppData\Local\Temp\vqljeayqoldjkvjalojec.exe .
  2⤵
  PID:3528
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\vqljeayqoldjkvjalojec.exe*."
    3⤵
    PID:5704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdbqjdwurnejjtgwgrfd.exe
1⤵
PID:5452
- C:\Windows\pdbqjdwurnejjtgwgrfd.exe
  pdbqjdwurnejjtgwgrfd.exe
  2⤵
  PID:5484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c blfqfvkexpcdzfoa.exe .
1⤵
PID:5240
- C:\Windows\blfqfvkexpcdzfoa.exe
  blfqfvkexpcdzfoa.exe .
  2⤵
  PID:4908
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\blfqfvkexpcdzfoa.exe*."
    3⤵
    PID:8

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe
1⤵
PID:428
- C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe
  C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe
  2⤵
  PID:2252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itoaqhxsmftvszjwd.exe .
1⤵
PID:4156
- C:\Users\Admin\AppData\Local\Temp\itoaqhxsmftvszjwd.exe
  C:\Users\Admin\AppData\Local\Temp\itoaqhxsmftvszjwd.exe .
  2⤵
  PID:5876
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\itoaqhxsmftvszjwd.exe*."
    3⤵
    PID:1604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe
1⤵
PID:1664
- C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe
  C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe
  2⤵
  PID:3672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe .
1⤵
PID:5616
- C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe
  C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe .
  2⤵
  PID:5720
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\rdzmdvmidxmpnvgucl.exe*."
    3⤵
    PID:2412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdbqjdwurnejjtgwgrfd.exe
1⤵
PID:1336
- C:\Windows\pdbqjdwurnejjtgwgrfd.exe
  pdbqjdwurnejjtgwgrfd.exe
  2⤵
  PID:1544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c blfqfvkexpcdzfoa.exe .
1⤵
PID:5548
- C:\Windows\blfqfvkexpcdzfoa.exe
  blfqfvkexpcdzfoa.exe .
  2⤵
  PID:4644
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\blfqfvkexpcdzfoa.exe*."
    3⤵
    PID:1152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rdzmdvmidxmpnvgucl.exe
1⤵
PID:5536
- C:\Windows\rdzmdvmidxmpnvgucl.exe
  rdzmdvmidxmpnvgucl.exe
  2⤵
  PID:1948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c etsicxrqoldjkvjalxmlb.exe
1⤵
PID:908
- C:\Windows\etsicxrqoldjkvjalxmlb.exe
  etsicxrqoldjkvjalxmlb.exe
  2⤵
  PID:3972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdbqjdwurnejjtgwgrfd.exe .
1⤵
PID:5500
- C:\Windows\pdbqjdwurnejjtgwgrfd.exe
  pdbqjdwurnejjtgwgrfd.exe .
  2⤵
  PID:4452
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\pdbqjdwurnejjtgwgrfd.exe*."
    3⤵
    PID:3124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rdzmdvmidxmpnvgucl.exe .
1⤵
PID:1080
- C:\Windows\rdzmdvmidxmpnvgucl.exe
  rdzmdvmidxmpnvgucl.exe .
  2⤵
  PID:4392
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\rdzmdvmidxmpnvgucl.exe*."
    3⤵
    PID:3008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe
1⤵
PID:5976
- C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe
  C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe
  2⤵
  PID:1520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe .
1⤵
PID:4484
- C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe
  C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe .
  2⤵
  PID:5052
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\etsicxrqoldjkvjalxmlb.exe*."
    3⤵
    PID:4720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c etsicxrqoldjkvjalxmlb.exe
1⤵
PID:3588
- C:\Windows\etsicxrqoldjkvjalxmlb.exe
  etsicxrqoldjkvjalxmlb.exe
  2⤵
  PID:2248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c itoaqhxsmftvszjwd.exe
1⤵
PID:6128
- C:\Windows\itoaqhxsmftvszjwd.exe
  itoaqhxsmftvszjwd.exe
  2⤵
  PID:5096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rdzmdvmidxmpnvgucl.exe .
1⤵
PID:4872
- C:\Windows\rdzmdvmidxmpnvgucl.exe
  rdzmdvmidxmpnvgucl.exe .
  2⤵
  PID:3820
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\rdzmdvmidxmpnvgucl.exe*."
    3⤵
    PID:5600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe
1⤵
PID:992
- C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe
  C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe
  2⤵
  PID:3844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe
1⤵
PID:2564
- C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe
  C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe
  2⤵
  PID:3412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c etsicxrqoldjkvjalxmlb.exe .
