pykspa | 16065b6a2019d67e3fb44ff535c692359705f245542151efb863b2d35e79ed31

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	mtbfen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	mtbfen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bbygorkllli.exe

Pykspa
Pykspa is a worm spreads via Skype uses DGA and it's written in C++.
worm pykspa
Pykspa family
pykspa

UAC bypass 3 TTPs 26 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mtbfen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	mtbfen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	mtbfen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	mtbfen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	mtbfen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	mtbfen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mtbfen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	mtbfen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bbygorkllli.exe

Detect Pykspa worm 2 IoCs

worm

resource	yara_rule
behavioral2/files/0x0004000000023342-4.dat	family_pykspa
behavioral2/files/0x0008000000024229-86.dat	family_pykspa

Adds policy Run key to start application 2 TTPs 57 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tfsbftgmbjh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mhdvifbqofmvbsjvxhid.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qfvhofvewhillw = "ohbrcxreapubfujttb.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qfvhofvewhillw = "yphvexpauhkprerz.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qfvhofvewhillw = "ztofrniwtjpxcsitudd.exe"	mtbfen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qfvhofvewhillw = "mhdvifbqofmvbsjvxhid.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tfsbftgmbjh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fxqfpjcojxbhkymvu.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tfsbftgmbjh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mhdvifbqofmvbsjvxhid.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qfvhofvewhillw = "mhdvifbqofmvbsjvxhid.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tfsbftgmbjh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bxunbzwmldlvcumzcnpli.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qfvhofvewhillw = "fxqfpjcojxbhkymvu.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tfsbftgmbjh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bxunbzwmldlvcumzcnpli.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qfvhofvewhillw = "ohbrcxreapubfujttb.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tfsbftgmbjh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yphvexpauhkprerz.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qfvhofvewhillw = "ohbrcxreapubfujttb.exe"	mtbfen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tfsbftgmbjh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ztofrniwtjpxcsitudd.exe"	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tfsbftgmbjh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mhdvifbqofmvbsjvxhid.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qfvhofvewhillw = "ztofrniwtjpxcsitudd.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tfsbftgmbjh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohbrcxreapubfujttb.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qfvhofvewhillw = "fxqfpjcojxbhkymvu.exe"	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tfsbftgmbjh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yphvexpauhkprerz.exe"	mtbfen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tfsbftgmbjh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fxqfpjcojxbhkymvu.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qfvhofvewhillw = "ztofrniwtjpxcsitudd.exe"	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tfsbftgmbjh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mhdvifbqofmvbsjvxhid.exe"	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tfsbftgmbjh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bxunbzwmldlvcumzcnpli.exe"	mtbfen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qfvhofvewhillw = "ztofrniwtjpxcsitudd.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tfsbftgmbjh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yphvexpauhkprerz.exe"	mtbfen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tfsbftgmbjh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mhdvifbqofmvbsjvxhid.exe"	mtbfen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tfsbftgmbjh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ztofrniwtjpxcsitudd.exe"	mtbfen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	mtbfen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qfvhofvewhillw = "bxunbzwmldlvcumzcnpli.exe"	mtbfen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qfvhofvewhillw = "ztofrniwtjpxcsitudd.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tfsbftgmbjh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohbrcxreapubfujttb.exe"	mtbfen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qfvhofvewhillw = "ohbrcxreapubfujttb.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qfvhofvewhillw = "yphvexpauhkprerz.exe"	mtbfen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tfsbftgmbjh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fxqfpjcojxbhkymvu.exe"	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tfsbftgmbjh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohbrcxreapubfujttb.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tfsbftgmbjh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ztofrniwtjpxcsitudd.exe"	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qfvhofvewhillw = "ohbrcxreapubfujttb.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tfsbftgmbjh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fxqfpjcojxbhkymvu.exe"	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	mtbfen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qfvhofvewhillw = "yphvexpauhkprerz.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qfvhofvewhillw = "fxqfpjcojxbhkymvu.exe"	bbygorkllli.exe

Blocklisted process makes network request 5 IoCs

flow	pid	Process
56	4816	Process not Found
59	4816	Process not Found
61	4816	Process not Found
64	4816	Process not Found
66	4816	Process not Found

Disables RegEdit via registry modification 6 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	bbygorkllli.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	mtbfen.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	mtbfen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	mtbfen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	mtbfen.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	bbygorkllli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	fxqfpjcojxbhkymvu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	fxqfpjcojxbhkymvu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	ohbrcxreapubfujttb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	ztofrniwtjpxcsitudd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	bxunbzwmldlvcumzcnpli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	mhdvifbqofmvbsjvxhid.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	mhdvifbqofmvbsjvxhid.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	ztofrniwtjpxcsitudd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	ohbrcxreapubfujttb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	ztofrniwtjpxcsitudd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	ohbrcxreapubfujttb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	ohbrcxreapubfujttb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	ohbrcxreapubfujttb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	bxunbzwmldlvcumzcnpli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	mhdvifbqofmvbsjvxhid.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	ztofrniwtjpxcsitudd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	ohbrcxreapubfujttb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	bxunbzwmldlvcumzcnpli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	yphvexpauhkprerz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	bxunbzwmldlvcumzcnpli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	mhdvifbqofmvbsjvxhid.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	ohbrcxreapubfujttb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	yphvexpauhkprerz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	fxqfpjcojxbhkymvu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	bxunbzwmldlvcumzcnpli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	fxqfpjcojxbhkymvu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	mhdvifbqofmvbsjvxhid.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	mhdvifbqofmvbsjvxhid.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	ztofrniwtjpxcsitudd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	bxunbzwmldlvcumzcnpli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	yphvexpauhkprerz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	yphvexpauhkprerz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	ohbrcxreapubfujttb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	fxqfpjcojxbhkymvu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	yphvexpauhkprerz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	yphvexpauhkprerz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	ztofrniwtjpxcsitudd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	yphvexpauhkprerz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	mhdvifbqofmvbsjvxhid.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	yphvexpauhkprerz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	fxqfpjcojxbhkymvu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	bxunbzwmldlvcumzcnpli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	bxunbzwmldlvcumzcnpli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	ztofrniwtjpxcsitudd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	yphvexpauhkprerz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	bxunbzwmldlvcumzcnpli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	ohbrcxreapubfujttb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	ztofrniwtjpxcsitudd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	JaffaCakes118_9227d16a21f3c92e5ace17a0923db492.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	ztofrniwtjpxcsitudd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	bxunbzwmldlvcumzcnpli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	mhdvifbqofmvbsjvxhid.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	fxqfpjcojxbhkymvu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	ztofrniwtjpxcsitudd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	bxunbzwmldlvcumzcnpli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	ztofrniwtjpxcsitudd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	mhdvifbqofmvbsjvxhid.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	yphvexpauhkprerz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	yphvexpauhkprerz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	ohbrcxreapubfujttb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	bxunbzwmldlvcumzcnpli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	fxqfpjcojxbhkymvu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	fxqfpjcojxbhkymvu.exe

Executes dropped EXE 64 IoCs

pid	Process
1652	bbygorkllli.exe
4920	bxunbzwmldlvcumzcnpli.exe
4400	ztofrniwtjpxcsitudd.exe
4384	bbygorkllli.exe
1684	fxqfpjcojxbhkymvu.exe
3324	ohbrcxreapubfujttb.exe
452	fxqfpjcojxbhkymvu.exe
2124	bbygorkllli.exe
3452	mhdvifbqofmvbsjvxhid.exe
6112	bbygorkllli.exe
5708	fxqfpjcojxbhkymvu.exe
3160	bxunbzwmldlvcumzcnpli.exe
408	bbygorkllli.exe
5284	mtbfen.exe
1632	mtbfen.exe
5848	fxqfpjcojxbhkymvu.exe
4720	ztofrniwtjpxcsitudd.exe
1864	yphvexpauhkprerz.exe
2044	bxunbzwmldlvcumzcnpli.exe
3388	bbygorkllli.exe
4464	mhdvifbqofmvbsjvxhid.exe
4364	bbygorkllli.exe
220	mhdvifbqofmvbsjvxhid.exe
5412	bxunbzwmldlvcumzcnpli.exe
1664	fxqfpjcojxbhkymvu.exe
2936	yphvexpauhkprerz.exe
5100	bbygorkllli.exe
4968	yphvexpauhkprerz.exe
2124	yphvexpauhkprerz.exe
4300	yphvexpauhkprerz.exe
5832	bbygorkllli.exe
3924	yphvexpauhkprerz.exe
1876	ztofrniwtjpxcsitudd.exe
968	ztofrniwtjpxcsitudd.exe
6048	ztofrniwtjpxcsitudd.exe
5996	bbygorkllli.exe
3132	bbygorkllli.exe
4556	ohbrcxreapubfujttb.exe
2084	bxunbzwmldlvcumzcnpli.exe
4820	ohbrcxreapubfujttb.exe
1880	bbygorkllli.exe
1244	mhdvifbqofmvbsjvxhid.exe
1888	ohbrcxreapubfujttb.exe
3116	bbygorkllli.exe
3956	bbygorkllli.exe
1804	fxqfpjcojxbhkymvu.exe
3904	bbygorkllli.exe
4100	bbygorkllli.exe
3388	fxqfpjcojxbhkymvu.exe
3056	yphvexpauhkprerz.exe
4676	bbygorkllli.exe
3724	mhdvifbqofmvbsjvxhid.exe
5476	ohbrcxreapubfujttb.exe
3616	bbygorkllli.exe
5224	ztofrniwtjpxcsitudd.exe
1108	ohbrcxreapubfujttb.exe
4508	mhdvifbqofmvbsjvxhid.exe
4372	mhdvifbqofmvbsjvxhid.exe
3736	bbygorkllli.exe
636	ztofrniwtjpxcsitudd.exe
4968	bxunbzwmldlvcumzcnpli.exe
5996	yphvexpauhkprerz.exe
1860	ztofrniwtjpxcsitudd.exe
2984	bbygorkllli.exe

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	mtbfen.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	mtbfen.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	mtbfen.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	mtbfen.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	mtbfen.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	mtbfen.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

defense_evasion persistence privilege_escalation

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fxqfpjcojxbhkymvu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ztofrniwtjpxcsitudd.exe ."	mtbfen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fxqfpjcojxbhkymvu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bxunbzwmldlvcumzcnpli.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qdrbgvjqgpop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohbrcxreapubfujttb.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qdrbgvjqgpop = "bxunbzwmldlvcumzcnpli.exe"	mtbfen.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pdsdjzownxxzy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohbrcxreapubfujttb.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yphvexpauhkprerz = "ohbrcxreapubfujttb.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qdrbgvjqgpop = "ztofrniwtjpxcsitudd.exe"	mtbfen.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yphvexpauhkprerz = "fxqfpjcojxbhkymvu.exe ."	mtbfen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qdrbgvjqgpop = "ztofrniwtjpxcsitudd.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yphvexpauhkprerz = "yphvexpauhkprerz.exe ."	mtbfen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pdsdjzownxxzy = "mhdvifbqofmvbsjvxhid.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pdsdjzownxxzy = "mhdvifbqofmvbsjvxhid.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ohbrcxreapubfujttb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ztofrniwtjpxcsitudd.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tjanvneohtvzamy = "mhdvifbqofmvbsjvxhid.exe"	mtbfen.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tjanvneohtvzamy = "bxunbzwmldlvcumzcnpli.exe"	mtbfen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qdrbgvjqgpop = "yphvexpauhkprerz.exe"	mtbfen.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yphvexpauhkprerz = "bxunbzwmldlvcumzcnpli.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qdrbgvjqgpop = "fxqfpjcojxbhkymvu.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tjanvneohtvzamy = "bxunbzwmldlvcumzcnpli.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fxqfpjcojxbhkymvu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bxunbzwmldlvcumzcnpli.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qdrbgvjqgpop = "bxunbzwmldlvcumzcnpli.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qdrbgvjqgpop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fxqfpjcojxbhkymvu.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tjanvneohtvzamy = "mhdvifbqofmvbsjvxhid.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yphvexpauhkprerz = "yphvexpauhkprerz.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pdsdjzownxxzy = "ohbrcxreapubfujttb.exe ."	mtbfen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pdsdjzownxxzy = "mhdvifbqofmvbsjvxhid.exe ."	mtbfen.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pdsdjzownxxzy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yphvexpauhkprerz.exe ."	mtbfen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qdrbgvjqgpop = "ztofrniwtjpxcsitudd.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pdsdjzownxxzy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bxunbzwmldlvcumzcnpli.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pdsdjzownxxzy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ztofrniwtjpxcsitudd.exe ."	mtbfen.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qdrbgvjqgpop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ztofrniwtjpxcsitudd.exe"	mtbfen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qdrbgvjqgpop = "ztofrniwtjpxcsitudd.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yphvexpauhkprerz = "ztofrniwtjpxcsitudd.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qdrbgvjqgpop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bxunbzwmldlvcumzcnpli.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pdsdjzownxxzy = "ztofrniwtjpxcsitudd.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pdsdjzownxxzy = "bxunbzwmldlvcumzcnpli.exe ."	mtbfen.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tjanvneohtvzamy = "ohbrcxreapubfujttb.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ohbrcxreapubfujttb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mhdvifbqofmvbsjvxhid.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pdsdjzownxxzy = "ztofrniwtjpxcsitudd.exe ."	mtbfen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ohbrcxreapubfujttb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mhdvifbqofmvbsjvxhid.exe"	mtbfen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qdrbgvjqgpop = "ztofrniwtjpxcsitudd.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qdrbgvjqgpop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bxunbzwmldlvcumzcnpli.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tjanvneohtvzamy = "ztofrniwtjpxcsitudd.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yphvexpauhkprerz = "ohbrcxreapubfujttb.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qdrbgvjqgpop = "mhdvifbqofmvbsjvxhid.exe"	mtbfen.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pdsdjzownxxzy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mhdvifbqofmvbsjvxhid.exe ."	mtbfen.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tjanvneohtvzamy = "mhdvifbqofmvbsjvxhid.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qdrbgvjqgpop = "fxqfpjcojxbhkymvu.exe"	mtbfen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fxqfpjcojxbhkymvu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohbrcxreapubfujttb.exe ."	mtbfen.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pdsdjzownxxzy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ztofrniwtjpxcsitudd.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ohbrcxreapubfujttb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohbrcxreapubfujttb.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pdsdjzownxxzy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yphvexpauhkprerz.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pdsdjzownxxzy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fxqfpjcojxbhkymvu.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qdrbgvjqgpop = "ohbrcxreapubfujttb.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fxqfpjcojxbhkymvu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mhdvifbqofmvbsjvxhid.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tjanvneohtvzamy = "ztofrniwtjpxcsitudd.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yphvexpauhkprerz = "ztofrniwtjpxcsitudd.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fxqfpjcojxbhkymvu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yphvexpauhkprerz.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yphvexpauhkprerz = "mhdvifbqofmvbsjvxhid.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qdrbgvjqgpop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yphvexpauhkprerz.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qdrbgvjqgpop = "bxunbzwmldlvcumzcnpli.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pdsdjzownxxzy = "ohbrcxreapubfujttb.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qdrbgvjqgpop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yphvexpauhkprerz.exe"	mtbfen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qdrbgvjqgpop = "mhdvifbqofmvbsjvxhid.exe"	bbygorkllli.exe

Checks whether UAC is enabled 1 TTPs 34 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bbygorkllli.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bbygorkllli.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bbygorkllli.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bbygorkllli.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bbygorkllli.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mtbfen.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mtbfen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mtbfen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bbygorkllli.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mtbfen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs

Possible Turn off User Account Control's privilege elevation for standard users.