1⤵
PID:5776
- C:\Windows\etsicxrqoldjkvjalxmlb.exe
  etsicxrqoldjkvjalxmlb.exe .
  2⤵
  PID:4384
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\etsicxrqoldjkvjalxmlb.exe*."
    3⤵
    PID:5416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe .
1⤵
PID:1732
- C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe .
  2⤵
  PID:4972
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\blfqfvkexpcdzfoa.exe*."
    3⤵
    PID:5912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe .
1⤵
PID:1512
- C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe
  C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe .
  2⤵
  PID:5692
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\rdzmdvmidxmpnvgucl.exe*."
    3⤵
    PID:5900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cpmasldawrhlktfudna.exe
1⤵
PID:808
- C:\Windows\cpmasldawrhlktfudna.exe
  cpmasldawrhlktfudna.exe
  2⤵
  PID:2760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cpmasldawrhlktfudna.exe .
1⤵
PID:4340
- C:\Windows\cpmasldawrhlktfudna.exe
  cpmasldawrhlktfudna.exe .
  2⤵
  PID:3024
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\cpmasldawrhlktfudna.exe*."
    3⤵
    PID:2372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe
1⤵
PID:4616
- C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe
  C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe
  2⤵
  PID:5940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe
1⤵
PID:1444
- C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe
  C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe
  2⤵
  PID:4216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itoaqhxsmftvszjwd.exe .
1⤵
PID:4860
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2300
- C:\Users\Admin\AppData\Local\Temp\itoaqhxsmftvszjwd.exe
  C:\Users\Admin\AppData\Local\Temp\itoaqhxsmftvszjwd.exe .
  2⤵
  PID:2768
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\itoaqhxsmftvszjwd.exe*."
    3⤵
    PID:3040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe .
1⤵
PID:3680
- C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe
  C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe .
  2⤵
  PID:6108
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\etsicxrqoldjkvjalxmlb.exe*."
    3⤵
    PID:4524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe
1⤵
PID:1664
- C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe
  C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe
  2⤵
  PID:3480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe .
1⤵
PID:3140
- C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe
  C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe .
  2⤵
  PID:2412
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\pdbqjdwurnejjtgwgrfd.exe*."
    3⤵
    PID:3460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gaurlgdurnejjtgwgicw.exe
1⤵
PID:4724
- C:\Windows\gaurlgdurnejjtgwgicw.exe
  gaurlgdurnejjtgwgicw.exe
  2⤵
  PID:408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iasnfytidxmpnvgucc.exe .
1⤵
PID:3296
- C:\Windows\iasnfytidxmpnvgucc.exe
  iasnfytidxmpnvgucc.exe .
  2⤵
  PID:1388
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\iasnfytidxmpnvgucc.exe*."
    3⤵
    PID:4968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tmfbuokawrhlktfudex.exe
1⤵
PID:6056
- C:\Windows\tmfbuokawrhlktfudex.exe
  tmfbuokawrhlktfudex.exe
  2⤵
  PID:5552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gaurlgdurnejjtgwgicw.exe .
1⤵
PID:6096
- C:\Windows\gaurlgdurnejjtgwgicw.exe
  gaurlgdurnejjtgwgicw.exe .
  2⤵
  PID:3064
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\gaurlgdurnejjtgwgicw.exe*."
    3⤵
    PID:4548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iasnfytidxmpnvgucc.exe
1⤵
PID:1988
- C:\Users\Admin\AppData\Local\Temp\iasnfytidxmpnvgucc.exe
  C:\Users\Admin\AppData\Local\Temp\iasnfytidxmpnvgucc.exe
  2⤵
  PID:5468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iasnfytidxmpnvgucc.exe .
1⤵
PID:5092
- C:\Users\Admin\AppData\Local\Temp\iasnfytidxmpnvgucc.exe
  C:\Users\Admin\AppData\Local\Temp\iasnfytidxmpnvgucc.exe .
  2⤵
  PID:4676
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\iasnfytidxmpnvgucc.exe*."
    3⤵
    PID:4392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cpmasldawrhlktfudna.exe
1⤵
PID:5540
- C:\Windows\cpmasldawrhlktfudna.exe
  cpmasldawrhlktfudna.exe
  2⤵
  PID:5420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c blfqfvkexpcdzfoa.exe .
1⤵
PID:4940
- C:\Windows\blfqfvkexpcdzfoa.exe
  blfqfvkexpcdzfoa.exe .
  2⤵
  PID:852
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\blfqfvkexpcdzfoa.exe*."
    3⤵
    PID:4780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhbskesmftvszjwd.exe
1⤵
PID:4944
- C:\Users\Admin\AppData\Local\Temp\zqhbskesmftvszjwd.exe
  C:\Users\Admin\AppData\Local\Temp\zqhbskesmftvszjwd.exe
  2⤵
  PID:6044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhbskesmftvszjwd.exe .
1⤵
PID:3860
- C:\Users\Admin\AppData\Local\Temp\zqhbskesmftvszjwd.exe
  C:\Users\Admin\AppData\Local\Temp\zqhbskesmftvszjwd.exe .
  2⤵
  PID:5964
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\zqhbskesmftvszjwd.exe*."
    3⤵
    PID:3756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rdzmdvmidxmpnvgucl.exe
1⤵
PID:2552
- C:\Windows\rdzmdvmidxmpnvgucl.exe
  rdzmdvmidxmpnvgucl.exe
  2⤵
  PID:4484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rdzmdvmidxmpnvgucl.exe .
1⤵
PID:3412
- C:\Windows\rdzmdvmidxmpnvgucl.exe
  rdzmdvmidxmpnvgucl.exe .
  2⤵
  PID:2264
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\rdzmdvmidxmpnvgucl.exe*."
    3⤵
    PID:3048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itoaqhxsmftvszjwd.exe
1⤵
PID:5228
- C:\Users\Admin\AppData\Local\Temp\itoaqhxsmftvszjwd.exe
  C:\Users\Admin\AppData\Local\Temp\itoaqhxsmftvszjwd.exe
  2⤵
  PID:2756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe .
1⤵
PID:3408
- C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe .
  2⤵
  PID:3436
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\blfqfvkexpcdzfoa.exe*."
    3⤵
    PID:4032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itoaqhxsmftvszjwd.exe
1⤵
PID:4712
- C:\Users\Admin\AppData\Local\Temp\itoaqhxsmftvszjwd.exe
  C:\Users\Admin\AppData\Local\Temp\itoaqhxsmftvszjwd.exe
  2⤵
  PID:3664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe .
1⤵
PID:5860
- C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe
  C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe .
  2⤵
  PID:1512
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\rdzmdvmidxmpnvgucl.exe*."
    3⤵
    PID:3440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cpmasldawrhlktfudna.exe
1⤵
PID:5392
- C:\Windows\cpmasldawrhlktfudna.exe
  cpmasldawrhlktfudna.exe
  2⤵
  PID:1804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdbqjdwurnejjtgwgrfd.exe .
1⤵
PID:4460
- C:\Windows\pdbqjdwurnejjtgwgrfd.exe
  pdbqjdwurnejjtgwgrfd.exe .
  2⤵
  PID:5348
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\pdbqjdwurnejjtgwgrfd.exe*."
    3⤵
    PID:6040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdbqjdwurnejjtgwgrfd.exe
1⤵
PID:5876
- C:\Windows\pdbqjdwurnejjtgwgrfd.exe
  pdbqjdwurnejjtgwgrfd.exe
  2⤵
  PID:2452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rdzmdvmidxmpnvgucl.exe
1⤵
PID:4860
- C:\Windows\rdzmdvmidxmpnvgucl.exe
  rdzmdvmidxmpnvgucl.exe
  2⤵
  PID:3292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rdzmdvmidxmpnvgucl.exe .
1⤵
PID:5980
- C:\Windows\rdzmdvmidxmpnvgucl.exe
  rdzmdvmidxmpnvgucl.exe .
  2⤵
  PID:4272
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\rdzmdvmidxmpnvgucl.exe*."
    3⤵
    PID:5112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe
1⤵
PID:1952
- C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe
  C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe
  2⤵
  PID:5244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c blfqfvkexpcdzfoa.exe .
1⤵
PID:4100
- C:\Windows\blfqfvkexpcdzfoa.exe
  blfqfvkexpcdzfoa.exe .
  2⤵
  PID:2784
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\blfqfvkexpcdzfoa.exe*."
    3⤵
    PID:4900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe .
1⤵
PID:2904
- C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe .
  2⤵
  PID:5280
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\blfqfvkexpcdzfoa.exe*."
    3⤵
    PID:2672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rdzmdvmidxmpnvgucl.exe
1⤵
PID:2996
- C:\Windows\rdzmdvmidxmpnvgucl.exe
  rdzmdvmidxmpnvgucl.exe
  2⤵
  PID:5104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cpmasldawrhlktfudna.exe
1⤵
PID:692
- C:\Windows\cpmasldawrhlktfudna.exe
  cpmasldawrhlktfudna.exe
  2⤵
  PID:3988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c etsicxrqoldjkvjalxmlb.exe .