Executable Installer File Permissions Weakness

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	mtbfen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	mtbfen.exe

Looks up external IP address via web service 9 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
45	whatismyip.everdot.org
50	whatismyipaddress.com
54	whatismyip.everdot.org
26	whatismyip.everdot.org
36	www.whatismyip.ca
38	whatismyip.everdot.org
44	www.whatismyip.ca
25	www.whatismyip.ca
40	www.showmyipaddress.com

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\fxqfpjcojxbhkymvu.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\bxunbzwmldlvcumzcnpli.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\mhdvifbqofmvbsjvxhid.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\mhdvifbqofmvbsjvxhid.exe	mtbfen.exe
File opened for modification	C:\Windows\SysWOW64\ztofrniwtjpxcsitudd.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\fxqfpjcojxbhkymvu.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\bxunbzwmldlvcumzcnpli.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\spnhwvtkkdmxfyrfjvyvtn.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\ohbrcxreapubfujttb.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\ztofrniwtjpxcsitudd.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\ztofrniwtjpxcsitudd.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\yphvexpauhkprerz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\yphvexpauhkprerz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\ztofrniwtjpxcsitudd.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\yphvexpauhkprerz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\bxunbzwmldlvcumzcnpli.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\ztofrniwtjpxcsitudd.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\ohbrcxreapubfujttb.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\yphvexpauhkprerz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\bxunbzwmldlvcumzcnpli.exe	mtbfen.exe
File opened for modification	C:\Windows\SysWOW64\bxunbzwmldlvcumzcnpli.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\mhdvifbqofmvbsjvxhid.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\spnhwvtkkdmxfyrfjvyvtn.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\mhdvifbqofmvbsjvxhid.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\bxunbzwmldlvcumzcnpli.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\fxqfpjcojxbhkymvu.exe	mtbfen.exe
File opened for modification	C:\Windows\SysWOW64\mhdvifbqofmvbsjvxhid.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\fxqfpjcojxbhkymvu.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\fxqfpjcojxbhkymvu.exe	mtbfen.exe
File opened for modification	C:\Windows\SysWOW64\yphvexpauhkprerz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\fxqfpjcojxbhkymvu.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\spnhwvtkkdmxfyrfjvyvtn.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\ztofrniwtjpxcsitudd.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\bxunbzwmldlvcumzcnpli.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\spnhwvtkkdmxfyrfjvyvtn.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\ohbrcxreapubfujttb.exe	mtbfen.exe
File opened for modification	C:\Windows\SysWOW64\ztofrniwtjpxcsitudd.exe	mtbfen.exe
File opened for modification	C:\Windows\SysWOW64\ohbrcxreapubfujttb.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\mhdvifbqofmvbsjvxhid.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\bxunbzwmldlvcumzcnpli.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\mhdvifbqofmvbsjvxhid.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\spnhwvtkkdmxfyrfjvyvtn.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\mhdvifbqofmvbsjvxhid.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\bxunbzwmldlvcumzcnpli.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\yphvexpauhkprerz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\spnhwvtkkdmxfyrfjvyvtn.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\ohbrcxreapubfujttb.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\ohbrcxreapubfujttb.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\ohbrcxreapubfujttb.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\mhdvifbqofmvbsjvxhid.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\ztofrniwtjpxcsitudd.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\spnhwvtkkdmxfyrfjvyvtn.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\ohbrcxreapubfujttb.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\yphvexpauhkprerz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\ohbrcxreapubfujttb.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\ztofrniwtjpxcsitudd.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\yphvexpauhkprerz.exe	mtbfen.exe
File opened for modification	C:\Windows\SysWOW64\qdrbgvjqgpopnwfjdfylzjodryoxwxvenr.ngt	mtbfen.exe
File opened for modification	C:\Windows\SysWOW64\fxqfpjcojxbhkymvu.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\yphvexpauhkprerz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\fxqfpjcojxbhkymvu.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\mhdvifbqofmvbsjvxhid.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\ztofrniwtjpxcsitudd.exe	mtbfen.exe
File opened for modification	C:\Windows\SysWOW64\ohbrcxreapubfujttb.exe	bbygorkllli.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\dfihbfiejhvlywunwnvxazt.awb	mtbfen.exe
File created	C:\Program Files (x86)\dfihbfiejhvlywunwnvxazt.awb	mtbfen.exe
File opened for modification	C:\Program Files (x86)\qdrbgvjqgpopnwfjdfylzjodryoxwxvenr.ngt	mtbfen.exe
File created	C:\Program Files (x86)\qdrbgvjqgpopnwfjdfylzjodryoxwxvenr.ngt	mtbfen.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ohbrcxreapubfujttb.exe	mtbfen.exe
File opened for modification	C:\Windows\yphvexpauhkprerz.exe	mtbfen.exe
File opened for modification	C:\Windows\fxqfpjcojxbhkymvu.exe	bbygorkllli.exe
File opened for modification	C:\Windows\ztofrniwtjpxcsitudd.exe	bbygorkllli.exe
File opened for modification	C:\Windows\bxunbzwmldlvcumzcnpli.exe	bbygorkllli.exe
File opened for modification	C:\Windows\bxunbzwmldlvcumzcnpli.exe	bbygorkllli.exe
File opened for modification	C:\Windows\ohbrcxreapubfujttb.exe	bbygorkllli.exe
File opened for modification	C:\Windows\spnhwvtkkdmxfyrfjvyvtn.exe	mtbfen.exe
File created	C:\Windows\qdrbgvjqgpopnwfjdfylzjodryoxwxvenr.ngt	mtbfen.exe
File opened for modification	C:\Windows\ohbrcxreapubfujttb.exe	bbygorkllli.exe
File opened for modification	C:\Windows\yphvexpauhkprerz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\ztofrniwtjpxcsitudd.exe	bbygorkllli.exe
File opened for modification	C:\Windows\bxunbzwmldlvcumzcnpli.exe	bbygorkllli.exe
File opened for modification	C:\Windows\bxunbzwmldlvcumzcnpli.exe	bbygorkllli.exe
File opened for modification	C:\Windows\fxqfpjcojxbhkymvu.exe	bbygorkllli.exe
File opened for modification	C:\Windows\mhdvifbqofmvbsjvxhid.exe	mtbfen.exe
File opened for modification	C:\Windows\fxqfpjcojxbhkymvu.exe	bbygorkllli.exe
File opened for modification	C:\Windows\spnhwvtkkdmxfyrfjvyvtn.exe	bbygorkllli.exe
File opened for modification	C:\Windows\fxqfpjcojxbhkymvu.exe	bbygorkllli.exe
File opened for modification	C:\Windows\fxqfpjcojxbhkymvu.exe	mtbfen.exe
File opened for modification	C:\Windows\ohbrcxreapubfujttb.exe	bbygorkllli.exe
File opened for modification	C:\Windows\fxqfpjcojxbhkymvu.exe	bbygorkllli.exe
File opened for modification	C:\Windows\ohbrcxreapubfujttb.exe	bbygorkllli.exe
File opened for modification	C:\Windows\bxunbzwmldlvcumzcnpli.exe	bbygorkllli.exe
File opened for modification	C:\Windows\mhdvifbqofmvbsjvxhid.exe	bbygorkllli.exe
File opened for modification	C:\Windows\bxunbzwmldlvcumzcnpli.exe	bbygorkllli.exe
File opened for modification	C:\Windows\ohbrcxreapubfujttb.exe	bbygorkllli.exe
File opened for modification	C:\Windows\mhdvifbqofmvbsjvxhid.exe	bbygorkllli.exe
File opened for modification	C:\Windows\yphvexpauhkprerz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\mhdvifbqofmvbsjvxhid.exe	bbygorkllli.exe
File opened for modification	C:\Windows\yphvexpauhkprerz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\bxunbzwmldlvcumzcnpli.exe	bbygorkllli.exe
File opened for modification	C:\Windows\ohbrcxreapubfujttb.exe	bbygorkllli.exe
File opened for modification	C:\Windows\mhdvifbqofmvbsjvxhid.exe	bbygorkllli.exe
File opened for modification	C:\Windows\spnhwvtkkdmxfyrfjvyvtn.exe	bbygorkllli.exe
File opened for modification	C:\Windows\ztofrniwtjpxcsitudd.exe	bbygorkllli.exe
File opened for modification	C:\Windows\yphvexpauhkprerz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\fxqfpjcojxbhkymvu.exe	bbygorkllli.exe
File opened for modification	C:\Windows\fxqfpjcojxbhkymvu.exe	bbygorkllli.exe
File opened for modification	C:\Windows\ohbrcxreapubfujttb.exe	bbygorkllli.exe
File opened for modification	C:\Windows\mhdvifbqofmvbsjvxhid.exe	bbygorkllli.exe
File opened for modification	C:\Windows\yphvexpauhkprerz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\ztofrniwtjpxcsitudd.exe	bbygorkllli.exe
File opened for modification	C:\Windows\bxunbzwmldlvcumzcnpli.exe	bbygorkllli.exe
File opened for modification	C:\Windows\yphvexpauhkprerz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\mhdvifbqofmvbsjvxhid.exe	bbygorkllli.exe
File opened for modification	C:\Windows\ohbrcxreapubfujttb.exe	bbygorkllli.exe
File opened for modification	C:\Windows\ztofrniwtjpxcsitudd.exe	bbygorkllli.exe
File opened for modification	C:\Windows\bxunbzwmldlvcumzcnpli.exe	bbygorkllli.exe
File opened for modification	C:\Windows\ztofrniwtjpxcsitudd.exe	bbygorkllli.exe
File opened for modification	C:\Windows\yphvexpauhkprerz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\mhdvifbqofmvbsjvxhid.exe	bbygorkllli.exe
File opened for modification	C:\Windows\ztofrniwtjpxcsitudd.exe	mtbfen.exe
File opened for modification	C:\Windows\spnhwvtkkdmxfyrfjvyvtn.exe	bbygorkllli.exe
File opened for modification	C:\Windows\mhdvifbqofmvbsjvxhid.exe	bbygorkllli.exe
File opened for modification	C:\Windows\bxunbzwmldlvcumzcnpli.exe	mtbfen.exe
File opened for modification	C:\Windows\fxqfpjcojxbhkymvu.exe	mtbfen.exe
File opened for modification	C:\Windows\qdrbgvjqgpopnwfjdfylzjodryoxwxvenr.ngt	mtbfen.exe
File opened for modification	C:\Windows\yphvexpauhkprerz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\spnhwvtkkdmxfyrfjvyvtn.exe	bbygorkllli.exe
File opened for modification	C:\Windows\ohbrcxreapubfujttb.exe	mtbfen.exe
File opened for modification	C:\Windows\bxunbzwmldlvcumzcnpli.exe	bbygorkllli.exe
File opened for modification	C:\Windows\yphvexpauhkprerz.exe	mtbfen.exe