1⤵
PID:4336
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1544
- C:\Windows\etsicxrqoldjkvjalxmlb.exe
  etsicxrqoldjkvjalxmlb.exe .
  2⤵
  PID:1340
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\etsicxrqoldjkvjalxmlb.exe*."
    3⤵
    PID:4112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
1⤵
PID:5356
- C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
  2⤵
  PID:5772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe
1⤵
PID:3296
- C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe
  C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe
  2⤵
  PID:1088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cpmasldawrhlktfudna.exe .
1⤵
PID:6056
- C:\Windows\cpmasldawrhlktfudna.exe
  cpmasldawrhlktfudna.exe .
  2⤵
  PID:4788
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\cpmasldawrhlktfudna.exe*."
    3⤵
    PID:5696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe .
1⤵
PID:2864
- C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe
  C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe .
  2⤵
  PID:5256
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\pdbqjdwurnejjtgwgrfd.exe*."
    3⤵
    PID:4872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe .
1⤵
PID:5508
- C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe
  C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe .
  2⤵
  PID:4780
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\pdbqjdwurnejjtgwgrfd.exe*."
    3⤵
    PID:5208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rdzmdvmidxmpnvgucl.exe
1⤵
PID:2196
- C:\Windows\rdzmdvmidxmpnvgucl.exe
  rdzmdvmidxmpnvgucl.exe
  2⤵
  PID:756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c itoaqhxsmftvszjwd.exe .
1⤵
PID:1404
- C:\Windows\itoaqhxsmftvszjwd.exe
  itoaqhxsmftvszjwd.exe .
  2⤵
  PID:2260
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\itoaqhxsmftvszjwd.exe*."
    3⤵
    PID:1124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe
1⤵
PID:1500
- C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe
  C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe
  2⤵
  PID:4488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
1⤵
PID:5092
- C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
  2⤵
  PID:760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe .
1⤵
PID:2892
- C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe
  C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe .
  2⤵
  PID:4032
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\etsicxrqoldjkvjalxmlb.exe*."
    3⤵
    PID:4176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe .
1⤵
PID:2328
- C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe
  C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe .
  2⤵
  PID:3380
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\rdzmdvmidxmpnvgucl.exe*."
    3⤵
    PID:808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
1⤵
PID:5136
- C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
  2⤵
  PID:4764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe .
1⤵
PID:5384
- C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe
  C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe .
  2⤵
  PID:5456
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\pdbqjdwurnejjtgwgrfd.exe*."
    3⤵
    PID:2856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c itoaqhxsmftvszjwd.exe
1⤵
PID:4540
- C:\Windows\itoaqhxsmftvszjwd.exe
  itoaqhxsmftvszjwd.exe
  2⤵
  PID:3836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdbqjdwurnejjtgwgrfd.exe .
1⤵
PID:1768
- C:\Windows\pdbqjdwurnejjtgwgrfd.exe
  pdbqjdwurnejjtgwgrfd.exe .
  2⤵
  PID:4964
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\pdbqjdwurnejjtgwgrfd.exe*."
    3⤵
    PID:5972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c itoaqhxsmftvszjwd.exe
1⤵
PID:4196
- C:\Windows\itoaqhxsmftvszjwd.exe
  itoaqhxsmftvszjwd.exe
  2⤵
  PID:4572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rdzmdvmidxmpnvgucl.exe .
1⤵
PID:676
- C:\Windows\rdzmdvmidxmpnvgucl.exe
  rdzmdvmidxmpnvgucl.exe .
  2⤵
  PID:2296
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\rdzmdvmidxmpnvgucl.exe*."
    3⤵
    PID:3672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe
1⤵
PID:1144
- C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe
  C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe
  2⤵
  PID:1140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe .
1⤵
PID:5708
- C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe
  C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe .
  2⤵
  PID:5236
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\etsicxrqoldjkvjalxmlb.exe*."
    3⤵
    PID:1912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe
1⤵
PID:4860
- C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe
  C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe
  2⤵
  PID:1952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe .
1⤵
PID:5192
- C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe
  C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe .
  2⤵
  PID:2940
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\cpmasldawrhlktfudna.exe*."
    3⤵
    PID:408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gaurlgdurnejjtgwgicw.exe
1⤵
PID:5812
- C:\Windows\gaurlgdurnejjtgwgicw.exe
  gaurlgdurnejjtgwgicw.exe
  2⤵
  PID:5280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqhbskesmftvszjwd.exe .
1⤵
PID:5976
- C:\Windows\zqhbskesmftvszjwd.exe
  zqhbskesmftvszjwd.exe .
  2⤵
  PID:4432
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\zqhbskesmftvszjwd.exe*."
    3⤵
    PID:5652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iasnfytidxmpnvgucc.exe
1⤵
PID:2012
- C:\Windows\iasnfytidxmpnvgucc.exe
  iasnfytidxmpnvgucc.exe
  2⤵
  PID:3508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iasnfytidxmpnvgucc.exe .
1⤵
PID:1472
- C:\Windows\iasnfytidxmpnvgucc.exe
  iasnfytidxmpnvgucc.exe .
  2⤵
  PID:4240
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\iasnfytidxmpnvgucc.exe*."
    3⤵
    PID:2340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfbuokawrhlktfudex.exe
1⤵
PID:5604
- C:\Users\Admin\AppData\Local\Temp\tmfbuokawrhlktfudex.exe
  C:\Users\Admin\AppData\Local\Temp\tmfbuokawrhlktfudex.exe
  2⤵
  PID:5964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhbskesmftvszjwd.exe .
1⤵
PID:1376
- C:\Users\Admin\AppData\Local\Temp\zqhbskesmftvszjwd.exe
  C:\Users\Admin\AppData\Local\Temp\zqhbskesmftvszjwd.exe .
  2⤵
  PID:4484
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\zqhbskesmftvszjwd.exe*."
    3⤵
    PID:5856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c itoaqhxsmftvszjwd.exe
1⤵
PID:1264
- C:\Windows\itoaqhxsmftvszjwd.exe
  itoaqhxsmftvszjwd.exe
  2⤵
  PID:3588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhbskesmftvszjwd.exe
1⤵
PID:4256
- C:\Users\Admin\AppData\Local\Temp\zqhbskesmftvszjwd.exe
  C:\Users\Admin\AppData\Local\Temp\zqhbskesmftvszjwd.exe
  2⤵
  PID:1524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c blfqfvkexpcdzfoa.exe .
1⤵
PID:3916
- C:\Windows\blfqfvkexpcdzfoa.exe
  blfqfvkexpcdzfoa.exe .
  2⤵
  PID:4356
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\blfqfvkexpcdzfoa.exe*."
    3⤵
    PID:5468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhbskesmftvszjwd.exe .
1⤵
PID:2368
- C:\Users\Admin\AppData\Local\Temp\zqhbskesmftvszjwd.exe
  C:\Users\Admin\AppData\Local\Temp\zqhbskesmftvszjwd.exe .
  2⤵
  PID:3504
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\zqhbskesmftvszjwd.exe*."
    3⤵
    PID:5552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdbqjdwurnejjtgwgrfd.exe
1⤵
PID:3188
- C:\Windows\pdbqjdwurnejjtgwgrfd.exe
  pdbqjdwurnejjtgwgrfd.exe
  2⤵
  PID:3464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdbqjdwurnejjtgwgrfd.exe .
1⤵
PID:5684
- C:\Windows\pdbqjdwurnejjtgwgrfd.exe
  pdbqjdwurnejjtgwgrfd.exe .
  2⤵
  PID:3180
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\pdbqjdwurnejjtgwgrfd.exe*."
    3⤵
    PID:5540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
1⤵
PID:4144
- C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
  2⤵
  PID:4000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe .
1⤵
PID:2976
- C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe
  C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe .
  2⤵
  PID:4132
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\rdzmdvmidxmpnvgucl.exe*."
    3⤵
    PID:1112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe
1⤵
PID:4992
- C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe
  C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe
  2⤵
  PID:4736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe .
1⤵
PID:3164
- C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe .
  2⤵
  PID:4852
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\blfqfvkexpcdzfoa.exe*."
    3⤵
    PID:2176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cpmasldawrhlktfudna.exe
1⤵
PID:860
- C:\Windows\cpmasldawrhlktfudna.exe
  cpmasldawrhlktfudna.exe
  2⤵
  PID:552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdbqjdwurnejjtgwgrfd.exe .
1⤵
PID:4964
- C:\Windows\pdbqjdwurnejjtgwgrfd.exe
  pdbqjdwurnejjtgwgrfd.exe .
  2⤵
  PID:2316
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\pdbqjdwurnejjtgwgrfd.exe*."