File opened for modification	C:\Windows\fxqfpjcojxbhkymvu.exe	bbygorkllli.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ohbrcxreapubfujttb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bxunbzwmldlvcumzcnpli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bxunbzwmldlvcumzcnpli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ohbrcxreapubfujttb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yphvexpauhkprerz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yphvexpauhkprerz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bxunbzwmldlvcumzcnpli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bxunbzwmldlvcumzcnpli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fxqfpjcojxbhkymvu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mhdvifbqofmvbsjvxhid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ohbrcxreapubfujttb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yphvexpauhkprerz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ztofrniwtjpxcsitudd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ohbrcxreapubfujttb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yphvexpauhkprerz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fxqfpjcojxbhkymvu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ohbrcxreapubfujttb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bxunbzwmldlvcumzcnpli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ztofrniwtjpxcsitudd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mtbfen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bxunbzwmldlvcumzcnpli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yphvexpauhkprerz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mhdvifbqofmvbsjvxhid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ztofrniwtjpxcsitudd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mhdvifbqofmvbsjvxhid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mhdvifbqofmvbsjvxhid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bxunbzwmldlvcumzcnpli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bbygorkllli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bxunbzwmldlvcumzcnpli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ztofrniwtjpxcsitudd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ztofrniwtjpxcsitudd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yphvexpauhkprerz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yphvexpauhkprerz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ztofrniwtjpxcsitudd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mhdvifbqofmvbsjvxhid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yphvexpauhkprerz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fxqfpjcojxbhkymvu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mhdvifbqofmvbsjvxhid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ohbrcxreapubfujttb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mhdvifbqofmvbsjvxhid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fxqfpjcojxbhkymvu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mhdvifbqofmvbsjvxhid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bxunbzwmldlvcumzcnpli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fxqfpjcojxbhkymvu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ohbrcxreapubfujttb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yphvexpauhkprerz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ohbrcxreapubfujttb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ohbrcxreapubfujttb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ohbrcxreapubfujttb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ztofrniwtjpxcsitudd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bxunbzwmldlvcumzcnpli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ztofrniwtjpxcsitudd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yphvexpauhkprerz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ztofrniwtjpxcsitudd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yphvexpauhkprerz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ohbrcxreapubfujttb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ztofrniwtjpxcsitudd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ohbrcxreapubfujttb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mhdvifbqofmvbsjvxhid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ztofrniwtjpxcsitudd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ztofrniwtjpxcsitudd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ztofrniwtjpxcsitudd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ohbrcxreapubfujttb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fxqfpjcojxbhkymvu.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4636	JaffaCakes118_9227d16a21f3c92e5ace17a0923db492.exe
4636	JaffaCakes118_9227d16a21f3c92e5ace17a0923db492.exe
4636	JaffaCakes118_9227d16a21f3c92e5ace17a0923db492.exe
4636	JaffaCakes118_9227d16a21f3c92e5ace17a0923db492.exe
4636	JaffaCakes118_9227d16a21f3c92e5ace17a0923db492.exe
4636	JaffaCakes118_9227d16a21f3c92e5ace17a0923db492.exe
4636	JaffaCakes118_9227d16a21f3c92e5ace17a0923db492.exe
4636	JaffaCakes118_9227d16a21f3c92e5ace17a0923db492.exe
4636	JaffaCakes118_9227d16a21f3c92e5ace17a0923db492.exe
4636	JaffaCakes118_9227d16a21f3c92e5ace17a0923db492.exe
4636	JaffaCakes118_9227d16a21f3c92e5ace17a0923db492.exe
4636	JaffaCakes118_9227d16a21f3c92e5ace17a0923db492.exe
4636	JaffaCakes118_9227d16a21f3c92e5ace17a0923db492.exe
4636	JaffaCakes118_9227d16a21f3c92e5ace17a0923db492.exe
4636	JaffaCakes118_9227d16a21f3c92e5ace17a0923db492.exe
4636	JaffaCakes118_9227d16a21f3c92e5ace17a0923db492.exe
5284	mtbfen.exe
5284	mtbfen.exe
4636	JaffaCakes118_9227d16a21f3c92e5ace17a0923db492.exe
4636	JaffaCakes118_9227d16a21f3c92e5ace17a0923db492.exe
4636	JaffaCakes118_9227d16a21f3c92e5ace17a0923db492.exe
4636	JaffaCakes118_9227d16a21f3c92e5ace17a0923db492.exe
4636	JaffaCakes118_9227d16a21f3c92e5ace17a0923db492.exe
4636	JaffaCakes118_9227d16a21f3c92e5ace17a0923db492.exe
4636	JaffaCakes118_9227d16a21f3c92e5ace17a0923db492.exe
4636	JaffaCakes118_9227d16a21f3c92e5ace17a0923db492.exe
4636	JaffaCakes118_9227d16a21f3c92e5ace17a0923db492.exe
4636	JaffaCakes118_9227d16a21f3c92e5ace17a0923db492.exe
4636	JaffaCakes118_9227d16a21f3c92e5ace17a0923db492.exe
4636	JaffaCakes118_9227d16a21f3c92e5ace17a0923db492.exe
4636	JaffaCakes118_9227d16a21f3c92e5ace17a0923db492.exe
4636	JaffaCakes118_9227d16a21f3c92e5ace17a0923db492.exe
4636	JaffaCakes118_9227d16a21f3c92e5ace17a0923db492.exe
4636	JaffaCakes118_9227d16a21f3c92e5ace17a0923db492.exe
4636	JaffaCakes118_9227d16a21f3c92e5ace17a0923db492.exe
4636	JaffaCakes118_9227d16a21f3c92e5ace17a0923db492.exe
4636	JaffaCakes118_9227d16a21f3c92e5ace17a0923db492.exe
4636	JaffaCakes118_9227d16a21f3c92e5ace17a0923db492.exe
4636	JaffaCakes118_9227d16a21f3c92e5ace17a0923db492.exe
4636	JaffaCakes118_9227d16a21f3c92e5ace17a0923db492.exe
4636	JaffaCakes118_9227d16a21f3c92e5ace17a0923db492.exe
4636	JaffaCakes118_9227d16a21f3c92e5ace17a0923db492.exe
4636	JaffaCakes118_9227d16a21f3c92e5ace17a0923db492.exe
4636	JaffaCakes118_9227d16a21f3c92e5ace17a0923db492.exe
4636	JaffaCakes118_9227d16a21f3c92e5ace17a0923db492.exe
4636	JaffaCakes118_9227d16a21f3c92e5ace17a0923db492.exe
4636	JaffaCakes118_9227d16a21f3c92e5ace17a0923db492.exe
4636	JaffaCakes118_9227d16a21f3c92e5ace17a0923db492.exe
4636	JaffaCakes118_9227d16a21f3c92e5ace17a0923db492.exe
4636	JaffaCakes118_9227d16a21f3c92e5ace17a0923db492.exe
4636	JaffaCakes118_9227d16a21f3c92e5ace17a0923db492.exe
4636	JaffaCakes118_9227d16a21f3c92e5ace17a0923db492.exe
4636	JaffaCakes118_9227d16a21f3c92e5ace17a0923db492.exe
4636	JaffaCakes118_9227d16a21f3c92e5ace17a0923db492.exe
4636	JaffaCakes118_9227d16a21f3c92e5ace17a0923db492.exe
4636	JaffaCakes118_9227d16a21f3c92e5ace17a0923db492.exe
5284	mtbfen.exe
5284	mtbfen.exe
4636	JaffaCakes118_9227d16a21f3c92e5ace17a0923db492.exe
4636	JaffaCakes118_9227d16a21f3c92e5ace17a0923db492.exe
4636	JaffaCakes118_9227d16a21f3c92e5ace17a0923db492.exe
4636	JaffaCakes118_9227d16a21f3c92e5ace17a0923db492.exe
4636	JaffaCakes118_9227d16a21f3c92e5ace17a0923db492.exe
4636	JaffaCakes118_9227d16a21f3c92e5ace17a0923db492.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5284	mtbfen.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4636 wrote to memory of 1652	4636	JaffaCakes118_9227d16a21f3c92e5ace17a0923db492.exe	89
PID 4636 wrote to memory of 1652	4636	JaffaCakes118_9227d16a21f3c92e5ace17a0923db492.exe	89
PID 4636 wrote to memory of 1652	4636	JaffaCakes118_9227d16a21f3c92e5ace17a0923db492.exe	89
PID 2628 wrote to memory of 4920	2628	cmd.exe	94
PID 2628 wrote to memory of 4920	2628	cmd.exe	94
PID 2628 wrote to memory of 4920	2628	cmd.exe	94
PID 2404 wrote to memory of 4400	2404	cmd.exe	97
PID 2404 wrote to memory of 4400	2404	cmd.exe	97
PID 2404 wrote to memory of 4400	2404	cmd.exe	97
PID 4400 wrote to memory of 4384	4400	ztofrniwtjpxcsitudd.exe	100
PID 4400 wrote to memory of 4384	4400	ztofrniwtjpxcsitudd.exe	100
PID 4400 wrote to memory of 4384	4400	ztofrniwtjpxcsitudd.exe	100
PID 5292 wrote to memory of 1684	5292	cmd.exe	103
PID 5292 wrote to memory of 1684	5292	cmd.exe	103
PID 5292 wrote to memory of 1684	5292	cmd.exe	103
PID 2528 wrote to memory of 3324	2528	cmd.exe	106
PID 2528 wrote to memory of 3324	2528	cmd.exe	106
PID 2528 wrote to memory of 3324	2528	cmd.exe	106
PID 4936 wrote to memory of 452	4936	cmd.exe	109
PID 4936 wrote to memory of 452	4936	cmd.exe	109
PID 4936 wrote to memory of 452	4936	cmd.exe	109
PID 3324 wrote to memory of 2124	3324	ohbrcxreapubfujttb.exe	172
PID 3324 wrote to memory of 2124	3324	ohbrcxreapubfujttb.exe	172
PID 3324 wrote to memory of 2124	3324	ohbrcxreapubfujttb.exe	172
PID 2908 wrote to memory of 3452	2908	cmd.exe	111
PID 2908 wrote to memory of 3452	2908	cmd.exe	111
PID 2908 wrote to memory of 3452	2908	cmd.exe	111
PID 3452 wrote to memory of 6112	3452	mhdvifbqofmvbsjvxhid.exe	320
PID 3452 wrote to memory of 6112	3452	mhdvifbqofmvbsjvxhid.exe	320
PID 3452 wrote to memory of 6112	3452	mhdvifbqofmvbsjvxhid.exe	320
PID 4584 wrote to memory of 5708	4584	cmd.exe	119
PID 4584 wrote to memory of 5708	4584	cmd.exe	119
PID 4584 wrote to memory of 5708	4584	cmd.exe	119
PID 1856 wrote to memory of 3160	1856	cmd.exe	120
PID 1856 wrote to memory of 3160	1856	cmd.exe	120
PID 1856 wrote to memory of 3160	1856	cmd.exe	120
PID 3160 wrote to memory of 408	3160	bxunbzwmldlvcumzcnpli.exe	121
PID 3160 wrote to memory of 408	3160	bxunbzwmldlvcumzcnpli.exe	121
PID 3160 wrote to memory of 408	3160	bxunbzwmldlvcumzcnpli.exe	121
PID 1652 wrote to memory of 5284	1652	bbygorkllli.exe	122
PID 1652 wrote to memory of 5284	1652	bbygorkllli.exe	122
PID 1652 wrote to memory of 5284	1652	bbygorkllli.exe	122
PID 1652 wrote to memory of 1632	1652	bbygorkllli.exe	123
PID 1652 wrote to memory of 1632	1652	bbygorkllli.exe	123
PID 1652 wrote to memory of 1632	1652	bbygorkllli.exe	123
PID 4632 wrote to memory of 5848	4632	cmd.exe	127
PID 4632 wrote to memory of 5848	4632	cmd.exe	127
PID 4632 wrote to memory of 5848	4632	cmd.exe	127
PID 5844 wrote to memory of 4720	5844	cmd.exe	276
PID 5844 wrote to memory of 4720	5844	cmd.exe	276
PID 5844 wrote to memory of 4720	5844	cmd.exe	276
PID 1004 wrote to memory of 1864	1004	cmd.exe	134
PID 1004 wrote to memory of 1864	1004	cmd.exe	134
PID 1004 wrote to memory of 1864	1004	cmd.exe	134
PID 1640 wrote to memory of 2044	1640	cmd.exe	142
PID 1640 wrote to memory of 2044	1640	cmd.exe	142
PID 1640 wrote to memory of 2044	1640	cmd.exe	142
PID 1864 wrote to memory of 3388	1864	yphvexpauhkprerz.exe	206
PID 1864 wrote to memory of 3388	1864	yphvexpauhkprerz.exe	206
PID 1864 wrote to memory of 3388	1864	yphvexpauhkprerz.exe	206
PID 4960 wrote to memory of 4464	4960	cmd.exe	148
PID 4960 wrote to memory of 4464	4960	cmd.exe	148
PID 4960 wrote to memory of 4464	4960	cmd.exe	148
PID 2044 wrote to memory of 4364	2044	bxunbzwmldlvcumzcnpli.exe	282

System policy modification 1 TTPs 64 IoCs

defense_evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	mtbfen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	mtbfen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	mtbfen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	mtbfen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	mtbfen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	mtbfen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	mtbfen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	mtbfen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	mtbfen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mtbfen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	mtbfen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	mtbfen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mtbfen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	mtbfen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	mtbfen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	mtbfen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	mtbfen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	mtbfen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	mtbfen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	mtbfen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	mtbfen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	mtbfen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	mtbfen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	mtbfen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	bbygorkllli.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9227d16a21f3c92e5ace17a0923db492.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9227d16a21f3c92e5ace17a0923db492.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4636
- C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
  "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_9227d16a21f3c92e5ace17a0923db492.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1652
- - C:\Users\Admin\AppData\Local\Temp\mtbfen.exe
    "C:\Users\Admin\AppData\Local\Temp\mtbfen.exe" "-C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:5284
- - C:\Users\Admin\AppData\Local\Temp\mtbfen.exe
    "C:\Users\Admin\AppData\Local\Temp\mtbfen.exe" "-C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxunbzwmldlvcumzcnpli.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Windows\bxunbzwmldlvcumzcnpli.exe
  bxunbzwmldlvcumzcnpli.exe
  2⤵
  - Executes dropped EXE
  PID:4920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztofrniwtjpxcsitudd.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Windows\ztofrniwtjpxcsitudd.exe
  ztofrniwtjpxcsitudd.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4400
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ztofrniwtjpxcsitudd.exe*."
    3⤵
    - Executes dropped EXE
    PID:4384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxqfpjcojxbhkymvu.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5292
- C:\Windows\fxqfpjcojxbhkymvu.exe
  fxqfpjcojxbhkymvu.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohbrcxreapubfujttb.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Windows\ohbrcxreapubfujttb.exe
  ohbrcxreapubfujttb.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3324
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ohbrcxreapubfujttb.exe*."
    3⤵
    - Executes dropped EXE
    PID:2124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3452
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\mhdvifbqofmvbsjvxhid.exe*."
    3⤵
    - Executes dropped EXE
    PID:6112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4584
- C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe
  2⤵
  - Executes dropped EXE
  PID:5708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
  C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3160
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bxunbzwmldlvcumzcnpli.exe*."
    3⤵
    - Executes dropped EXE
    PID:408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxqfpjcojxbhkymvu.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4632
- C:\Windows\fxqfpjcojxbhkymvu.exe
  fxqfpjcojxbhkymvu.exe
  2⤵
  - Executes dropped EXE
  PID:5848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztofrniwtjpxcsitudd.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5844
- C:\Windows\ztofrniwtjpxcsitudd.exe
  ztofrniwtjpxcsitudd.exe
  2⤵
  - Executes dropped EXE
  PID:4720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yphvexpauhkprerz.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:1004
- C:\Windows\yphvexpauhkprerz.exe
  yphvexpauhkprerz.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\yphvexpauhkprerz.exe*."
    3⤵
    - Executes dropped EXE
    PID:3388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxunbzwmldlvcumzcnpli.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Windows\bxunbzwmldlvcumzcnpli.exe
  bxunbzwmldlvcumzcnpli.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\bxunbzwmldlvcumzcnpli.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhdvifbqofmvbsjvxhid.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4960
- C:\Windows\mhdvifbqofmvbsjvxhid.exe
  mhdvifbqofmvbsjvxhid.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxunbzwmldlvcumzcnpli.exe
1⤵
PID:4692
- C:\Windows\bxunbzwmldlvcumzcnpli.exe
  bxunbzwmldlvcumzcnpli.exe
  2⤵
  - Executes dropped EXE
  PID:5412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhdvifbqofmvbsjvxhid.exe .
1⤵
PID:5168
- C:\Windows\mhdvifbqofmvbsjvxhid.exe
  mhdvifbqofmvbsjvxhid.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:220
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\mhdvifbqofmvbsjvxhid.exe*."
    3⤵
    - Executes dropped EXE
    PID:5100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
1⤵
PID:2696
- C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
  2⤵
  - Executes dropped EXE
  PID:4300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxqfpjcojxbhkymvu.exe .
1⤵
PID:4292
- C:\Windows\fxqfpjcojxbhkymvu.exe
  fxqfpjcojxbhkymvu.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1664
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\fxqfpjcojxbhkymvu.exe*."
    3⤵
    - Executes dropped EXE
    PID:5832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
1⤵
PID:4560
- C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
  2⤵
  - Executes dropped EXE
  PID:2124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe .
1⤵
PID:5564
- C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2936
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\yphvexpauhkprerz.exe*."
    3⤵
    - Executes dropped EXE
    PID:5996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe .
1⤵
PID:1580
- C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4968
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\yphvexpauhkprerz.exe*."
    3⤵
    - Executes dropped EXE
    PID:3132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
1⤵
PID:4296
- C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
  2⤵
  - Executes dropped EXE
  PID:3924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
1⤵
PID:932
- C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
  2⤵
  - Executes dropped EXE
  PID:1876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe .
1⤵
PID:4912
- C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:968
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ztofrniwtjpxcsitudd.exe*."
    3⤵
    - Executes dropped EXE
    PID:1880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe .
1⤵
PID:5824
- C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
  C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2084
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bxunbzwmldlvcumzcnpli.exe*."
    3⤵
    - Executes dropped EXE
    PID:3116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztofrniwtjpxcsitudd.exe
1⤵
PID:5052
- C:\Windows\ztofrniwtjpxcsitudd.exe
  ztofrniwtjpxcsitudd.exe
  2⤵
  - Executes dropped EXE
  PID:6048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohbrcxreapubfujttb.exe .
1⤵
PID:4588
- C:\Windows\ohbrcxreapubfujttb.exe
  ohbrcxreapubfujttb.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4556
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ohbrcxreapubfujttb.exe*."
    3⤵
    - Executes dropped EXE
    PID:3956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohbrcxreapubfujttb.exe
1⤵
PID:2908
- C:\Windows\ohbrcxreapubfujttb.exe
  ohbrcxreapubfujttb.exe
  2⤵
  - Executes dropped EXE
  PID:4820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhdvifbqofmvbsjvxhid.exe .
1⤵
PID:4328
- C:\Windows\mhdvifbqofmvbsjvxhid.exe
  mhdvifbqofmvbsjvxhid.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1244
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\mhdvifbqofmvbsjvxhid.exe*."
    3⤵
    - Executes dropped EXE
    PID:3904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe
1⤵
PID:2808
- C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe
  2⤵
  - Executes dropped EXE
  PID:1888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe .
1⤵
PID:5796
- C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1804
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\fxqfpjcojxbhkymvu.exe*."
    3⤵
    - Executes dropped EXE
    PID:4100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe
1⤵
PID:3588
- C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe
  2⤵
  - Executes dropped EXE
  PID:3388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe .
1⤵
PID:3020
- C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3056
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\yphvexpauhkprerz.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhdvifbqofmvbsjvxhid.exe
1⤵
PID:1652
- C:\Windows\mhdvifbqofmvbsjvxhid.exe
  mhdvifbqofmvbsjvxhid.exe
  2⤵
  - Executes dropped EXE
  PID:3724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohbrcxreapubfujttb.exe .
1⤵
PID:5320
- C:\Windows\ohbrcxreapubfujttb.exe
  ohbrcxreapubfujttb.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5476
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ohbrcxreapubfujttb.exe*."
    3⤵
    - Executes dropped EXE
    PID:3616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztofrniwtjpxcsitudd.exe
1⤵
PID:3320
- C:\Windows\ztofrniwtjpxcsitudd.exe
  ztofrniwtjpxcsitudd.exe
  2⤵
  - Executes dropped EXE
  PID:5224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohbrcxreapubfujttb.exe .
1⤵
PID:5388
- C:\Windows\ohbrcxreapubfujttb.exe
  ohbrcxreapubfujttb.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1108
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ohbrcxreapubfujttb.exe*."
    3⤵
    - Executes dropped EXE
    PID:3736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhdvifbqofmvbsjvxhid.exe
1⤵
PID:220
- C:\Windows\mhdvifbqofmvbsjvxhid.exe
  mhdvifbqofmvbsjvxhid.exe
  2⤵
  - Executes dropped EXE
  PID:4372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
1⤵
PID:2324
- C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
  2⤵
  - Executes dropped EXE
  PID:4508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yphvexpauhkprerz.exe
1⤵
PID:1480
- C:\Windows\yphvexpauhkprerz.exe
  yphvexpauhkprerz.exe
  2⤵
  - Executes dropped EXE
  PID:5996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe .
1⤵
PID:1664
- C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1860
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ztofrniwtjpxcsitudd.exe*."
    3⤵
    PID:228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxunbzwmldlvcumzcnpli.exe .
1⤵
PID:3992
- C:\Windows\bxunbzwmldlvcumzcnpli.exe
  bxunbzwmldlvcumzcnpli.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4968
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\bxunbzwmldlvcumzcnpli.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztofrniwtjpxcsitudd.exe .
1⤵
PID:532
- C:\Windows\ztofrniwtjpxcsitudd.exe
  ztofrniwtjpxcsitudd.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:636
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ztofrniwtjpxcsitudd.exe*."
    3⤵
    - Executes dropped EXE
    PID:2984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yphvexpauhkprerz.exe
1⤵
PID:4360
- C:\Windows\yphvexpauhkprerz.exe
  yphvexpauhkprerz.exe
  2⤵
  PID:6064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe
1⤵
PID:2340
- C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe
  2⤵
  PID:4452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yphvexpauhkprerz.exe .
1⤵
PID:5976
- C:\Windows\yphvexpauhkprerz.exe
  yphvexpauhkprerz.exe .
  2⤵
  - Checks computer location settings
  PID:1536
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\yphvexpauhkprerz.exe*."
    3⤵
    PID:3912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe .
1⤵
PID:1992
- C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:388
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ohbrcxreapubfujttb.exe*."
    3⤵
    PID:5816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohbrcxreapubfujttb.exe
1⤵
PID:5616
- C:\Windows\ohbrcxreapubfujttb.exe
  ohbrcxreapubfujttb.exe
  2⤵
  PID:3008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
1⤵
PID:5676
- C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
  2⤵
  PID:5844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yphvexpauhkprerz.exe .
1⤵
PID:3536
- C:\Windows\yphvexpauhkprerz.exe
  yphvexpauhkprerz.exe .
  2⤵
  PID:5768
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\yphvexpauhkprerz.exe*."
    3⤵
    PID:2980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe .
1⤵
PID:1516
- C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4720
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ztofrniwtjpxcsitudd.exe*."
    3⤵
    PID:3700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
1⤵
PID:772
- C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
  2⤵
  PID:3456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe .
1⤵
PID:5756
- C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3172
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ohbrcxreapubfujttb.exe*."
    3⤵
    PID:952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
1⤵
PID:3080
- C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
  2⤵
  PID:3680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
1⤵
PID:3756
- C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
  C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
  2⤵
  PID:4904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe .
1⤵
PID:4404
- C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe .
  2⤵
  PID:764
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ztofrniwtjpxcsitudd.exe*."
    3⤵
    PID:2036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe .
1⤵
PID:3904
- C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe .
  2⤵
  PID:3724
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\mhdvifbqofmvbsjvxhid.exe*."
    3⤵
    PID:3556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohbrcxreapubfujttb.exe
1⤵
PID:4724
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4364
- C:\Windows\ohbrcxreapubfujttb.exe
  ohbrcxreapubfujttb.exe
  2⤵
  PID:1500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxqfpjcojxbhkymvu.exe .
1⤵
PID:4592
- C:\Windows\fxqfpjcojxbhkymvu.exe
  fxqfpjcojxbhkymvu.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3584
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\fxqfpjcojxbhkymvu.exe*."
    3⤵
    PID:4584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztofrniwtjpxcsitudd.exe
1⤵
PID:5044
- C:\Windows\ztofrniwtjpxcsitudd.exe
  ztofrniwtjpxcsitudd.exe
  2⤵
  PID:1988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxqfpjcojxbhkymvu.exe .
1⤵
PID:3320
- C:\Windows\fxqfpjcojxbhkymvu.exe
  fxqfpjcojxbhkymvu.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5388
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\fxqfpjcojxbhkymvu.exe*."
    3⤵
    PID:4640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
1⤵
PID:3096
- C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
  C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
  2⤵
  PID:4076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe .
1⤵
PID:1124
- C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
  C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3924
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bxunbzwmldlvcumzcnpli.exe*."
    3⤵
    PID:180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe
1⤵
PID:4476
- C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe
  2⤵
  PID:6112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe .
1⤵
PID:5740
- C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1860
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\yphvexpauhkprerz.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxqfpjcojxbhkymvu.exe
1⤵
PID:3124
- C:\Windows\fxqfpjcojxbhkymvu.exe
  fxqfpjcojxbhkymvu.exe
  2⤵
  PID:2340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxunbzwmldlvcumzcnpli.exe .
1⤵
PID:4168
- C:\Windows\bxunbzwmldlvcumzcnpli.exe
  bxunbzwmldlvcumzcnpli.exe .
  2⤵
  - Checks computer location settings
  PID:3008
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\bxunbzwmldlvcumzcnpli.exe*."
    3⤵
    PID:5512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhdvifbqofmvbsjvxhid.exe
1⤵
PID:5500
- C:\Windows\mhdvifbqofmvbsjvxhid.exe
  mhdvifbqofmvbsjvxhid.exe
  2⤵
  PID:3956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhdvifbqofmvbsjvxhid.exe .
1⤵
PID:1248
- C:\Windows\mhdvifbqofmvbsjvxhid.exe
  mhdvifbqofmvbsjvxhid.exe .
  2⤵
  - Checks computer location settings
  PID:744
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\mhdvifbqofmvbsjvxhid.exe*."
    3⤵
    PID:1684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
1⤵
PID:5616
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3700
- C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
  2⤵
  PID:2904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe .
1⤵
PID:4072
- C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1640
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ohbrcxreapubfujttb.exe*."
    3⤵
    PID:3476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
1⤵
PID:2344
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:952
- C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
  2⤵
  PID:2784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe .
1⤵
PID:4832
- C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1496
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ztofrniwtjpxcsitudd.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yphvexpauhkprerz.exe
1⤵
PID:116
- C:\Windows\yphvexpauhkprerz.exe
  yphvexpauhkprerz.exe
  2⤵
  PID:1888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yphvexpauhkprerz.exe .
1⤵
PID:5460
- C:\Windows\yphvexpauhkprerz.exe
  yphvexpauhkprerz.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4696
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\yphvexpauhkprerz.exe*."
    3⤵
    PID:2124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yphvexpauhkprerz.exe
1⤵
PID:3724
- C:\Windows\yphvexpauhkprerz.exe
  yphvexpauhkprerz.exe
  2⤵
  PID:5052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohbrcxreapubfujttb.exe .
1⤵
PID:1976
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1500
- C:\Windows\ohbrcxreapubfujttb.exe
  ohbrcxreapubfujttb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:6024
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ohbrcxreapubfujttb.exe*."
    3⤵
    PID:5708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
1⤵
PID:220
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4584
- C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
  2⤵
  PID:1988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe .
1⤵
PID:1960
- C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
  C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4908
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bxunbzwmldlvcumzcnpli.exe*."
    3⤵
    PID:4952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
1⤵
PID:5632
- C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
  2⤵
  PID:2796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe .
1⤵
PID:4472
- C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3500
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ztofrniwtjpxcsitudd.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztofrniwtjpxcsitudd.exe
1⤵
PID:4120
- C:\Windows\ztofrniwtjpxcsitudd.exe
  ztofrniwtjpxcsitudd.exe
  2⤵
  PID:1408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxqfpjcojxbhkymvu.exe .
1⤵
PID:4856
- C:\Windows\fxqfpjcojxbhkymvu.exe
  fxqfpjcojxbhkymvu.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1252
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\fxqfpjcojxbhkymvu.exe*."
    3⤵
    PID:1160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yphvexpauhkprerz.exe
1⤵
PID:2560
- C:\Windows\yphvexpauhkprerz.exe
  yphvexpauhkprerz.exe
  2⤵
  PID:4560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yphvexpauhkprerz.exe .
1⤵
PID:2392
- C:\Windows\yphvexpauhkprerz.exe
  yphvexpauhkprerz.exe .
  2⤵
  - Checks computer location settings
  PID:4436
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\yphvexpauhkprerz.exe*."
    3⤵
    PID:5048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe
1⤵
PID:4236
- C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe
  2⤵
  PID:4988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe .
1⤵
PID:2836
- C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
  C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4348
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bxunbzwmldlvcumzcnpli.exe*."
    3⤵
    PID:5768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
1⤵
PID:4920
- C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
  2⤵
  PID:4904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe .
1⤵
PID:5804
- C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2864
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\yphvexpauhkprerz.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yphvexpauhkprerz.exe
1⤵
PID:1684
- C:\Windows\yphvexpauhkprerz.exe
  yphvexpauhkprerz.exe
  2⤵
  PID:4720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhdvifbqofmvbsjvxhid.exe .
1⤵
PID:1288
- C:\Windows\mhdvifbqofmvbsjvxhid.exe
  mhdvifbqofmvbsjvxhid.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5332
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\mhdvifbqofmvbsjvxhid.exe*."
    3⤵
    PID:5816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztofrniwtjpxcsitudd.exe
1⤵
PID:3764
- C:\Windows\ztofrniwtjpxcsitudd.exe
  ztofrniwtjpxcsitudd.exe
  2⤵
  PID:4016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yphvexpauhkprerz.exe .
1⤵
PID:5476
- C:\Windows\yphvexpauhkprerz.exe
  yphvexpauhkprerz.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1496
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\yphvexpauhkprerz.exe*."
    3⤵
    PID:5484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
1⤵
PID:2160
- C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
  C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
  2⤵
  PID:5764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe .
1⤵
PID:260
- C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe .
  2⤵
  PID:2940
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\yphvexpauhkprerz.exe*."
    3⤵
    PID:516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
1⤵
PID:4088
- C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
  C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
  2⤵
  PID:2564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe .
1⤵
PID:3908
- C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe .
  2⤵
  - Checks computer location settings
  PID:2396
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\fxqfpjcojxbhkymvu.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxqfpjcojxbhkymvu.exe
1⤵
PID:5100
- C:\Windows\fxqfpjcojxbhkymvu.exe
  fxqfpjcojxbhkymvu.exe
  2⤵
  PID:2116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztofrniwtjpxcsitudd.exe .
1⤵
PID:3416
- C:\Windows\ztofrniwtjpxcsitudd.exe
  ztofrniwtjpxcsitudd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3904
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ztofrniwtjpxcsitudd.exe*."
    3⤵
    PID:4076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhdvifbqofmvbsjvxhid.exe
1⤵
PID:3196
- C:\Windows\mhdvifbqofmvbsjvxhid.exe
  mhdvifbqofmvbsjvxhid.exe
  2⤵
  PID:812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yphvexpauhkprerz.exe .
1⤵
PID:4724
- C:\Windows\yphvexpauhkprerz.exe
  yphvexpauhkprerz.exe .
  2⤵
  - Checks computer location settings
  PID:5632
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\yphvexpauhkprerz.exe*."
    3⤵
    PID:5016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe
1⤵
PID:4736
- C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe
  2⤵
  PID:3500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe .
1⤵
PID:4612
- C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe .
  2⤵
  - Checks computer location settings
  PID:636
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\yphvexpauhkprerz.exe*."
    3⤵
    PID:3164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
1⤵
PID:532
- C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
  2⤵
  PID:2188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxunbzwmldlvcumzcnpli.exe
1⤵
PID:2716
- C:\Windows\bxunbzwmldlvcumzcnpli.exe
  bxunbzwmldlvcumzcnpli.exe
  2⤵
  PID:5752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe .
1⤵
PID:1860
- C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe .
  2⤵
  - Checks computer location settings
  PID:3068
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\mhdvifbqofmvbsjvxhid.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxqfpjcojxbhkymvu.exe
1⤵
PID:1436
- C:\Windows\fxqfpjcojxbhkymvu.exe
  fxqfpjcojxbhkymvu.exe
  2⤵
  PID:3120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohbrcxreapubfujttb.exe .
1⤵
PID:4480
- C:\Windows\ohbrcxreapubfujttb.exe
  ohbrcxreapubfujttb.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2488
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ohbrcxreapubfujttb.exe*."
    3⤵
    PID:2340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhdvifbqofmvbsjvxhid.exe .
1⤵
PID:5260
- C:\Windows\mhdvifbqofmvbsjvxhid.exe
  mhdvifbqofmvbsjvxhid.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5076
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\mhdvifbqofmvbsjvxhid.exe*."
    3⤵
    PID:3080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxunbzwmldlvcumzcnpli.exe
1⤵
PID:5508
- C:\Windows\bxunbzwmldlvcumzcnpli.exe
  bxunbzwmldlvcumzcnpli.exe
  2⤵
  PID:5804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxunbzwmldlvcumzcnpli.exe .
1⤵
PID:2720
- C:\Windows\bxunbzwmldlvcumzcnpli.exe
  bxunbzwmldlvcumzcnpli.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:6100
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\bxunbzwmldlvcumzcnpli.exe*."
    3⤵
    PID:2124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxunbzwmldlvcumzcnpli.exe
1⤵
PID:4904
- C:\Windows\bxunbzwmldlvcumzcnpli.exe
  bxunbzwmldlvcumzcnpli.exe
  2⤵
  PID:60

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
1⤵
PID:2560
- C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
  2⤵
  PID:4816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxqfpjcojxbhkymvu.exe .
1⤵
PID:1856
- C:\Windows\fxqfpjcojxbhkymvu.exe
  fxqfpjcojxbhkymvu.exe .
  2⤵
  - Checks computer location settings
  PID:1572
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\fxqfpjcojxbhkymvu.exe*."
    3⤵
    PID:688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe .
1⤵
PID:212
- C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3384
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ohbrcxreapubfujttb.exe*."
    3⤵
    PID:2876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
1⤵
PID:2040
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4720
- C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
  2⤵
  PID:2084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe .
1⤵
PID:3440
- C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
  C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2832
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bxunbzwmldlvcumzcnpli.exe*."
    3⤵
    PID:2756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztofrniwtjpxcsitudd.exe
1⤵
PID:5784
- C:\Windows\ztofrniwtjpxcsitudd.exe
  ztofrniwtjpxcsitudd.exe
  2⤵
  PID:6024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
1⤵
PID:3916
- C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
  C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
  2⤵
  PID:452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe .
1⤵
PID:1496
- C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5708
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ohbrcxreapubfujttb.exe*."
    3⤵
    PID:5196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhdvifbqofmvbsjvxhid.exe .
1⤵
PID:3756
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5476
- C:\Windows\mhdvifbqofmvbsjvxhid.exe
  mhdvifbqofmvbsjvxhid.exe .
  2⤵
  - Checks computer location settings
  PID:3196
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\mhdvifbqofmvbsjvxhid.exe*."
    3⤵
    PID:5996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
1⤵
PID:4432
- C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
  2⤵
  PID:4828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe .
1⤵
PID:5392
- C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1124
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\yphvexpauhkprerz.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yphvexpauhkprerz.exe
1⤵
PID:2396
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3556
- C:\Windows\yphvexpauhkprerz.exe
  yphvexpauhkprerz.exe
  2⤵
  PID:3596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohbrcxreapubfujttb.exe .
1⤵
PID:3048
- C:\Windows\ohbrcxreapubfujttb.exe
  ohbrcxreapubfujttb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1244
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ohbrcxreapubfujttb.exe*."
    3⤵
    PID:4444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
1⤵
PID:2968
- C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
  C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
  2⤵
  PID:2796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe .
1⤵
PID:4176
- C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4932
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ztofrniwtjpxcsitudd.exe*."
    3⤵
    PID:3928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
1⤵
PID:636
- C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
  C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
  2⤵
  PID:4504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe .
1⤵
PID:1160
- C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:532
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\yphvexpauhkprerz.exe*."
    3⤵
    PID:4452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztofrniwtjpxcsitudd.exe
1⤵
PID:2244
- C:\Windows\ztofrniwtjpxcsitudd.exe
  ztofrniwtjpxcsitudd.exe
  2⤵
  PID:3608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhdvifbqofmvbsjvxhid.exe .
1⤵
PID:3060
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:228
- C:\Windows\mhdvifbqofmvbsjvxhid.exe
  mhdvifbqofmvbsjvxhid.exe .
  2⤵
  PID:3532
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\mhdvifbqofmvbsjvxhid.exe*."
    3⤵
    PID:4824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhdvifbqofmvbsjvxhid.exe
1⤵
PID:3232
- C:\Windows\mhdvifbqofmvbsjvxhid.exe
  mhdvifbqofmvbsjvxhid.exe
  2⤵
  PID:2152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxunbzwmldlvcumzcnpli.exe .
1⤵
PID:772
- C:\Windows\bxunbzwmldlvcumzcnpli.exe
  bxunbzwmldlvcumzcnpli.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4916
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\bxunbzwmldlvcumzcnpli.exe*."
    3⤵
    PID:4904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe
1⤵
PID:3624
- C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe
  2⤵
  PID:2868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe .
1⤵
PID:5432
- C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe .
  2⤵
  - Checks computer location settings
  PID:5532
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\fxqfpjcojxbhkymvu.exe*."
    3⤵
    PID:3084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe
1⤵
PID:1516
- C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe
  2⤵
  PID:3320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe .
1⤵
PID:2876
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3736
- C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6120
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ztofrniwtjpxcsitudd.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohbrcxreapubfujttb.exe
1⤵
PID:4356
- C:\Windows\ohbrcxreapubfujttb.exe
  ohbrcxreapubfujttb.exe
  2⤵
  PID:1076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxunbzwmldlvcumzcnpli.exe .
1⤵
PID:5844
- C:\Windows\bxunbzwmldlvcumzcnpli.exe
  bxunbzwmldlvcumzcnpli.exe .
  2⤵
  - Checks computer location settings
  PID:5104
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\bxunbzwmldlvcumzcnpli.exe*."
    3⤵
    PID:2404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztofrniwtjpxcsitudd.exe
1⤵
PID:4920
- C:\Windows\ztofrniwtjpxcsitudd.exe
  ztofrniwtjpxcsitudd.exe
  2⤵
  PID:3512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztofrniwtjpxcsitudd.exe .
1⤵
PID:5616
- C:\Windows\ztofrniwtjpxcsitudd.exe
  ztofrniwtjpxcsitudd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:932
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ztofrniwtjpxcsitudd.exe*."
    3⤵
    PID:2176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
1⤵
PID:4500
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5484
- C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
  2⤵
  PID:5308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe .
1⤵
PID:5708
- C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3416
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\mhdvifbqofmvbsjvxhid.exe*."
    3⤵
    PID:388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
1⤵
PID:3748
- C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
  C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
  2⤵
  PID:5768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe .
1⤵
PID:2272
- C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5988
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ohbrcxreapubfujttb.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxunbzwmldlvcumzcnpli.exe
1⤵
PID:2920
- C:\Windows\bxunbzwmldlvcumzcnpli.exe
  bxunbzwmldlvcumzcnpli.exe
  2⤵
  PID:5976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohbrcxreapubfujttb.exe .
1⤵
PID:4476
- C:\Windows\ohbrcxreapubfujttb.exe
  ohbrcxreapubfujttb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4484
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ohbrcxreapubfujttb.exe*."
    3⤵
    PID:4680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztofrniwtjpxcsitudd.exe
1⤵
PID:1680
- C:\Windows\ztofrniwtjpxcsitudd.exe
  ztofrniwtjpxcsitudd.exe
  2⤵
  PID:3852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztofrniwtjpxcsitudd.exe .
1⤵
PID:4208
- C:\Windows\ztofrniwtjpxcsitudd.exe
  ztofrniwtjpxcsitudd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2916
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ztofrniwtjpxcsitudd.exe*."
    3⤵
    PID:3996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe
1⤵
PID:1248
- C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe
  2⤵
  PID:5544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe .
1⤵
PID:408
- C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
  C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe .
  2⤵
  PID:4672
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bxunbzwmldlvcumzcnpli.exe*."
    3⤵
    PID:4548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe
1⤵
PID:4632
- C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe
  2⤵
  PID:3624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe .
1⤵
PID:4080
- C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3504
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\mhdvifbqofmvbsjvxhid.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxqfpjcojxbhkymvu.exe
1⤵
PID:516
- C:\Windows\fxqfpjcojxbhkymvu.exe
  fxqfpjcojxbhkymvu.exe
  2⤵
  PID:1280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhdvifbqofmvbsjvxhid.exe .
1⤵
PID:316
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2124
- C:\Windows\mhdvifbqofmvbsjvxhid.exe
  mhdvifbqofmvbsjvxhid.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4492
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\mhdvifbqofmvbsjvxhid.exe*."
    3⤵
    PID:6024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhdvifbqofmvbsjvxhid.exe
1⤵
PID:2748
- C:\Windows\mhdvifbqofmvbsjvxhid.exe
  mhdvifbqofmvbsjvxhid.exe
  2⤵
  PID:3476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxunbzwmldlvcumzcnpli.exe .
1⤵
PID:5528
- C:\Windows\bxunbzwmldlvcumzcnpli.exe
  bxunbzwmldlvcumzcnpli.exe .
  2⤵
  - Checks computer location settings
  PID:3908
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\bxunbzwmldlvcumzcnpli.exe*."
    3⤵
    PID:5240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
1⤵
PID:6056
- C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
  2⤵
  PID:1772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe .
1⤵
PID:3892
- C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2720
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\yphvexpauhkprerz.exe*."
    3⤵
    PID:2776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe
1⤵
PID:916
- C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe
  2⤵
  PID:2848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe .
1⤵
PID:1580
- C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe .
  2⤵
  - Checks computer location settings
  PID:1916
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\fxqfpjcojxbhkymvu.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yphvexpauhkprerz.exe
1⤵
PID:3136
- C:\Windows\yphvexpauhkprerz.exe
  yphvexpauhkprerz.exe
  2⤵
  PID:4816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxunbzwmldlvcumzcnpli.exe .
1⤵
PID:3048
- C:\Windows\bxunbzwmldlvcumzcnpli.exe
  bxunbzwmldlvcumzcnpli.exe .
  2⤵
  - Checks computer location settings
  PID:5160
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\bxunbzwmldlvcumzcnpli.exe*."
    3⤵
    PID:3324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxunbzwmldlvcumzcnpli.exe
1⤵
PID:3964
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4504
- C:\Windows\bxunbzwmldlvcumzcnpli.exe
  bxunbzwmldlvcumzcnpli.exe
  2⤵
  PID:1600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztofrniwtjpxcsitudd.exe .
1⤵
PID:4612
- C:\Windows\ztofrniwtjpxcsitudd.exe
  ztofrniwtjpxcsitudd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3020
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ztofrniwtjpxcsitudd.exe*."
    3⤵
    PID:2920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
1⤵
PID:336
- C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
  2⤵
  PID:2504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe .
1⤵
PID:544
- C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
  C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4056
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bxunbzwmldlvcumzcnpli.exe*."
    3⤵
    PID:1252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
1⤵
PID:6112
- C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
  2⤵
  PID:5536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe .
1⤵
PID:1972
- C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe .
  2⤵
  PID:4576
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ohbrcxreapubfujttb.exe*."
    3⤵
    PID:3996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhdvifbqofmvbsjvxhid.exe
1⤵
PID:2592
- C:\Windows\mhdvifbqofmvbsjvxhid.exe
  mhdvifbqofmvbsjvxhid.exe
  2⤵
  PID:2152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhdvifbqofmvbsjvxhid.exe .
1⤵
PID:1780
- C:\Windows\mhdvifbqofmvbsjvxhid.exe
  mhdvifbqofmvbsjvxhid.exe .
  2⤵
  PID:4564
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\mhdvifbqofmvbsjvxhid.exe*."
    3⤵
    PID:5188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohbrcxreapubfujttb.exe
1⤵
PID:3760
- C:\Windows\ohbrcxreapubfujttb.exe
  ohbrcxreapubfujttb.exe
  2⤵
  PID:2932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxunbzwmldlvcumzcnpli.exe
1⤵
PID:3456
- C:\Windows\bxunbzwmldlvcumzcnpli.exe
  bxunbzwmldlvcumzcnpli.exe
  2⤵
  PID:3432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhdvifbqofmvbsjvxhid.exe .
1⤵
PID:744
- C:\Windows\mhdvifbqofmvbsjvxhid.exe
  mhdvifbqofmvbsjvxhid.exe .
  2⤵
  PID:3476
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\mhdvifbqofmvbsjvxhid.exe*."
    3⤵
    PID:1772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxqfpjcojxbhkymvu.exe
1⤵
PID:2500
- C:\Windows\fxqfpjcojxbhkymvu.exe
  fxqfpjcojxbhkymvu.exe
  2⤵
  PID:5240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
1⤵
PID:5816
- C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
  2⤵
  PID:3284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztofrniwtjpxcsitudd.exe .
1⤵
PID:6132
- C:\Windows\ztofrniwtjpxcsitudd.exe
  ztofrniwtjpxcsitudd.exe .
  2⤵
  PID:2760
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ztofrniwtjpxcsitudd.exe*."
    3⤵
    PID:3096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe .
1⤵
PID:1880
- C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe .
  2⤵
  PID:5304
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\yphvexpauhkprerz.exe*."
    3⤵
    PID:4692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohbrcxreapubfujttb.exe .
1⤵
PID:6024
- C:\Windows\ohbrcxreapubfujttb.exe
  ohbrcxreapubfujttb.exe .
  2⤵
  PID:5452
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ohbrcxreapubfujttb.exe*."
    3⤵
    PID:4056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxqfpjcojxbhkymvu.exe
1⤵
PID:2476
- C:\Windows\fxqfpjcojxbhkymvu.exe
  fxqfpjcojxbhkymvu.exe
  2⤵
  PID:5320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohbrcxreapubfujttb.exe .
1⤵
PID:5528
- C:\Windows\ohbrcxreapubfujttb.exe
  ohbrcxreapubfujttb.exe .
  2⤵
  PID:4976
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ohbrcxreapubfujttb.exe*."
    3⤵
    PID:1860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxqfpjcojxbhkymvu.exe
1⤵
PID:5692
- C:\Windows\fxqfpjcojxbhkymvu.exe
  fxqfpjcojxbhkymvu.exe
  2⤵
  PID:5748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe
1⤵
PID:2148
- C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe
  2⤵
  PID:6096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
1⤵
PID:3452
- C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
  2⤵
  PID:5224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztofrniwtjpxcsitudd.exe .
1⤵
PID:1196
- C:\Windows\ztofrniwtjpxcsitudd.exe
  ztofrniwtjpxcsitudd.exe .
  2⤵
  PID:4988
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ztofrniwtjpxcsitudd.exe*."
    3⤵
    PID:824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe .
1⤵
PID:2548
- C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe .
  2⤵
  PID:4820
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ohbrcxreapubfujttb.exe*."
    3⤵
    PID:4176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe .
1⤵
PID:5736
- C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe .
  2⤵
  PID:4480
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\yphvexpauhkprerz.exe*."
    3⤵
    PID:4564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
1⤵
PID:2892
- C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
  C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
  2⤵
  PID:2200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe .
1⤵
PID:5840
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:388
- C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe .
  2⤵
  PID:940
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\fxqfpjcojxbhkymvu.exe*."
    3⤵
    PID:2164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
1⤵
PID:3928
- C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
  2⤵
  PID:5872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe .
1⤵
PID:4840
- C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe .
  2⤵
  PID:3060
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\mhdvifbqofmvbsjvxhid.exe*."
    3⤵
    PID:4196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
1⤵
PID:4120
- C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
  2⤵
  PID:1640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe .
1⤵
PID:5392
- C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe .
  2⤵
  PID:1280
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ztofrniwtjpxcsitudd.exe*."
    3⤵
    PID:5400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhdvifbqofmvbsjvxhid.exe
1⤵
PID:5048
- C:\Windows\mhdvifbqofmvbsjvxhid.exe
  mhdvifbqofmvbsjvxhid.exe
  2⤵
  PID:772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxqfpjcojxbhkymvu.exe .
1⤵
PID:4208
- C:\Windows\fxqfpjcojxbhkymvu.exe
  fxqfpjcojxbhkymvu.exe .
  2⤵
  PID:4712
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\fxqfpjcojxbhkymvu.exe*."
    3⤵
    PID:4164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yphvexpauhkprerz.exe
1⤵
PID:3944
- C:\Windows\yphvexpauhkprerz.exe
  yphvexpauhkprerz.exe
  2⤵
  PID:4060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhdvifbqofmvbsjvxhid.exe .
1⤵
PID:1436
- C:\Windows\mhdvifbqofmvbsjvxhid.exe
  mhdvifbqofmvbsjvxhid.exe .
  2⤵
  PID:696
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\mhdvifbqofmvbsjvxhid.exe*."
    3⤵
    PID:5104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
1⤵
PID:3476
- C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
  2⤵
  PID:3972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe .
1⤵
PID:688
- C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe .
  2⤵
  PID:2500
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ohbrcxreapubfujttb.exe*."
    3⤵
    PID:4460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
1⤵
PID:5556
- C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
  2⤵
  PID:3440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe .
1⤵
PID:4348
- C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
  C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe .
  2⤵
  PID:5460
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bxunbzwmldlvcumzcnpli.exe*."
    3⤵
    PID:3172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yphvexpauhkprerz.exe
1⤵
PID:2056
- C:\Windows\yphvexpauhkprerz.exe
  yphvexpauhkprerz.exe
  2⤵
  PID:4504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxunbzwmldlvcumzcnpli.exe .
1⤵
PID:2432
- C:\Windows\bxunbzwmldlvcumzcnpli.exe
  bxunbzwmldlvcumzcnpli.exe .
  2⤵
  PID:4436
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\bxunbzwmldlvcumzcnpli.exe*."
    3⤵
    PID:5876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxqfpjcojxbhkymvu.exe
1⤵
PID:2228
- C:\Windows\fxqfpjcojxbhkymvu.exe
  fxqfpjcojxbhkymvu.exe
  2⤵
  PID:4516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yphvexpauhkprerz.exe .
1⤵
PID:4344
- C:\Windows\yphvexpauhkprerz.exe
  yphvexpauhkprerz.exe .
  2⤵
  PID:464
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\yphvexpauhkprerz.exe*."
    3⤵
    PID:4696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
1⤵
PID:2776
- C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
  C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
  2⤵
  PID:5708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe .
1⤵
PID:976
- C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
  C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe .
  2⤵
  PID:2588
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bxunbzwmldlvcumzcnpli.exe*."
    3⤵
    PID:4432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
1⤵
PID:1684
- C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
  C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
  2⤵
  PID:8

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe .
1⤵
PID:3660
- C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe .
  2⤵
  PID:4160
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\yphvexpauhkprerz.exe*."
    3⤵
    PID:4904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohbrcxreapubfujttb.exe
1⤵
PID:6072
- C:\Windows\ohbrcxreapubfujttb.exe
  ohbrcxreapubfujttb.exe
  2⤵
  PID:4756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxqfpjcojxbhkymvu.exe .
1⤵
PID:3616
- C:\Windows\fxqfpjcojxbhkymvu.exe
  fxqfpjcojxbhkymvu.exe .
  2⤵
  PID:6112
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\fxqfpjcojxbhkymvu.exe*."
    3⤵
    PID:2424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztofrniwtjpxcsitudd.exe
1⤵
PID:4136
- C:\Windows\ztofrniwtjpxcsitudd.exe
  ztofrniwtjpxcsitudd.exe
  2⤵
  PID:3728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxunbzwmldlvcumzcnpli.exe .
1⤵
PID:3020
- C:\Windows\bxunbzwmldlvcumzcnpli.exe
  bxunbzwmldlvcumzcnpli.exe .
  2⤵
  PID:3912
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\bxunbzwmldlvcumzcnpli.exe*."
    3⤵
    PID:1984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
1⤵
PID:3944
- C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
  2⤵
  PID:3972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe .
1⤵
PID:2340
- C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe .
  2⤵
  PID:4764
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\fxqfpjcojxbhkymvu.exe*."
    3⤵
    PID:2152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
1⤵
PID:5432
- C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
  2⤵
  PID:4080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe .
1⤵
PID:1516
- C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe .
  2⤵
  PID:3892
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ohbrcxreapubfujttb.exe*."
    3⤵
    PID:2396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yphvexpauhkprerz.exe
1⤵
PID:3996
- C:\Windows\yphvexpauhkprerz.exe
  yphvexpauhkprerz.exe
  2⤵
  PID:2628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztofrniwtjpxcsitudd.exe .
1⤵
PID:1716
- C:\Windows\ztofrniwtjpxcsitudd.exe
  ztofrniwtjpxcsitudd.exe .
  2⤵
  PID:3596
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ztofrniwtjpxcsitudd.exe*."
    3⤵
    PID:3648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxunbzwmldlvcumzcnpli.exe
1⤵
PID:4100
- C:\Windows\bxunbzwmldlvcumzcnpli.exe
  bxunbzwmldlvcumzcnpli.exe
  2⤵
  PID:4504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohbrcxreapubfujttb.exe .
1⤵
PID:3068
- C:\Windows\ohbrcxreapubfujttb.exe
  ohbrcxreapubfujttb.exe .
  2⤵
  PID:5968
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ohbrcxreapubfujttb.exe*."
    3⤵
    PID:1972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
1⤵
PID:5404
- C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
  2⤵
  PID:1252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe .
1⤵
PID:4472
- C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe .
  2⤵
  PID:4736
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\yphvexpauhkprerz.exe*."
    3⤵
    PID:5980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe
1⤵
PID:4076
- C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe
  2⤵
  PID:4696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe .
1⤵
PID:2508
- C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe .
  2⤵
  PID:2988
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\fxqfpjcojxbhkymvu.exe*."
    3⤵
    PID:1680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhdvifbqofmvbsjvxhid.exe
1⤵
PID:8
- C:\Windows\mhdvifbqofmvbsjvxhid.exe
  mhdvifbqofmvbsjvxhid.exe
  2⤵
  PID:5676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yphvexpauhkprerz.exe .
1⤵
PID:2344
- C:\Windows\yphvexpauhkprerz.exe
  yphvexpauhkprerz.exe .
  2⤵
  PID:4160
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\yphvexpauhkprerz.exe*."
    3⤵
    PID:3748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhdvifbqofmvbsjvxhid.exe
1⤵
PID:5372
- C:\Windows\mhdvifbqofmvbsjvxhid.exe
  mhdvifbqofmvbsjvxhid.exe
  2⤵
  PID:2516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxunbzwmldlvcumzcnpli.exe .
1⤵
PID:4232
- C:\Windows\bxunbzwmldlvcumzcnpli.exe
  bxunbzwmldlvcumzcnpli.exe .
  2⤵
  PID:5544
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\bxunbzwmldlvcumzcnpli.exe*."
    3⤵
    PID:1564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe
1⤵
PID:4640
- C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe
  2⤵
  PID:1256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe .
1⤵
PID:2696
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5332
- C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe .
  2⤵
  PID:4936
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ohbrcxreapubfujttb.exe*."
    3⤵
    PID:4744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
1⤵
PID:5280
- C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
  2⤵
  PID:4136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe .
1⤵
PID:5756
- C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe .
  2⤵
  PID:2188
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ohbrcxreapubfujttb.exe*."
    3⤵
    PID:3764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohbrcxreapubfujttb.exe
1⤵
PID:4352
- C:\Windows\ohbrcxreapubfujttb.exe
  ohbrcxreapubfujttb.exe
  2⤵
  PID:612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yphvexpauhkprerz.exe .
1⤵
PID:4764
- C:\Windows\yphvexpauhkprerz.exe
  yphvexpauhkprerz.exe .
  2⤵
  PID:2340
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\yphvexpauhkprerz.exe*."
    3⤵
    PID:2528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yphvexpauhkprerz.exe
1⤵
PID:6100
- C:\Windows\yphvexpauhkprerz.exe
  yphvexpauhkprerz.exe
  2⤵
  PID:2500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yphvexpauhkprerz.exe .
1⤵
PID:4904
- C:\Windows\yphvexpauhkprerz.exe
  yphvexpauhkprerz.exe .
  2⤵
  PID:3988
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\yphvexpauhkprerz.exe*."
    3⤵
    PID:3908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
1⤵
PID:4556
- C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
  2⤵
  PID:2628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe .
1⤵
PID:4404
- C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe .
  2⤵
  PID:5164
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ztofrniwtjpxcsitudd.exe*."
    3⤵
    PID:5256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe
1⤵
PID:3120
- C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe
  2⤵
  PID:4912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe .
1⤵
PID:5784
- C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe .
  2⤵
  PID:1540
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\yphvexpauhkprerz.exe*."
    3⤵
    PID:1524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxunbzwmldlvcumzcnpli.exe
1⤵
PID:5708
- C:\Windows\bxunbzwmldlvcumzcnpli.exe
  bxunbzwmldlvcumzcnpli.exe
  2⤵
  PID:3088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohbrcxreapubfujttb.exe .
1⤵
PID:5488
- C:\Windows\ohbrcxreapubfujttb.exe
  ohbrcxreapubfujttb.exe .
  2⤵
  PID:3296
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ohbrcxreapubfujttb.exe*."
    3⤵
    PID:2796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhdvifbqofmvbsjvxhid.exe
1⤵
PID:3556
- C:\Windows\mhdvifbqofmvbsjvxhid.exe
  mhdvifbqofmvbsjvxhid.exe
  2⤵
  PID:1204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxunbzwmldlvcumzcnpli.exe
1⤵
PID:5472
- C:\Windows\bxunbzwmldlvcumzcnpli.exe
  bxunbzwmldlvcumzcnpli.exe
  2⤵
  PID:5380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yphvexpauhkprerz.exe .
1⤵
PID:2892
- C:\Windows\yphvexpauhkprerz.exe
  yphvexpauhkprerz.exe .
  2⤵
  PID:748
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\yphvexpauhkprerz.exe*."
    3⤵
    PID:4612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztofrniwtjpxcsitudd.exe .
1⤵
PID:8
- C:\Windows\ztofrniwtjpxcsitudd.exe
  ztofrniwtjpxcsitudd.exe .
  2⤵
  PID:1756
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ztofrniwtjpxcsitudd.exe*."
    3⤵
    PID:2152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztofrniwtjpxcsitudd.exe
1⤵
PID:3356
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3956
- C:\Windows\ztofrniwtjpxcsitudd.exe
  ztofrniwtjpxcsitudd.exe
  2⤵
  PID:224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe
1⤵
PID:2780
- C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe
  2⤵
  PID:5544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe .
1⤵
PID:4952
- C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
  C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe .
  2⤵
  PID:4252
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bxunbzwmldlvcumzcnpli.exe*."
    3⤵
    PID:5340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yphvexpauhkprerz.exe
1⤵
PID:6108
- C:\Windows\yphvexpauhkprerz.exe
  yphvexpauhkprerz.exe
  2⤵
  PID:4584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztofrniwtjpxcsitudd.exe .
1⤵
PID:5032
- C:\Windows\ztofrniwtjpxcsitudd.exe
  ztofrniwtjpxcsitudd.exe .
  2⤵
  PID:3064
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ztofrniwtjpxcsitudd.exe*."
    3⤵
    PID:5104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztofrniwtjpxcsitudd.exe .
1⤵
PID:4724
- C:\Windows\ztofrniwtjpxcsitudd.exe
  ztofrniwtjpxcsitudd.exe .
  2⤵
  PID:2772
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ztofrniwtjpxcsitudd.exe*."
    3⤵
    PID:4504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
1⤵
PID:5368
- C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
  2⤵
  PID:2920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yphvexpauhkprerz.exe
1⤵
PID:3388
- C:\Windows\yphvexpauhkprerz.exe
  yphvexpauhkprerz.exe
  2⤵
  PID:4912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
1⤵
PID:536
- C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
  2⤵
  PID:760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxunbzwmldlvcumzcnpli.exe .
1⤵
PID:3760
- C:\Windows\bxunbzwmldlvcumzcnpli.exe
  bxunbzwmldlvcumzcnpli.exe .
  2⤵
  PID:3436
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\bxunbzwmldlvcumzcnpli.exe*."
    3⤵
    PID:4516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe .
1⤵
PID:2188
- C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe .
  2⤵
  PID:1252
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\fxqfpjcojxbhkymvu.exe*."
    3⤵
    PID:1408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe .
1⤵
PID:2120
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2904
- C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe .
  2⤵
  PID:5724
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ztofrniwtjpxcsitudd.exe*."
    3⤵
    PID:1480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
1⤵
PID:1304
- C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
  2⤵
  PID:4560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe .
1⤵
PID:5240
- C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe .
  2⤵
  PID:1524
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\yphvexpauhkprerz.exe*."
    3⤵
    PID:1772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
1⤵
PID:6060
- C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
  2⤵
  PID:5432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe .
1⤵
PID:3168
- C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe .
  2⤵
  PID:2056
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ohbrcxreapubfujttb.exe*."
    3⤵
    PID:3556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe
1⤵
PID:3988
- C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe
  2⤵
  PID:3048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe .
1⤵
PID:3724
- C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe .
  2⤵
  PID:3772
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\mhdvifbqofmvbsjvxhid.exe*."
    3⤵
    PID:5844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhdvifbqofmvbsjvxhid.exe
1⤵
PID:428
- C:\Windows\mhdvifbqofmvbsjvxhid.exe
  mhdvifbqofmvbsjvxhid.exe
  2⤵
  PID:2364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yphvexpauhkprerz.exe .
1⤵
PID:3452
- C:\Windows\yphvexpauhkprerz.exe
  yphvexpauhkprerz.exe .
  2⤵
  PID:5600
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\yphvexpauhkprerz.exe*."
    3⤵
    PID:116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohbrcxreapubfujttb.exe
1⤵
PID:2588
- C:\Windows\ohbrcxreapubfujttb.exe
  ohbrcxreapubfujttb.exe
  2⤵
  PID:4640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yphvexpauhkprerz.exe .
1⤵
PID:2396
- C:\Windows\yphvexpauhkprerz.exe
  yphvexpauhkprerz.exe .
  2⤵
  PID:4048
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\yphvexpauhkprerz.exe*."
    3⤵
    PID:3320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
1⤵
PID:5472
- C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
  2⤵
  PID:2412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe .
1⤵
PID:224
- C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
  C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe .
  2⤵
  PID:1984
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bxunbzwmldlvcumzcnpli.exe*."
    3⤵
    PID:3384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
1⤵
PID:5840
- C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
  2⤵
  PID:3196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe .
1⤵
PID:2488
- C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe .
  2⤵
  PID:4468
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ohbrcxreapubfujttb.exe*."
    3⤵
    PID:2628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhdvifbqofmvbsjvxhid.exe
1⤵
PID:4348
- C:\Windows\mhdvifbqofmvbsjvxhid.exe
  mhdvifbqofmvbsjvxhid.exe
  2⤵
  PID:1256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yphvexpauhkprerz.exe .
1⤵
PID:5672
- C:\Windows\yphvexpauhkprerz.exe
  yphvexpauhkprerz.exe .
  2⤵
  PID:5620
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\yphvexpauhkprerz.exe*."
    3⤵
    PID:1672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxqfpjcojxbhkymvu.exe
1⤵
PID:1568
- C:\Windows\fxqfpjcojxbhkymvu.exe
  fxqfpjcojxbhkymvu.exe
  2⤵
  PID:3388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztofrniwtjpxcsitudd.exe .
1⤵
PID:4720
- C:\Windows\ztofrniwtjpxcsitudd.exe
  ztofrniwtjpxcsitudd.exe .
  2⤵
  PID:6136
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ztofrniwtjpxcsitudd.exe*."
    3⤵
    PID:2164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
1⤵
PID:3080
- C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
  2⤵
  PID:2200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe .
1⤵
PID:1280
- C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe .
  2⤵
  PID:1304
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\fxqfpjcojxbhkymvu.exe*."
    3⤵
    PID:1140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
1⤵
PID:2084
- C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
  2⤵
  PID:4472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe .
1⤵
PID:1708
- C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
  C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe .
  2⤵
  PID:2444
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bxunbzwmldlvcumzcnpli.exe*."
    3⤵
    PID:2652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxqfpjcojxbhkymvu.exe
1⤵
PID:1160
- C:\Windows\fxqfpjcojxbhkymvu.exe
  fxqfpjcojxbhkymvu.exe
  2⤵
  PID:4840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztofrniwtjpxcsitudd.exe .
1⤵
PID:1688
- C:\Windows\ztofrniwtjpxcsitudd.exe
  ztofrniwtjpxcsitudd.exe .
  2⤵
  PID:552
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ztofrniwtjpxcsitudd.exe*."
    3⤵
    PID:3908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohbrcxreapubfujttb.exe
1⤵
PID:612
- C:\Windows\ohbrcxreapubfujttb.exe
  ohbrcxreapubfujttb.exe
  2⤵
  PID:2748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohbrcxreapubfujttb.exe .
1⤵
PID:3168
- C:\Windows\ohbrcxreapubfujttb.exe
  ohbrcxreapubfujttb.exe .
  2⤵
  PID:4696
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ohbrcxreapubfujttb.exe*."
    3⤵
    PID:1976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
1⤵
PID:4816
- C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
  2⤵
  PID:3748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe .
1⤵
PID:5968
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2796
- C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe .
  2⤵
  PID:5588
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ztofrniwtjpxcsitudd.exe*."
    3⤵
    PID:5472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
1⤵
PID:4852
- C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
  C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
  2⤵
  PID:1880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe .
1⤵
PID:5384
- C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
  C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe .
  2⤵
  PID:1048
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bxunbzwmldlvcumzcnpli.exe*."
    3⤵
    PID:1984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxunbzwmldlvcumzcnpli.exe
1⤵
PID:952
- C:\Windows\bxunbzwmldlvcumzcnpli.exe
  bxunbzwmldlvcumzcnpli.exe
  2⤵
  PID:5816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohbrcxreapubfujttb.exe .
1⤵
PID:3776
- C:\Windows\ohbrcxreapubfujttb.exe
  ohbrcxreapubfujttb.exe .
  2⤵
  PID:2808
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ohbrcxreapubfujttb.exe*."
    3⤵
    PID:5992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhdvifbqofmvbsjvxhid.exe
1⤵
PID:4252
- C:\Windows\mhdvifbqofmvbsjvxhid.exe
  mhdvifbqofmvbsjvxhid.exe
  2⤵
  PID:2476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhdvifbqofmvbsjvxhid.exe .
1⤵
PID:5316
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2488
- C:\Windows\mhdvifbqofmvbsjvxhid.exe
  mhdvifbqofmvbsjvxhid.exe .
  2⤵
  PID:4024
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\mhdvifbqofmvbsjvxhid.exe*."
    3⤵
    PID:5208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
1⤵
PID:2284
- C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
  C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
  2⤵
  PID:4504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe .
1⤵
PID:2272
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3120
- C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe .
  2⤵
  PID:4348
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\mhdvifbqofmvbsjvxhid.exe*."
    3⤵
    PID:4560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
1⤵
PID:1856
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:764
- C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
  2⤵
  PID:812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe .
1⤵
PID:1032
- C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe .
  2⤵
  PID:1568
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\fxqfpjcojxbhkymvu.exe*."
    3⤵
    PID:4564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxunbzwmldlvcumzcnpli.exe
1⤵
PID:3080
- C:\Windows\bxunbzwmldlvcumzcnpli.exe
  bxunbzwmldlvcumzcnpli.exe
  2⤵
  PID:2176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxunbzwmldlvcumzcnpli.exe .
1⤵
PID:4876
- C:\Windows\bxunbzwmldlvcumzcnpli.exe
  bxunbzwmldlvcumzcnpli.exe .
  2⤵
  PID:4648
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\bxunbzwmldlvcumzcnpli.exe*."
    3⤵
    PID:464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhdvifbqofmvbsjvxhid.exe
1⤵
PID:1916
- C:\Windows\mhdvifbqofmvbsjvxhid.exe
  mhdvifbqofmvbsjvxhid.exe
  2⤵
  PID:2980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhdvifbqofmvbsjvxhid.exe .
1⤵
PID:3844
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4824
- C:\Windows\mhdvifbqofmvbsjvxhid.exe
  mhdvifbqofmvbsjvxhid.exe .
  2⤵
  PID:6024
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\mhdvifbqofmvbsjvxhid.exe*."
    3⤵
    PID:1480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe
1⤵
PID:5176
- C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe
  2⤵
  PID:1708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe .
1⤵
PID:2388
- C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe .
  2⤵
  PID:2784
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\fxqfpjcojxbhkymvu.exe*."
    3⤵
    PID:1804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
1⤵
PID:4112
- C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
  C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
  2⤵
  PID:1244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe .
1⤵
PID:2904
- C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe .
  2⤵
  PID:3556
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ztofrniwtjpxcsitudd.exe*."
    3⤵
    PID:5452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxqfpjcojxbhkymvu.exe
1⤵
PID:4356
- C:\Windows\fxqfpjcojxbhkymvu.exe
  fxqfpjcojxbhkymvu.exe
  2⤵
  PID:4536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxqfpjcojxbhkymvu.exe .
1⤵
PID:1332
- C:\Windows\fxqfpjcojxbhkymvu.exe
  fxqfpjcojxbhkymvu.exe .
  2⤵
  PID:3496
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\fxqfpjcojxbhkymvu.exe*."
    3⤵
    PID:3964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxqfpjcojxbhkymvu.exe
1⤵
PID:2392
- C:\Windows\fxqfpjcojxbhkymvu.exe
  fxqfpjcojxbhkymvu.exe
  2⤵
  PID:2536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxqfpjcojxbhkymvu.exe .
1⤵
PID:932
- C:\Windows\fxqfpjcojxbhkymvu.exe
  fxqfpjcojxbhkymvu.exe .
  2⤵
  PID:1544
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\fxqfpjcojxbhkymvu.exe*."
    3⤵
    PID:1048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe
1⤵
PID:5256
- C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe
  2⤵
  PID:1620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe .
1⤵
PID:5492
- C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe .
  2⤵
  PID:1284
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\fxqfpjcojxbhkymvu.exe*."
    3⤵
    PID:4612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
1⤵
PID:5508
- C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
  2⤵
  PID:5816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe .
1⤵
PID:5116
- C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe .
  2⤵
  PID:4508
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\mhdvifbqofmvbsjvxhid.exe*."
    3⤵
    PID:5240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxunbzwmldlvcumzcnpli.exe
1⤵
PID:4468
- C:\Windows\bxunbzwmldlvcumzcnpli.exe
  bxunbzwmldlvcumzcnpli.exe
  2⤵
  PID:5048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxqfpjcojxbhkymvu.exe
1⤵
PID:4576
- C:\Windows\fxqfpjcojxbhkymvu.exe
  fxqfpjcojxbhkymvu.exe
  2⤵
  PID:5136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yphvexpauhkprerz.exe .
1⤵
PID:3084
- C:\Windows\yphvexpauhkprerz.exe
  yphvexpauhkprerz.exe .
  2⤵
  PID:4056
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\yphvexpauhkprerz.exe*."
    3⤵
    PID:4724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhdvifbqofmvbsjvxhid.exe
1⤵
PID:8
- C:\Windows\mhdvifbqofmvbsjvxhid.exe
  mhdvifbqofmvbsjvxhid.exe
  2⤵
  PID:1672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhdvifbqofmvbsjvxhid.exe .
1⤵
PID:1092
- C:\Windows\mhdvifbqofmvbsjvxhid.exe
  mhdvifbqofmvbsjvxhid.exe .
  2⤵
  PID:1856
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\mhdvifbqofmvbsjvxhid.exe*."
    3⤵
    PID:4720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohbrcxreapubfujttb.exe
1⤵
PID:3648
- C:\Windows\ohbrcxreapubfujttb.exe
  ohbrcxreapubfujttb.exe
  2⤵
  PID:4136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxunbzwmldlvcumzcnpli.exe .
1⤵
PID:5280
- C:\Windows\bxunbzwmldlvcumzcnpli.exe
  bxunbzwmldlvcumzcnpli.exe .
  2⤵
  PID:5228
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\bxunbzwmldlvcumzcnpli.exe*."
    3⤵
    PID:3944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yphvexpauhkprerz.exe
1⤵
PID:2548
- C:\Windows\yphvexpauhkprerz.exe
  yphvexpauhkprerz.exe
  2⤵
  PID:3764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohbrcxreapubfujttb.exe .
1⤵
PID:1568
- C:\Windows\ohbrcxreapubfujttb.exe
  ohbrcxreapubfujttb.exe .
  2⤵
  PID:2408
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ohbrcxreapubfujttb.exe*."
    3⤵
    PID:612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
1⤵
PID:4332
- C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
  2⤵
  PID:5248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxqfpjcojxbhkymvu.exe
1⤵
PID:1416
- C:\Windows\fxqfpjcojxbhkymvu.exe
  fxqfpjcojxbhkymvu.exe
  2⤵
  PID:1500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztofrniwtjpxcsitudd.exe .
1⤵
PID:5784
- C:\Windows\ztofrniwtjpxcsitudd.exe
  ztofrniwtjpxcsitudd.exe .
  2⤵
  PID:3124
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ztofrniwtjpxcsitudd.exe*."
    3⤵
    PID:3804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxqfpjcojxbhkymvu.exe .
1⤵
PID:5764
- C:\Windows\fxqfpjcojxbhkymvu.exe
  fxqfpjcojxbhkymvu.exe .
  2⤵
  PID:4836
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\fxqfpjcojxbhkymvu.exe*."
    3⤵
    PID:2652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
1⤵
PID:5512
- C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
  2⤵
  PID:1988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe .
1⤵
PID:2592
- C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe .
  2⤵
  PID:4948
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ztofrniwtjpxcsitudd.exe*."
    3⤵
    PID:220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe .
1⤵
PID:3988
- C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe .
  2⤵
  PID:1048
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\yphvexpauhkprerz.exe*."
    3⤵
    PID:1460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
1⤵
PID:860
- C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
  2⤵
  PID:4908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe .
1⤵
PID:3724
- C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
  C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe .
  2⤵
  PID:3320
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bxunbzwmldlvcumzcnpli.exe*."
    3⤵
    PID:964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
1⤵
PID:4564
- C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
  2⤵
  PID:1112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe .
1⤵
PID:5744
- C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
  C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe .
  2⤵
  PID:4612
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bxunbzwmldlvcumzcnpli.exe*."
    3⤵
    PID:952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe
1⤵
PID:3828
- C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe
  2⤵
  PID:1680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
1⤵
PID:1976
- C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
  2⤵
  PID:5384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe .
1⤵
PID:1652
- C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe .
  2⤵
  PID:4988
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\yphvexpauhkprerz.exe*."
    3⤵
    PID:5992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe .
1⤵
PID:2456
- C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe .
  2⤵
  PID:224
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\fxqfpjcojxbhkymvu.exe*."
    3⤵
    PID:4508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxunbzwmldlvcumzcnpli.exe
1⤵
PID:3596
- C:\Windows\bxunbzwmldlvcumzcnpli.exe
  bxunbzwmldlvcumzcnpli.exe
  2⤵
  PID:2772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yphvexpauhkprerz.exe .
1⤵
PID:5832
- C:\Windows\yphvexpauhkprerz.exe
  yphvexpauhkprerz.exe .
  2⤵
  PID:1672
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\yphvexpauhkprerz.exe*."
    3⤵
    PID:812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhdvifbqofmvbsjvxhid.exe
1⤵
PID:5564
- C:\Windows\mhdvifbqofmvbsjvxhid.exe
  mhdvifbqofmvbsjvxhid.exe
  2⤵
  PID:5292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztofrniwtjpxcsitudd.exe .
1⤵
PID:3164
- C:\Windows\ztofrniwtjpxcsitudd.exe
  ztofrniwtjpxcsitudd.exe .
  2⤵
  PID:4520
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ztofrniwtjpxcsitudd.exe*."
    3⤵
    PID:1204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
1⤵
PID:2560
- C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
  2⤵
  PID:4876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe .
1⤵
PID:4136
- C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe .
  2⤵
  PID:468
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\mhdvifbqofmvbsjvxhid.exe*."
    3⤵
    PID:440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
1⤵
PID:5620
- C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
  2⤵
  PID:4712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe .
1⤵
PID:1116
- C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe .
  2⤵
  PID:5344
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ztofrniwtjpxcsitudd.exe*."
    3⤵
    PID:3764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxunbzwmldlvcumzcnpli.exe
1⤵
PID:1500
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4904
- C:\Windows\bxunbzwmldlvcumzcnpli.exe
  bxunbzwmldlvcumzcnpli.exe
  2⤵
  PID:4584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohbrcxreapubfujttb.exe .
1⤵
PID:4572
- C:\Windows\ohbrcxreapubfujttb.exe
  ohbrcxreapubfujttb.exe .
  2⤵
  PID:1620
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ohbrcxreapubfujttb.exe*."
    3⤵
    PID:4120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhdvifbqofmvbsjvxhid.exe
1⤵
PID:1416
- C:\Windows\mhdvifbqofmvbsjvxhid.exe
  mhdvifbqofmvbsjvxhid.exe
  2⤵
  PID:208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohbrcxreapubfujttb.exe .
1⤵
PID:4916
- C:\Windows\ohbrcxreapubfujttb.exe
  ohbrcxreapubfujttb.exe .
  2⤵
  PID:1284
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ohbrcxreapubfujttb.exe*."
    3⤵
    PID:4836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
1⤵
PID:2936
- C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
  2⤵
  PID:2612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe .
1⤵
PID:964
- C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe .
  2⤵
  PID:3272
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\fxqfpjcojxbhkymvu.exe*."
    3⤵
    PID:4160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
1⤵
PID:1524
- C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
  C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
  2⤵
  PID:940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe .
1⤵
PID:5296
- C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe .
  2⤵
  PID:3012
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\mhdvifbqofmvbsjvxhid.exe*."
    3⤵
    PID:1976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohbrcxreapubfujttb.exe
1⤵
PID:4352
- C:\Windows\ohbrcxreapubfujttb.exe
  ohbrcxreapubfujttb.exe
  2⤵
  PID:4268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhdvifbqofmvbsjvxhid.exe .
1⤵
PID:2808
- C:\Windows\mhdvifbqofmvbsjvxhid.exe
  mhdvifbqofmvbsjvxhid.exe .
  2⤵
  PID:4464
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\mhdvifbqofmvbsjvxhid.exe*."
    3⤵
    PID:3504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohbrcxreapubfujttb.exe
1⤵
PID:2904
- C:\Windows\ohbrcxreapubfujttb.exe
  ohbrcxreapubfujttb.exe
  2⤵
  PID:1880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxqfpjcojxbhkymvu.exe .
1⤵
PID:2628
- C:\Windows\fxqfpjcojxbhkymvu.exe
  fxqfpjcojxbhkymvu.exe .
  2⤵
  PID:4104
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\fxqfpjcojxbhkymvu.exe*."
    3⤵
    PID:1912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
1⤵
PID:3908
- C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
  C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
  2⤵
  PID:2344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe .
1⤵
PID:2396
- C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe .
  2⤵
  PID:5304
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\yphvexpauhkprerz.exe*."
    3⤵
    PID:5828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
1⤵
PID:1972
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5048
- C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
  2⤵
  PID:556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe .
1⤵
PID:3124
- C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe .
  2⤵
  PID:3116
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\yphvexpauhkprerz.exe*."
    3⤵
    PID:1256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxqfpjcojxbhkymvu.exe
1⤵
PID:5668
- C:\Windows\fxqfpjcojxbhkymvu.exe
  fxqfpjcojxbhkymvu.exe
  2⤵
  PID:2284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohbrcxreapubfujttb.exe .
1⤵
PID:4724
- C:\Windows\ohbrcxreapubfujttb.exe
  ohbrcxreapubfujttb.exe .
  2⤵
  PID:1640
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ohbrcxreapubfujttb.exe*."
    3⤵
    PID:2716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohbrcxreapubfujttb.exe
1⤵
PID:3284
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4720
- C:\Windows\ohbrcxreapubfujttb.exe
  ohbrcxreapubfujttb.exe
  2⤵
  PID:5996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxunbzwmldlvcumzcnpli.exe .
1⤵
PID:948
- C:\Windows\bxunbzwmldlvcumzcnpli.exe
  bxunbzwmldlvcumzcnpli.exe .
  2⤵
  PID:3772
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\bxunbzwmldlvcumzcnpli.exe*."
    3⤵
    PID:4560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe
1⤵
PID:3864
- C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe
  2⤵
  PID:5228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe .
1⤵
PID:4712
- C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe .
  2⤵
  PID:932
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\fxqfpjcojxbhkymvu.exe*."
    3⤵
    PID:1688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
1⤵
PID:3944
- C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
  C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
  2⤵
  PID:5280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe .
1⤵
PID:4756
- C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
  C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe .
  2⤵
  PID:5248
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bxunbzwmldlvcumzcnpli.exe*."
    3⤵
    PID:3136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxunbzwmldlvcumzcnpli.exe
1⤵
PID:1684
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4076
- C:\Windows\bxunbzwmldlvcumzcnpli.exe
  bxunbzwmldlvcumzcnpli.exe
  2⤵
  PID:5044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxqfpjcojxbhkymvu.exe .
1⤵
PID:1824
- C:\Windows\fxqfpjcojxbhkymvu.exe
  fxqfpjcojxbhkymvu.exe .
  2⤵
  PID:2612
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\fxqfpjcojxbhkymvu.exe*."
    3⤵
    PID:3064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yphvexpauhkprerz.exe
1⤵
PID:720
- C:\Windows\yphvexpauhkprerz.exe
  yphvexpauhkprerz.exe
  2⤵
  PID:4532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yphvexpauhkprerz.exe .
1⤵
PID:4188
- C:\Windows\yphvexpauhkprerz.exe
  yphvexpauhkprerz.exe .
  2⤵
  PID:5472
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\yphvexpauhkprerz.exe*."
    3⤵
    PID:5492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
1⤵
PID:4500
- C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
  C:\Users\Admin\AppData\Local\Temp\bxunbzwmldlvcumzcnpli.exe
  2⤵
  PID:1160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe .
1⤵
PID:3972
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4988
- C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe .
  2⤵
  PID:3392
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\mhdvifbqofmvbsjvxhid.exe*."
    3⤵
    PID:4300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
1⤵
PID:5452
- C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhdvifbqofmvbsjvxhid.exe
  2⤵
  PID:1476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe .
1⤵
PID:824
- C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe .
  2⤵
  PID:6060
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\fxqfpjcojxbhkymvu.exe*."
    3⤵
    PID:4268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxunbzwmldlvcumzcnpli.exe
1⤵
PID:4072
- C:\Windows\bxunbzwmldlvcumzcnpli.exe
  bxunbzwmldlvcumzcnpli.exe
  2⤵
  PID:1340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yphvexpauhkprerz.exe .
1⤵
PID:3920
- C:\Windows\yphvexpauhkprerz.exe
  yphvexpauhkprerz.exe .
  2⤵
  PID:2456
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\yphvexpauhkprerz.exe*."
    3⤵
    PID:3748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxunbzwmldlvcumzcnpli.exe
1⤵
PID:5692
- C:\Windows\bxunbzwmldlvcumzcnpli.exe
  bxunbzwmldlvcumzcnpli.exe
  2⤵
  PID:4676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohbrcxreapubfujttb.exe .
1⤵
PID:5756
- C:\Windows\ohbrcxreapubfujttb.exe
  ohbrcxreapubfujttb.exe .
  2⤵
  PID:3476
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ohbrcxreapubfujttb.exe*."
    3⤵
    PID:6076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
1⤵
PID:1992
- C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
  2⤵
  PID:4460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe .
1⤵
PID:4168
- C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe .
  2⤵
  PID:5312
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ztofrniwtjpxcsitudd.exe*."
    3⤵
    PID:5784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe
1⤵
PID:3124
- C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe
  2⤵
  PID:8

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe .
1⤵
PID:4576
- C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe .
  2⤵
  PID:5096
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ohbrcxreapubfujttb.exe*."
    3⤵
    PID:2696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yphvexpauhkprerz.exe
1⤵
PID:3084
- C:\Windows\yphvexpauhkprerz.exe
  yphvexpauhkprerz.exe
  2⤵
  PID:1200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztofrniwtjpxcsitudd.exe .
1⤵
PID:4232
- C:\Windows\ztofrniwtjpxcsitudd.exe
  ztofrniwtjpxcsitudd.exe .
  2⤵
  PID:3772
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ztofrniwtjpxcsitudd.exe*."
    3⤵
    PID:2748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxunbzwmldlvcumzcnpli.exe
1⤵
PID:3284
- C:\Windows\bxunbzwmldlvcumzcnpli.exe
  bxunbzwmldlvcumzcnpli.exe
  2⤵
  PID:1092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yphvexpauhkprerz.exe
1⤵
PID:5704
- C:\Windows\yphvexpauhkprerz.exe
  yphvexpauhkprerz.exe
  2⤵
  PID:3648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yphvexpauhkprerz.exe .
1⤵
PID:1480
- C:\Windows\yphvexpauhkprerz.exe
  yphvexpauhkprerz.exe .
  2⤵
  PID:5708
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\yphvexpauhkprerz.exe*."
    3⤵
    PID:5816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhdvifbqofmvbsjvxhid.exe
1⤵
PID:4056
- C:\Windows\mhdvifbqofmvbsjvxhid.exe
  mhdvifbqofmvbsjvxhid.exe
  2⤵
  PID:1988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhdvifbqofmvbsjvxhid.exe .
1⤵
PID:544
- C:\Windows\mhdvifbqofmvbsjvxhid.exe
  mhdvifbqofmvbsjvxhid.exe .
  2⤵
  PID:5976
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\mhdvifbqofmvbsjvxhid.exe*."
    3⤵
    PID:1160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztofrniwtjpxcsitudd.exe .
1⤵
PID:680
- C:\Windows\ztofrniwtjpxcsitudd.exe
  ztofrniwtjpxcsitudd.exe .
  2⤵
  PID:4932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxunbzwmldlvcumzcnpli.exe
1⤵
PID:4692
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
1⤵
PID:3612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohbrcxreapubfujttb.exe
1⤵
PID:5240
- C:\Windows\ohbrcxreapubfujttb.exe
  ohbrcxreapubfujttb.exe
  2⤵
  PID:5220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohbrcxreapubfujttb.exe .
1⤵
PID:1540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe .
1⤵
PID:3656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yphvexpauhkprerz.exe .
1⤵
PID:3252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yphvexpauhkprerz.exe
1⤵
PID:2796
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztofrniwtjpxcsitudd.exe
1⤵
PID:720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohbrcxreapubfujttb.exe .
1⤵
PID:3272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe .
1⤵
PID:3660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxqfpjcojxbhkymvu.exe
1⤵
PID:3816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Modify Registry