    3⤵
    PID:3268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rdzmdvmidxmpnvgucl.exe
1⤵
PID:6112
- C:\Windows\rdzmdvmidxmpnvgucl.exe
  rdzmdvmidxmpnvgucl.exe
  2⤵
  PID:4244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cpmasldawrhlktfudna.exe .
1⤵
PID:5848
- C:\Windows\cpmasldawrhlktfudna.exe
  cpmasldawrhlktfudna.exe .
  2⤵
  PID:5784
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\cpmasldawrhlktfudna.exe*."
    3⤵
    PID:5708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c itoaqhxsmftvszjwd.exe
1⤵
PID:3480
- C:\Windows\itoaqhxsmftvszjwd.exe
  itoaqhxsmftvszjwd.exe
  2⤵
  PID:4192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe
1⤵
PID:3708
- C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe
  C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe
  2⤵
  PID:3808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe .
1⤵
PID:2004
- C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe .
  2⤵
  PID:3236
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\blfqfvkexpcdzfoa.exe*."
    3⤵
    PID:1652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cpmasldawrhlktfudna.exe .
1⤵
PID:2852
- C:\Windows\cpmasldawrhlktfudna.exe
  cpmasldawrhlktfudna.exe .
  2⤵
  PID:4552
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\cpmasldawrhlktfudna.exe*."
    3⤵
    PID:1056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c itoaqhxsmftvszjwd.exe
1⤵
PID:3132
- C:\Windows\itoaqhxsmftvszjwd.exe
  itoaqhxsmftvszjwd.exe
  2⤵
  PID:5088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cpmasldawrhlktfudna.exe
1⤵
PID:5992
- C:\Windows\cpmasldawrhlktfudna.exe
  cpmasldawrhlktfudna.exe
  2⤵
  PID:224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itoaqhxsmftvszjwd.exe
1⤵
PID:1288
- C:\Users\Admin\AppData\Local\Temp\itoaqhxsmftvszjwd.exe
  C:\Users\Admin\AppData\Local\Temp\itoaqhxsmftvszjwd.exe
  2⤵
  PID:5988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c itoaqhxsmftvszjwd.exe .
1⤵
PID:3988
- C:\Windows\itoaqhxsmftvszjwd.exe
  itoaqhxsmftvszjwd.exe .
  2⤵
  PID:2016
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\itoaqhxsmftvszjwd.exe*."
    3⤵
    PID:3008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c itoaqhxsmftvszjwd.exe .
1⤵
PID:1172
- C:\Windows\itoaqhxsmftvszjwd.exe
  itoaqhxsmftvszjwd.exe .
  2⤵
  PID:4652
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\itoaqhxsmftvszjwd.exe*."
    3⤵
    PID:6040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe .
1⤵
PID:6128
- C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe
  C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe .
  2⤵
  PID:2564
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\pdbqjdwurnejjtgwgrfd.exe*."
    3⤵
    PID:4712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe
1⤵
PID:4932
- C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe
  C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe
  2⤵
  PID:3320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c etsicxrqoldjkvjalxmlb.exe
1⤵
PID:4240
- C:\Windows\etsicxrqoldjkvjalxmlb.exe
  etsicxrqoldjkvjalxmlb.exe
  2⤵
  PID:1020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe .
1⤵
PID:4296
- C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe
  C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe .
  2⤵
  PID:5028
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\pdbqjdwurnejjtgwgrfd.exe*."
    3⤵
    PID:5272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c etsicxrqoldjkvjalxmlb.exe .
1⤵
PID:3276
- C:\Windows\etsicxrqoldjkvjalxmlb.exe
  etsicxrqoldjkvjalxmlb.exe .
  2⤵
  PID:2248
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\etsicxrqoldjkvjalxmlb.exe*."
    3⤵
    PID:1624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe
1⤵
PID:388
- C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe
  C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe
  2⤵
  PID:3916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe .
1⤵
PID:3476
- C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe
  C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe .
  2⤵
  PID:5416
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\pdbqjdwurnejjtgwgrfd.exe*."
    3⤵
    PID:5144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itoaqhxsmftvszjwd.exe
1⤵
PID:2408
- C:\Users\Admin\AppData\Local\Temp\itoaqhxsmftvszjwd.exe
  C:\Users\Admin\AppData\Local\Temp\itoaqhxsmftvszjwd.exe
  2⤵
  PID:3880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe .
1⤵
PID:5340
- C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe
  C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe .
  2⤵
  PID:1616
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\rdzmdvmidxmpnvgucl.exe*."
    3⤵
    PID:2212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe
1⤵
PID:6044
- C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe
  C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe
  2⤵
  PID:848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe .
1⤵
PID:3188
- C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe
  C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe .
  2⤵
  PID:4584
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\rdzmdvmidxmpnvgucl.exe*."
    3⤵
    PID:3100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tmfbuokawrhlktfudex.exe
1⤵
PID:2744
- C:\Windows\tmfbuokawrhlktfudex.exe
  tmfbuokawrhlktfudex.exe
  2⤵
  PID:4944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iasnfytidxmpnvgucc.exe .
1⤵
PID:4068
- C:\Windows\iasnfytidxmpnvgucc.exe
  iasnfytidxmpnvgucc.exe .
  2⤵
  PID:1848
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\iasnfytidxmpnvgucc.exe*."
    3⤵
    PID:3780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tmfbuokawrhlktfudex.exe
1⤵
PID:8
- C:\Windows\tmfbuokawrhlktfudex.exe
  tmfbuokawrhlktfudex.exe
  2⤵
  PID:552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iasnfytidxmpnvgucc.exe .
1⤵
PID:5920
- C:\Windows\iasnfytidxmpnvgucc.exe
  iasnfytidxmpnvgucc.exe .
  2⤵
  PID:5768
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\iasnfytidxmpnvgucc.exe*."
    3⤵
    PID:676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iasnfytidxmpnvgucc.exe
1⤵
PID:2712
- C:\Users\Admin\AppData\Local\Temp\iasnfytidxmpnvgucc.exe
  C:\Users\Admin\AppData\Local\Temp\iasnfytidxmpnvgucc.exe
  2⤵
  PID:4680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siyrhyrexpcdzfoa.exe .
1⤵
PID:4196
- C:\Users\Admin\AppData\Local\Temp\siyrhyrexpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\siyrhyrexpcdzfoa.exe .
  2⤵
  PID:3040
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\siyrhyrexpcdzfoa.exe*."
    3⤵
    PID:5584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c etsicxrqoldjkvjalxmlb.exe
1⤵
PID:2452
- C:\Windows\etsicxrqoldjkvjalxmlb.exe
  etsicxrqoldjkvjalxmlb.exe
  2⤵
  PID:1108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfbuokawrhlktfudex.exe
1⤵
PID:4460
- C:\Users\Admin\AppData\Local\Temp\tmfbuokawrhlktfudex.exe
  C:\Users\Admin\AppData\Local\Temp\tmfbuokawrhlktfudex.exe
  2⤵
  PID:2676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gaurlgdurnejjtgwgicw.exe .
1⤵
PID:5372
- C:\Users\Admin\AppData\Local\Temp\gaurlgdurnejjtgwgicw.exe
  C:\Users\Admin\AppData\Local\Temp\gaurlgdurnejjtgwgicw.exe .
  2⤵
  PID:2940
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\gaurlgdurnejjtgwgicw.exe*."
    3⤵
    PID:5796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pdbqjdwurnejjtgwgrfd.exe .
1⤵
PID:4548
- C:\Windows\pdbqjdwurnejjtgwgrfd.exe
  pdbqjdwurnejjtgwgrfd.exe .
  2⤵
  PID:4152
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\pdbqjdwurnejjtgwgrfd.exe*."
    3⤵
    PID:940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cpmasldawrhlktfudna.exe
1⤵
PID:3012
- C:\Windows\cpmasldawrhlktfudna.exe
  cpmasldawrhlktfudna.exe
  2⤵
  PID:5696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c blfqfvkexpcdzfoa.exe .
1⤵
PID:4744
- C:\Windows\blfqfvkexpcdzfoa.exe
  blfqfvkexpcdzfoa.exe .
  2⤵
  PID:2844
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\blfqfvkexpcdzfoa.exe*."
    3⤵
    PID:5520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itoaqhxsmftvszjwd.exe
1⤵
PID:3624
- C:\Users\Admin\AppData\Local\Temp\itoaqhxsmftvszjwd.exe
  C:\Users\Admin\AppData\Local\Temp\itoaqhxsmftvszjwd.exe
  2⤵
  PID:1088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe .
1⤵
PID:4392
- C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe
  C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe .
  2⤵
  PID:2972
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\etsicxrqoldjkvjalxmlb.exe*."
    3⤵
    PID:5760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe
1⤵
PID:6080
- C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe
  C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe
  2⤵
  PID:5680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe .
1⤵
PID:5644
- C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe
  C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe .
  2⤵
  PID:1732
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\rdzmdvmidxmpnvgucl.exe*."
    3⤵
    PID:1500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rdzmdvmidxmpnvgucl.exe
1⤵
PID:5508
- C:\Windows\rdzmdvmidxmpnvgucl.exe
  rdzmdvmidxmpnvgucl.exe
  2⤵
  PID:5732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c blfqfvkexpcdzfoa.exe .
1⤵
PID:3380
- C:\Windows\blfqfvkexpcdzfoa.exe
  blfqfvkexpcdzfoa.exe .
  2⤵
  PID:5052
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\blfqfvkexpcdzfoa.exe*."
    3⤵
    PID:4772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rdzmdvmidxmpnvgucl.exe
1⤵
PID:3096
- C:\Windows\rdzmdvmidxmpnvgucl.exe
  rdzmdvmidxmpnvgucl.exe
  2⤵
  PID:2996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rdzmdvmidxmpnvgucl.exe .
1⤵
PID:4296
- C:\Windows\rdzmdvmidxmpnvgucl.exe
  rdzmdvmidxmpnvgucl.exe .
  2⤵
  PID:5068
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\rdzmdvmidxmpnvgucl.exe*."
    3⤵
    PID:1544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe
1⤵
PID:4484
- C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe
  C:\Users\Admin\AppData\Local\Temp\etsicxrqoldjkvjalxmlb.exe
  2⤵
  PID:3744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe .
1⤵
PID:5952
- C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
  C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe .
  2⤵
  PID:4212
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\blfqfvkexpcdzfoa.exe*."
    3⤵
    PID:3832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe
1⤵
PID:5700
- C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe
  C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe
  2⤵
  PID:5340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe .
1⤵
PID:2908
- C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe
  C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe .
  2⤵
  PID:3524
- - C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
    "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\pdbqjdwurnejjtgwgrfd.exe*."
    3⤵
    PID:4584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c itoaqhxsmftvszjwd.exe
1⤵
PID:2772
- C:\Windows\itoaqhxsmftvszjwd.exe
  itoaqhxsmftvszjwd.exe
  2⤵
  PID:4996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c blfqfvkexpcdzfoa.exe .
1⤵
PID:4176
- C:\Windows\blfqfvkexpcdzfoa.exe
  blfqfvkexpcdzfoa.exe .
  2⤵
  PID:5384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c itoaqhxsmftvszjwd.exe
1⤵
PID:5972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c etsicxrqoldjkvjalxmlb.exe .
1⤵
PID:5888
- C:\Windows\etsicxrqoldjkvjalxmlb.exe
  etsicxrqoldjkvjalxmlb.exe .
  2⤵
  PID:460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cpmasldawrhlktfudna.exe
1⤵
PID:4304
- C:\Windows\cpmasldawrhlktfudna.exe
  cpmasldawrhlktfudna.exe
  2⤵
  PID:4244

C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe
C:\Users\Admin\AppData\Local\Temp\rdzmdvmidxmpnvgucl.exe .
1⤵
PID:3672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c itoaqhxsmftvszjwd.exe .
1⤵
PID:1520

C:\Windows\pdbqjdwurnejjtgwgrfd.exe
pdbqjdwurnejjtgwgrfd.exe
1⤵
PID:4816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c itoaqhxsmftvszjwd.exe
1⤵
PID:940

C:\Windows\blfqfvkexpcdzfoa.exe
blfqfvkexpcdzfoa.exe .
1⤵
PID:1776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cpmasldawrhlktfudna.exe
1⤵
PID:1148

C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
"C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\windows\itoaqhxsmftvszjwd.exe*."
1⤵
PID:5264

C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe
C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe .
1⤵
PID:3632

C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe
C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe .
1⤵
PID:4656
- C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
  "C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\pdbqjdwurnejjtgwgrfd.exe*."
  2⤵
  PID:5092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdbqjdwurnejjtgwgrfd.exe .
1⤵
PID:6128

C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
C:\Users\Admin\AppData\Local\Temp\blfqfvkexpcdzfoa.exe
1⤵
PID:3096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cpmasldawrhlktfudna.exe .
1⤵
PID:1916

C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
"C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\pdbqjdwurnejjtgwgrfd.exe*."
1⤵
PID:2216

C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe
"C:\Users\Admin\AppData\Local\Temp\wearswdegok.exe" "c:\users\admin\appdata\local\temp\cpmasldawrhlktfudna.exe*."
1⤵
PID:5412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry