pykspa | ecb1fe140bd7915b694e41679e055200c280301c08a8ba33bca7ba5d5c34d21b

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bcjlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bcjlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe

Pykspa
Pykspa is a worm spreads via Skype uses DGA and it's written in C++.
worm pykspa
Pykspa family
pykspa

UAC bypass 3 TTPs 21 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bcjlq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bcjlq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bcjlq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bcjlq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	bcjlq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bcjlq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	bcjlq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bcjlq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	abqgjobtkla.exe

Detect Pykspa worm 2 IoCs

worm

resource	yara_rule
behavioral2/files/0x000e000000023f91-4.dat	family_pykspa
behavioral2/files/0x000e000000023f5f-82.dat	family_pykspa

Adds policy Run key to start application 2 TTPs 37 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bcjlq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fslzqkfxmzahcyhsl.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oschpamv = "zojzsolfwloxusdqlld.exe"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bcjlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bcjlq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mcypjgezrhlvtsesopiy.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bcjlq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ocwldyundrtbxueqkj.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bcjlq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bsphcazvofkvuuhwtvpgd.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bcjlq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ykcpfysjxjjpjemw.exe"	bcjlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bcjlq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zojzsolfwloxusdqlld.exe"	bcjlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oschpamv = "fslzqkfxmzahcyhsl.exe"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bcjlq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bsphcazvofkvuuhwtvpgd.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bcjlq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bsphcazvofkvuuhwtvpgd.exe"	bcjlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oschpamv = "mcypjgezrhlvtsesopiy.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oschpamv = "mcypjgezrhlvtsesopiy.exe"	bcjlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bcjlq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fslzqkfxmzahcyhsl.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bcjlq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mcypjgezrhlvtsesopiy.exe"	bcjlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bcjlq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bsphcazvofkvuuhwtvpgd.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oschpamv = "zojzsolfwloxusdqlld.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bcjlq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ocwldyundrtbxueqkj.exe"	bcjlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bcjlq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bsphcazvofkvuuhwtvpgd.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oschpamv = "zojzsolfwloxusdqlld.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bcjlq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bsphcazvofkvuuhwtvpgd.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oschpamv = "bsphcazvofkvuuhwtvpgd.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oschpamv = "mcypjgezrhlvtsesopiy.exe"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bcjlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oschpamv = "ykcpfysjxjjpjemw.exe"	bcjlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oschpamv = "ocwldyundrtbxueqkj.exe"	bcjlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oschpamv = "mcypjgezrhlvtsesopiy.exe"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oschpamv = "ocwldyundrtbxueqkj.exe"	abqgjobtkla.exe

Disables RegEdit via registry modification 6 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	bcjlq.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	abqgjobtkla.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	bcjlq.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	bcjlq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	bcjlq.exe

Checks computer location settings 2 TTPs 55 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	zojzsolfwloxusdqlld.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	bsphcazvofkvuuhwtvpgd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	zojzsolfwloxusdqlld.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	bsphcazvofkvuuhwtvpgd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	zojzsolfwloxusdqlld.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ykcpfysjxjjpjemw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	mcypjgezrhlvtsesopiy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ykcpfysjxjjpjemw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	fslzqkfxmzahcyhsl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	zojzsolfwloxusdqlld.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	zojzsolfwloxusdqlld.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	fslzqkfxmzahcyhsl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ocwldyundrtbxueqkj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	mcypjgezrhlvtsesopiy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ykcpfysjxjjpjemw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ocwldyundrtbxueqkj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	fslzqkfxmzahcyhsl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ocwldyundrtbxueqkj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	bsphcazvofkvuuhwtvpgd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	zojzsolfwloxusdqlld.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	mcypjgezrhlvtsesopiy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	zojzsolfwloxusdqlld.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	assasin terror.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ocwldyundrtbxueqkj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	mcypjgezrhlvtsesopiy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ykcpfysjxjjpjemw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	mcypjgezrhlvtsesopiy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	fslzqkfxmzahcyhsl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ykcpfysjxjjpjemw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	fslzqkfxmzahcyhsl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	bsphcazvofkvuuhwtvpgd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ykcpfysjxjjpjemw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	fslzqkfxmzahcyhsl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	fslzqkfxmzahcyhsl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ocwldyundrtbxueqkj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	fslzqkfxmzahcyhsl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	bsphcazvofkvuuhwtvpgd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	mcypjgezrhlvtsesopiy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	abqgjobtkla.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	zojzsolfwloxusdqlld.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	mcypjgezrhlvtsesopiy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	zojzsolfwloxusdqlld.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	fslzqkfxmzahcyhsl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	zojzsolfwloxusdqlld.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	bsphcazvofkvuuhwtvpgd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ykcpfysjxjjpjemw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ykcpfysjxjjpjemw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	mcypjgezrhlvtsesopiy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	zojzsolfwloxusdqlld.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ykcpfysjxjjpjemw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	bsphcazvofkvuuhwtvpgd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ykcpfysjxjjpjemw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ocwldyundrtbxueqkj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	zojzsolfwloxusdqlld.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ocwldyundrtbxueqkj.exe

Executes dropped EXE 64 IoCs

pid	Process
2608	abqgjobtkla.exe
2212	zojzsolfwloxusdqlld.exe
4360	bsphcazvofkvuuhwtvpgd.exe
1536	abqgjobtkla.exe
3036	ocwldyundrtbxueqkj.exe
3904	ocwldyundrtbxueqkj.exe
4708	ykcpfysjxjjpjemw.exe
2340	abqgjobtkla.exe
4644	ocwldyundrtbxueqkj.exe
4396	fslzqkfxmzahcyhsl.exe
5084	abqgjobtkla.exe
4528	ykcpfysjxjjpjemw.exe
4392	abqgjobtkla.exe
4436	bcjlq.exe
4604	bcjlq.exe
324	zojzsolfwloxusdqlld.exe
3816	ocwldyundrtbxueqkj.exe
4120	ykcpfysjxjjpjemw.exe
3904	mcypjgezrhlvtsesopiy.exe
4708	abqgjobtkla.exe
3636	ykcpfysjxjjpjemw.exe
2804	abqgjobtkla.exe
1808	zojzsolfwloxusdqlld.exe
5000	ykcpfysjxjjpjemw.exe
4472	zojzsolfwloxusdqlld.exe
3768	zojzsolfwloxusdqlld.exe
2668	mcypjgezrhlvtsesopiy.exe
4496	fslzqkfxmzahcyhsl.exe
4372	zojzsolfwloxusdqlld.exe
3456	abqgjobtkla.exe
3624	abqgjobtkla.exe
4632	abqgjobtkla.exe
2444	abqgjobtkla.exe
4768	ykcpfysjxjjpjemw.exe
516	ocwldyundrtbxueqkj.exe
3020	ykcpfysjxjjpjemw.exe
428	bsphcazvofkvuuhwtvpgd.exe
2040	abqgjobtkla.exe
3416	abqgjobtkla.exe
3024	ocwldyundrtbxueqkj.exe
2340	fslzqkfxmzahcyhsl.exe
4784	abqgjobtkla.exe
5000	zojzsolfwloxusdqlld.exe
3468	zojzsolfwloxusdqlld.exe
1532	mcypjgezrhlvtsesopiy.exe
1468	abqgjobtkla.exe
3972	mcypjgezrhlvtsesopiy.exe
4036	abqgjobtkla.exe
2120	ykcpfysjxjjpjemw.exe
1748	mcypjgezrhlvtsesopiy.exe
2960	abqgjobtkla.exe
3148	ykcpfysjxjjpjemw.exe
4004	bsphcazvofkvuuhwtvpgd.exe
1944	fslzqkfxmzahcyhsl.exe
5032	zojzsolfwloxusdqlld.exe
2016	zojzsolfwloxusdqlld.exe
4544	abqgjobtkla.exe
3404	bsphcazvofkvuuhwtvpgd.exe
1636	abqgjobtkla.exe
2312	mcypjgezrhlvtsesopiy.exe
2988	abqgjobtkla.exe
1832	ykcpfysjxjjpjemw.exe
2720	zojzsolfwloxusdqlld.exe
4880	zojzsolfwloxusdqlld.exe

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	bcjlq.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	bcjlq.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	bcjlq.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	bcjlq.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	bcjlq.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	bcjlq.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

defense_evasion persistence privilege_escalation

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fkvbkwjta = "zojzsolfwloxusdqlld.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qymvhwmzjrnp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bsphcazvofkvuuhwtvpgd.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mowzfo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fslzqkfxmzahcyhsl.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fkvbkwjta = "mcypjgezrhlvtsesopiy.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zclpwgr = "zojzsolfwloxusdqlld.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fkvbkwjta = "zojzsolfwloxusdqlld.exe"	bcjlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qymvhwmzjrnp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zojzsolfwloxusdqlld.exe"	bcjlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qymvhwmzjrnp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zojzsolfwloxusdqlld.exe"	bcjlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mowzfo = "ocwldyundrtbxueqkj.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tanvgujvelg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ykcpfysjxjjpjemw.exe ."	bcjlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tanvgujvelg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ocwldyundrtbxueqkj.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mowzfo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fslzqkfxmzahcyhsl.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zclpwgr = "zojzsolfwloxusdqlld.exe ."	bcjlq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fkvbkwjta = "mcypjgezrhlvtsesopiy.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fkvbkwjta = "ocwldyundrtbxueqkj.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fkvbkwjta = "bsphcazvofkvuuhwtvpgd.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mowzfo = "ykcpfysjxjjpjemw.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zclpwgr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zojzsolfwloxusdqlld.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yeqxhuitbh = "bsphcazvofkvuuhwtvpgd.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mowzfo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ykcpfysjxjjpjemw.exe"	bcjlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mowzfo = "ykcpfysjxjjpjemw.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zclpwgr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mcypjgezrhlvtsesopiy.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mowzfo = "mcypjgezrhlvtsesopiy.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fkvbkwjta = "ocwldyundrtbxueqkj.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yeqxhuitbh = "ocwldyundrtbxueqkj.exe ."	bcjlq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zclpwgr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ocwldyundrtbxueqkj.exe ."	bcjlq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mowzfo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bsphcazvofkvuuhwtvpgd.exe"	bcjlq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zclpwgr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zojzsolfwloxusdqlld.exe ."	bcjlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qymvhwmzjrnp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mcypjgezrhlvtsesopiy.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qymvhwmzjrnp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mcypjgezrhlvtsesopiy.exe"	bcjlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tanvgujvelg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ocwldyundrtbxueqkj.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mowzfo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zojzsolfwloxusdqlld.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mowzfo = "ocwldyundrtbxueqkj.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yeqxhuitbh = "ykcpfysjxjjpjemw.exe ."	bcjlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zclpwgr = "ykcpfysjxjjpjemw.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mowzfo = "bsphcazvofkvuuhwtvpgd.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tanvgujvelg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zojzsolfwloxusdqlld.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fkvbkwjta = "zojzsolfwloxusdqlld.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yeqxhuitbh = "ocwldyundrtbxueqkj.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qymvhwmzjrnp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ykcpfysjxjjpjemw.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mowzfo = "zojzsolfwloxusdqlld.exe"	bcjlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mowzfo = "ocwldyundrtbxueqkj.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mowzfo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ykcpfysjxjjpjemw.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fkvbkwjta = "ocwldyundrtbxueqkj.exe"	bcjlq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yeqxhuitbh = "zojzsolfwloxusdqlld.exe ."	bcjlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qymvhwmzjrnp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mcypjgezrhlvtsesopiy.exe"	bcjlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zclpwgr = "bsphcazvofkvuuhwtvpgd.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tanvgujvelg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zojzsolfwloxusdqlld.exe ."	bcjlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mowzfo = "zojzsolfwloxusdqlld.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yeqxhuitbh = "zojzsolfwloxusdqlld.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qymvhwmzjrnp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fslzqkfxmzahcyhsl.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mowzfo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mcypjgezrhlvtsesopiy.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yeqxhuitbh = "fslzqkfxmzahcyhsl.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fkvbkwjta = "zojzsolfwloxusdqlld.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zclpwgr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ykcpfysjxjjpjemw.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fkvbkwjta = "ykcpfysjxjjpjemw.exe"	bcjlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zclpwgr = "mcypjgezrhlvtsesopiy.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tanvgujvelg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zojzsolfwloxusdqlld.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mowzfo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ocwldyundrtbxueqkj.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mowzfo = "ocwldyundrtbxueqkj.exe"	bcjlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mowzfo = "bsphcazvofkvuuhwtvpgd.exe"	bcjlq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mowzfo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ykcpfysjxjjpjemw.exe"	bcjlq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zclpwgr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ocwldyundrtbxueqkj.exe ."	bcjlq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mowzfo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bsphcazvofkvuuhwtvpgd.exe"	abqgjobtkla.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bcjlq.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bcjlq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bcjlq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bcjlq.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs

Possible Turn off User Account Control's privilege elevation for standard users.

Executable Installer File Permissions Weakness

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	bcjlq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	bcjlq.exe

Looks up external IP address via web service 7 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
42	whatismyip.everdot.org
52	whatismyip.everdot.org
26	www.whatismyip.ca
27	whatismyipaddress.com
30	whatismyip.everdot.org
31	www.showmyipaddress.com
39	www.whatismyip.ca

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\bsphcazvofkvuuhwtvpgd.exe	bcjlq.exe
File opened for modification	C:\Windows\SysWOW64\fslzqkfxmzahcyhsl.exe	bcjlq.exe
File opened for modification	C:\Windows\SysWOW64\zojzsolfwloxusdqlld.exe	bcjlq.exe
File opened for modification	C:\Windows\SysWOW64\mcypjgezrhlvtsesopiy.exe	bcjlq.exe
File opened for modification	C:\Windows\SysWOW64\fslzqkfxmzahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ykcpfysjxjjpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ocwldyundrtbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\zojzsolfwloxusdqlld.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ykcpfysjxjjpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ocwldyundrtbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ykcpfysjxjjpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ykcpfysjxjjpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ykcpfysjxjjpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\bsphcazvofkvuuhwtvpgd.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ocwldyundrtbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\zojzsolfwloxusdqlld.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\mcypjgezrhlvtsesopiy.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\skibxwwtnflxxymcadyqoh.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ocwldyundrtbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\mcypjgezrhlvtsesopiy.exe	abqgjobtkla.exe
File created	C:\Windows\SysWOW64\ssyzdksxzznhpyusyjmmstxemr.thb	bcjlq.exe
File opened for modification	C:\Windows\SysWOW64\ocwldyundrtbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ocwldyundrtbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ocwldyundrtbxueqkj.exe	bcjlq.exe
File opened for modification	C:\Windows\SysWOW64\zojzsolfwloxusdqlld.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\mcypjgezrhlvtsesopiy.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\bsphcazvofkvuuhwtvpgd.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\skibxwwtnflxxymcadyqoh.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\zojzsolfwloxusdqlld.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\fslzqkfxmzahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\zojzsolfwloxusdqlld.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ssyzdksxzznhpyusyjmmstxemr.thb	bcjlq.exe
File opened for modification	C:\Windows\SysWOW64\mcypjgezrhlvtsesopiy.exe	bcjlq.exe
File opened for modification	C:\Windows\SysWOW64\tevhwohxkvuzsmtctpdofrgyrhufejcwdmdzn.pbq	bcjlq.exe
File opened for modification	C:\Windows\SysWOW64\skibxwwtnflxxymcadyqoh.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\skibxwwtnflxxymcadyqoh.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ocwldyundrtbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\zojzsolfwloxusdqlld.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\bsphcazvofkvuuhwtvpgd.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ocwldyundrtbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\skibxwwtnflxxymcadyqoh.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\zojzsolfwloxusdqlld.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ykcpfysjxjjpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\bsphcazvofkvuuhwtvpgd.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\fslzqkfxmzahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\fslzqkfxmzahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ykcpfysjxjjpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\fslzqkfxmzahcyhsl.exe	bcjlq.exe
File opened for modification	C:\Windows\SysWOW64\skibxwwtnflxxymcadyqoh.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\fslzqkfxmzahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\zojzsolfwloxusdqlld.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\skibxwwtnflxxymcadyqoh.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\mcypjgezrhlvtsesopiy.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\zojzsolfwloxusdqlld.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\bsphcazvofkvuuhwtvpgd.exe	abqgjobtkla.exe
File created	C:\Windows\SysWOW64\tevhwohxkvuzsmtctpdofrgyrhufejcwdmdzn.pbq	bcjlq.exe
File opened for modification	C:\Windows\SysWOW64\ykcpfysjxjjpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\zojzsolfwloxusdqlld.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\fslzqkfxmzahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\zojzsolfwloxusdqlld.exe	bcjlq.exe
File opened for modification	C:\Windows\SysWOW64\ykcpfysjxjjpjemw.exe	bcjlq.exe
File opened for modification	C:\Windows\SysWOW64\bsphcazvofkvuuhwtvpgd.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\mcypjgezrhlvtsesopiy.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ykcpfysjxjjpjemw.exe	abqgjobtkla.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\ssyzdksxzznhpyusyjmmstxemr.thb	bcjlq.exe
File created	C:\Program Files (x86)\ssyzdksxzznhpyusyjmmstxemr.thb	bcjlq.exe
File opened for modification	C:\Program Files (x86)\tevhwohxkvuzsmtctpdofrgyrhufejcwdmdzn.pbq	bcjlq.exe
File created	C:\Program Files (x86)\tevhwohxkvuzsmtctpdofrgyrhufejcwdmdzn.pbq	bcjlq.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\skibxwwtnflxxymcadyqoh.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\zojzsolfwloxusdqlld.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ykcpfysjxjjpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ykcpfysjxjjpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\fslzqkfxmzahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\bsphcazvofkvuuhwtvpgd.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\skibxwwtnflxxymcadyqoh.exe	bcjlq.exe
File opened for modification	C:\Windows\fslzqkfxmzahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\skibxwwtnflxxymcadyqoh.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\zojzsolfwloxusdqlld.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\zojzsolfwloxusdqlld.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\mcypjgezrhlvtsesopiy.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\zojzsolfwloxusdqlld.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ocwldyundrtbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\bsphcazvofkvuuhwtvpgd.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ocwldyundrtbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\bsphcazvofkvuuhwtvpgd.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\mcypjgezrhlvtsesopiy.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\mcypjgezrhlvtsesopiy.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\zojzsolfwloxusdqlld.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\bsphcazvofkvuuhwtvpgd.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\skibxwwtnflxxymcadyqoh.exe	bcjlq.exe
File opened for modification	C:\Windows\ykcpfysjxjjpjemw.exe	bcjlq.exe
File opened for modification	C:\Windows\mcypjgezrhlvtsesopiy.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\fslzqkfxmzahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ocwldyundrtbxueqkj.exe	bcjlq.exe
File opened for modification	C:\Windows\tevhwohxkvuzsmtctpdofrgyrhufejcwdmdzn.pbq	bcjlq.exe
File opened for modification	C:\Windows\fslzqkfxmzahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\skibxwwtnflxxymcadyqoh.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\bsphcazvofkvuuhwtvpgd.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ocwldyundrtbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\mcypjgezrhlvtsesopiy.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\mcypjgezrhlvtsesopiy.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\bsphcazvofkvuuhwtvpgd.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ykcpfysjxjjpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\fslzqkfxmzahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\fslzqkfxmzahcyhsl.exe	bcjlq.exe
File opened for modification	C:\Windows\zojzsolfwloxusdqlld.exe	bcjlq.exe
File opened for modification	C:\Windows\ocwldyundrtbxueqkj.exe	bcjlq.exe
File opened for modification	C:\Windows\skibxwwtnflxxymcadyqoh.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\fslzqkfxmzahcyhsl.exe	bcjlq.exe
File opened for modification	C:\Windows\ykcpfysjxjjpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ocwldyundrtbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\zojzsolfwloxusdqlld.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ykcpfysjxjjpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\zojzsolfwloxusdqlld.exe	bcjlq.exe
File created	C:\Windows\tevhwohxkvuzsmtctpdofrgyrhufejcwdmdzn.pbq	bcjlq.exe
File opened for modification	C:\Windows\ocwldyundrtbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\fslzqkfxmzahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\bsphcazvofkvuuhwtvpgd.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\fslzqkfxmzahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\zojzsolfwloxusdqlld.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\skibxwwtnflxxymcadyqoh.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\zojzsolfwloxusdqlld.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\mcypjgezrhlvtsesopiy.exe	bcjlq.exe
File opened for modification	C:\Windows\mcypjgezrhlvtsesopiy.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\bsphcazvofkvuuhwtvpgd.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ocwldyundrtbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\fslzqkfxmzahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\skibxwwtnflxxymcadyqoh.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\fslzqkfxmzahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\mcypjgezrhlvtsesopiy.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ocwldyundrtbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\zojzsolfwloxusdqlld.exe	abqgjobtkla.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bsphcazvofkvuuhwtvpgd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mcypjgezrhlvtsesopiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fslzqkfxmzahcyhsl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fslzqkfxmzahcyhsl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ocwldyundrtbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bsphcazvofkvuuhwtvpgd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ocwldyundrtbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zojzsolfwloxusdqlld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ocwldyundrtbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ykcpfysjxjjpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mcypjgezrhlvtsesopiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ocwldyundrtbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	assasin terror.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bsphcazvofkvuuhwtvpgd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bsphcazvofkvuuhwtvpgd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ocwldyundrtbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bsphcazvofkvuuhwtvpgd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ykcpfysjxjjpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zojzsolfwloxusdqlld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ykcpfysjxjjpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ocwldyundrtbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bsphcazvofkvuuhwtvpgd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zojzsolfwloxusdqlld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zojzsolfwloxusdqlld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fslzqkfxmzahcyhsl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fslzqkfxmzahcyhsl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zojzsolfwloxusdqlld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ykcpfysjxjjpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ocwldyundrtbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mcypjgezrhlvtsesopiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fslzqkfxmzahcyhsl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zojzsolfwloxusdqlld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fslzqkfxmzahcyhsl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ykcpfysjxjjpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ykcpfysjxjjpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcjlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zojzsolfwloxusdqlld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ykcpfysjxjjpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mcypjgezrhlvtsesopiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ocwldyundrtbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fslzqkfxmzahcyhsl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ykcpfysjxjjpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fslzqkfxmzahcyhsl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zojzsolfwloxusdqlld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zojzsolfwloxusdqlld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zojzsolfwloxusdqlld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zojzsolfwloxusdqlld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ykcpfysjxjjpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mcypjgezrhlvtsesopiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ocwldyundrtbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fslzqkfxmzahcyhsl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fslzqkfxmzahcyhsl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bsphcazvofkvuuhwtvpgd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zojzsolfwloxusdqlld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mcypjgezrhlvtsesopiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mcypjgezrhlvtsesopiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ykcpfysjxjjpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abqgjobtkla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ocwldyundrtbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mcypjgezrhlvtsesopiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zojzsolfwloxusdqlld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ykcpfysjxjjpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ykcpfysjxjjpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zojzsolfwloxusdqlld.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2112	assasin terror.exe
2112	assasin terror.exe
2112	assasin terror.exe
2112	assasin terror.exe
2112	assasin terror.exe
2112	assasin terror.exe
2112	assasin terror.exe
2112	assasin terror.exe
2112	assasin terror.exe
2112	assasin terror.exe
2112	assasin terror.exe
2112	assasin terror.exe
2112	assasin terror.exe
2112	assasin terror.exe
2112	assasin terror.exe
2112	assasin terror.exe
4436	bcjlq.exe
4436	bcjlq.exe
2112	assasin terror.exe
2112	assasin terror.exe
2112	assasin terror.exe
2112	assasin terror.exe
2112	assasin terror.exe
2112	assasin terror.exe
2112	assasin terror.exe
2112	assasin terror.exe
2112	assasin terror.exe
2112	assasin terror.exe
2112	assasin terror.exe
2112	assasin terror.exe
2112	assasin terror.exe
2112	assasin terror.exe
2112	assasin terror.exe
2112	assasin terror.exe
2112	assasin terror.exe
2112	assasin terror.exe
2112	assasin terror.exe
2112	assasin terror.exe
2112	assasin terror.exe
2112	assasin terror.exe
2112	assasin terror.exe
2112	assasin terror.exe
2112	assasin terror.exe
2112	assasin terror.exe
2112	assasin terror.exe
2112	assasin terror.exe
2112	assasin terror.exe
2112	assasin terror.exe
2112	assasin terror.exe
2112	assasin terror.exe
2112	assasin terror.exe
2112	assasin terror.exe
2112	assasin terror.exe
2112	assasin terror.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4436	bcjlq.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2608	2112	assasin terror.exe	89
PID 2112 wrote to memory of 2608	2112	assasin terror.exe	89
PID 2112 wrote to memory of 2608	2112	assasin terror.exe	89
PID 2960 wrote to memory of 2212	2960	cmd.exe	92
PID 2960 wrote to memory of 2212	2960	cmd.exe	92
PID 2960 wrote to memory of 2212	2960	cmd.exe	92
PID 3588 wrote to memory of 4360	3588	cmd.exe	95
PID 3588 wrote to memory of 4360	3588	cmd.exe	95
PID 3588 wrote to memory of 4360	3588	cmd.exe	95
PID 4360 wrote to memory of 1536	4360	bsphcazvofkvuuhwtvpgd.exe	98
PID 4360 wrote to memory of 1536	4360	bsphcazvofkvuuhwtvpgd.exe	98
PID 4360 wrote to memory of 1536	4360	bsphcazvofkvuuhwtvpgd.exe	98
PID 4568 wrote to memory of 3036	4568	cmd.exe	101
PID 4568 wrote to memory of 3036	4568	cmd.exe	101
PID 4568 wrote to memory of 3036	4568	cmd.exe	101
PID 2928 wrote to memory of 3904	2928	cmd.exe	137
PID 2928 wrote to memory of 3904	2928	cmd.exe	137
PID 2928 wrote to memory of 3904	2928	cmd.exe	137
PID 3984 wrote to memory of 4708	3984	cmd.exe	138
PID 3984 wrote to memory of 4708	3984	cmd.exe	138
PID 3984 wrote to memory of 4708	3984	cmd.exe	138
PID 3904 wrote to memory of 2340	3904	ocwldyundrtbxueqkj.exe	186
PID 3904 wrote to memory of 2340	3904	ocwldyundrtbxueqkj.exe	186
PID 3904 wrote to memory of 2340	3904	ocwldyundrtbxueqkj.exe	186
PID 3712 wrote to memory of 4644	3712	cmd.exe	109
PID 3712 wrote to memory of 4644	3712	cmd.exe	109
PID 3712 wrote to memory of 4644	3712	cmd.exe	109
PID 1468 wrote to memory of 4396	1468	cmd.exe	182
PID 1468 wrote to memory of 4396	1468	cmd.exe	182
PID 1468 wrote to memory of 4396	1468	cmd.exe	182
PID 4644 wrote to memory of 5084	4644	ocwldyundrtbxueqkj.exe	116
PID 4644 wrote to memory of 5084	4644	ocwldyundrtbxueqkj.exe	116
PID 4644 wrote to memory of 5084	4644	ocwldyundrtbxueqkj.exe	116
PID 1808 wrote to memory of 4528	1808	cmd.exe	251
PID 1808 wrote to memory of 4528	1808	cmd.exe	251
PID 1808 wrote to memory of 4528	1808	cmd.exe	251
PID 4528 wrote to memory of 4392	4528	ykcpfysjxjjpjemw.exe	319
PID 4528 wrote to memory of 4392	4528	ykcpfysjxjjpjemw.exe	319
PID 4528 wrote to memory of 4392	4528	ykcpfysjxjjpjemw.exe	319
PID 2608 wrote to memory of 4436	2608	abqgjobtkla.exe	121
PID 2608 wrote to memory of 4436	2608	abqgjobtkla.exe	121
PID 2608 wrote to memory of 4436	2608	abqgjobtkla.exe	121
PID 2608 wrote to memory of 4604	2608	abqgjobtkla.exe	122
PID 2608 wrote to memory of 4604	2608	abqgjobtkla.exe	122
PID 2608 wrote to memory of 4604	2608	abqgjobtkla.exe	122
PID 5112 wrote to memory of 324	5112	cmd.exe	128
PID 5112 wrote to memory of 324	5112	cmd.exe	128
PID 5112 wrote to memory of 324	5112	cmd.exe	128
PID 2388 wrote to memory of 3816	2388	cmd.exe	320
PID 2388 wrote to memory of 3816	2388	cmd.exe	320
PID 2388 wrote to memory of 3816	2388	cmd.exe	320
PID 1348 wrote to memory of 4120	1348	cmd.exe	247
PID 1348 wrote to memory of 4120	1348	cmd.exe	247
PID 1348 wrote to memory of 4120	1348	cmd.exe	247
PID 3340 wrote to memory of 3904	3340	cmd.exe	368
PID 3340 wrote to memory of 3904	3340	cmd.exe	368
PID 3340 wrote to memory of 3904	3340	cmd.exe	368
PID 4120 wrote to memory of 4708	4120	ykcpfysjxjjpjemw.exe	138
PID 4120 wrote to memory of 4708	4120	ykcpfysjxjjpjemw.exe	138
PID 4120 wrote to memory of 4708	4120	ykcpfysjxjjpjemw.exe	138
PID 2312 wrote to memory of 3636	2312	cmd.exe	145
PID 2312 wrote to memory of 3636	2312	cmd.exe	145
PID 2312 wrote to memory of 3636	2312	cmd.exe	145
PID 3904 wrote to memory of 2804	3904	mcypjgezrhlvtsesopiy.exe	349

System policy modification 1 TTPs 54 IoCs

defense_evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	bcjlq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bcjlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bcjlq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bcjlq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	bcjlq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	bcjlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	bcjlq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	bcjlq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	bcjlq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	bcjlq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	bcjlq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bcjlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bcjlq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bcjlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bcjlq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	bcjlq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	bcjlq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bcjlq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	bcjlq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	bcjlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	bcjlq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	bcjlq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	bcjlq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	bcjlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe

C:\Users\Admin\AppData\Local\Temp\assasin terror.exe
"C:\Users\Admin\AppData\Local\Temp\assasin terror.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
  "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\assasin terror.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2608
- - C:\Users\Admin\AppData\Local\Temp\bcjlq.exe
    "C:\Users\Admin\AppData\Local\Temp\bcjlq.exe" "-C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:4436
- - C:\Users\Admin\AppData\Local\Temp\bcjlq.exe
    "C:\Users\Admin\AppData\Local\Temp\bcjlq.exe" "-C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zojzsolfwloxusdqlld.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Windows\zojzsolfwloxusdqlld.exe
  zojzsolfwloxusdqlld.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bsphcazvofkvuuhwtvpgd.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:3588
- C:\Windows\bsphcazvofkvuuhwtvpgd.exe
  bsphcazvofkvuuhwtvpgd.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4360
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\bsphcazvofkvuuhwtvpgd.exe*."
    3⤵
    - Executes dropped EXE
    PID:1536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocwldyundrtbxueqkj.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4568
- C:\Windows\ocwldyundrtbxueqkj.exe
  ocwldyundrtbxueqkj.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocwldyundrtbxueqkj.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Windows\ocwldyundrtbxueqkj.exe
  ocwldyundrtbxueqkj.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3904
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ocwldyundrtbxueqkj.exe*."
    3⤵
    - Executes dropped EXE
    PID:2340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3984
- C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:3712
- C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4644
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ocwldyundrtbxueqkj.exe*."
    3⤵
    - Executes dropped EXE
    PID:5084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4528
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ykcpfysjxjjpjemw.exe*."
    3⤵
    - Executes dropped EXE
    PID:4392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zojzsolfwloxusdqlld.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5112
- C:\Windows\zojzsolfwloxusdqlld.exe
  zojzsolfwloxusdqlld.exe
  2⤵
  - Executes dropped EXE
  PID:324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocwldyundrtbxueqkj.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Windows\ocwldyundrtbxueqkj.exe
  ocwldyundrtbxueqkj.exe
  2⤵
  - Executes dropped EXE
  PID:3816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ykcpfysjxjjpjemw.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Windows\ykcpfysjxjjpjemw.exe
  ykcpfysjxjjpjemw.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4120
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ykcpfysjxjjpjemw.exe*."
    3⤵
    - Executes dropped EXE
    PID:4708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mcypjgezrhlvtsesopiy.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:3340
- C:\Windows\mcypjgezrhlvtsesopiy.exe
  mcypjgezrhlvtsesopiy.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3904
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\mcypjgezrhlvtsesopiy.exe*."
    3⤵
    - Executes dropped EXE
    PID:2804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ykcpfysjxjjpjemw.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Windows\ykcpfysjxjjpjemw.exe
  ykcpfysjxjjpjemw.exe
  2⤵
  - Executes dropped EXE
  PID:3636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zojzsolfwloxusdqlld.exe
1⤵
PID:2740
- C:\Windows\zojzsolfwloxusdqlld.exe
  zojzsolfwloxusdqlld.exe
  2⤵
  - Executes dropped EXE
  PID:1808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ykcpfysjxjjpjemw.exe .
1⤵
PID:3420
- C:\Windows\ykcpfysjxjjpjemw.exe
  ykcpfysjxjjpjemw.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5000
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ykcpfysjxjjpjemw.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zojzsolfwloxusdqlld.exe .
1⤵
PID:336
- C:\Windows\zojzsolfwloxusdqlld.exe
  zojzsolfwloxusdqlld.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4472
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\zojzsolfwloxusdqlld.exe*."
    3⤵
    - Executes dropped EXE
    PID:3624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe
1⤵
PID:2596
- C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe
  C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe
  2⤵
  - Executes dropped EXE
  PID:4372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe .
1⤵
PID:2184
- C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4496
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\fslzqkfxmzahcyhsl.exe*."
    3⤵
    - Executes dropped EXE
    PID:2444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe
1⤵
PID:2888
- C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe
  C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe .
1⤵
PID:1940
- C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2668
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\mcypjgezrhlvtsesopiy.exe*."
    3⤵
    - Executes dropped EXE
    PID:4632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe
1⤵
PID:3328
- C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe
  2⤵
  - Executes dropped EXE
  PID:4768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe
1⤵
PID:2404
- C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe
  2⤵
  - Executes dropped EXE
  PID:3020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsphcazvofkvuuhwtvpgd.exe .
1⤵
PID:4016
- C:\Users\Admin\AppData\Local\Temp\bsphcazvofkvuuhwtvpgd.exe
  C:\Users\Admin\AppData\Local\Temp\bsphcazvofkvuuhwtvpgd.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:428
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\bsphcazvofkvuuhwtvpgd.exe*."
    3⤵
    - Executes dropped EXE
    PID:3416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe .
1⤵
PID:3148
- C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:516
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ocwldyundrtbxueqkj.exe*."
    3⤵
    - Executes dropped EXE
    PID:2040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocwldyundrtbxueqkj.exe
1⤵
PID:1112
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4396
- C:\Windows\ocwldyundrtbxueqkj.exe
  ocwldyundrtbxueqkj.exe
  2⤵
  - Executes dropped EXE
  PID:3024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fslzqkfxmzahcyhsl.exe .
1⤵
PID:4880
- C:\Windows\fslzqkfxmzahcyhsl.exe
  fslzqkfxmzahcyhsl.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2340
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\fslzqkfxmzahcyhsl.exe*."
    3⤵
    - Executes dropped EXE
    PID:4784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zojzsolfwloxusdqlld.exe
1⤵
PID:1692
- C:\Windows\zojzsolfwloxusdqlld.exe
  zojzsolfwloxusdqlld.exe
  2⤵
  - Executes dropped EXE
  PID:5000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zojzsolfwloxusdqlld.exe .
1⤵
PID:2828
- C:\Windows\zojzsolfwloxusdqlld.exe
  zojzsolfwloxusdqlld.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3468
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\zojzsolfwloxusdqlld.exe*."
    3⤵
    - Executes dropped EXE
    PID:1468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
1⤵
PID:4792
- C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
  2⤵
  - Executes dropped EXE
  PID:1532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe .
1⤵
PID:3324
- C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3972
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\mcypjgezrhlvtsesopiy.exe*."
    3⤵
    - Executes dropped EXE
    PID:4036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe
1⤵
PID:1272
- C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe
  2⤵
  - Executes dropped EXE
  PID:2120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe .
1⤵
PID:2072
- C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1748
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\mcypjgezrhlvtsesopiy.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ykcpfysjxjjpjemw.exe
1⤵
PID:4400
- C:\Windows\ykcpfysjxjjpjemw.exe
  ykcpfysjxjjpjemw.exe
  2⤵
  - Executes dropped EXE
  PID:3148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bsphcazvofkvuuhwtvpgd.exe
1⤵
PID:4312
- C:\Windows\bsphcazvofkvuuhwtvpgd.exe
  bsphcazvofkvuuhwtvpgd.exe
  2⤵
  - Executes dropped EXE
  PID:4004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fslzqkfxmzahcyhsl.exe
1⤵
PID:1980
- C:\Windows\fslzqkfxmzahcyhsl.exe
  fslzqkfxmzahcyhsl.exe
  2⤵
  - Executes dropped EXE
  PID:1944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zojzsolfwloxusdqlld.exe .
1⤵
PID:3096
- C:\Windows\zojzsolfwloxusdqlld.exe
  zojzsolfwloxusdqlld.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5032
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\zojzsolfwloxusdqlld.exe*."
    3⤵
    - Executes dropped EXE
    PID:4544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zojzsolfwloxusdqlld.exe .
1⤵
PID:4360
- C:\Windows\zojzsolfwloxusdqlld.exe
  zojzsolfwloxusdqlld.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2016
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\zojzsolfwloxusdqlld.exe*."
    3⤵
    - Executes dropped EXE
    PID:1636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bsphcazvofkvuuhwtvpgd.exe .
1⤵
PID:1112
- C:\Windows\bsphcazvofkvuuhwtvpgd.exe
  bsphcazvofkvuuhwtvpgd.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3404
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\bsphcazvofkvuuhwtvpgd.exe*."
    3⤵
    - Executes dropped EXE
    PID:2988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mcypjgezrhlvtsesopiy.exe
1⤵
PID:1208
- C:\Windows\mcypjgezrhlvtsesopiy.exe
  mcypjgezrhlvtsesopiy.exe
  2⤵
  - Executes dropped EXE
  PID:2312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ykcpfysjxjjpjemw.exe
1⤵
PID:2636
- C:\Windows\ykcpfysjxjjpjemw.exe
  ykcpfysjxjjpjemw.exe
  2⤵
  - Executes dropped EXE
  PID:1832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ykcpfysjxjjpjemw.exe .
1⤵
PID:3604
- C:\Windows\ykcpfysjxjjpjemw.exe
  ykcpfysjxjjpjemw.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2404
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ykcpfysjxjjpjemw.exe*."
    3⤵
    PID:1368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zojzsolfwloxusdqlld.exe .
1⤵
PID:3764
- C:\Windows\zojzsolfwloxusdqlld.exe
  zojzsolfwloxusdqlld.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4880
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\zojzsolfwloxusdqlld.exe*."
    3⤵
    PID:1732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zojzsolfwloxusdqlld.exe
1⤵
PID:4164
- C:\Windows\zojzsolfwloxusdqlld.exe
  zojzsolfwloxusdqlld.exe
  2⤵
  PID:5000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
1⤵
PID:5020
- C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
  2⤵
  PID:636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe
1⤵
PID:376
- C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe
  C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe
  2⤵
  PID:1732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocwldyundrtbxueqkj.exe .
1⤵
PID:3428
- C:\Windows\ocwldyundrtbxueqkj.exe
  ocwldyundrtbxueqkj.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1808
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ocwldyundrtbxueqkj.exe*."
    3⤵
    PID:4164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe .
1⤵
PID:1940
- C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe
  C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2720
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\zojzsolfwloxusdqlld.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe .
1⤵
PID:4120
- C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4644
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\mcypjgezrhlvtsesopiy.exe*."
    3⤵
    PID:4840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsphcazvofkvuuhwtvpgd.exe
1⤵
PID:3036
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4528
- C:\Users\Admin\AppData\Local\Temp\bsphcazvofkvuuhwtvpgd.exe
  C:\Users\Admin\AppData\Local\Temp\bsphcazvofkvuuhwtvpgd.exe
  2⤵
  PID:2928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe .
1⤵
PID:2184
- C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1616
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\fslzqkfxmzahcyhsl.exe*."
    3⤵
    PID:3172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe
1⤵
PID:1328
- C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe
  2⤵
  PID:2984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsphcazvofkvuuhwtvpgd.exe
1⤵
PID:692
- C:\Users\Admin\AppData\Local\Temp\bsphcazvofkvuuhwtvpgd.exe
  C:\Users\Admin\AppData\Local\Temp\bsphcazvofkvuuhwtvpgd.exe
  2⤵
  PID:4036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe .
1⤵
PID:4348
- C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe
  C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5020
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\zojzsolfwloxusdqlld.exe*."
    3⤵
    PID:4000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe .
1⤵
PID:4624
- C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2556
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ykcpfysjxjjpjemw.exe*."
    3⤵
    PID:3112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsphcazvofkvuuhwtvpgd.exe
1⤵
PID:3620
- C:\Users\Admin\AppData\Local\Temp\bsphcazvofkvuuhwtvpgd.exe
  C:\Users\Admin\AppData\Local\Temp\bsphcazvofkvuuhwtvpgd.exe
  2⤵
  PID:4160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe .
1⤵
PID:2988
- C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2900
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\fslzqkfxmzahcyhsl.exe*."
    3⤵
    PID:1420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zojzsolfwloxusdqlld.exe
1⤵
PID:2216
- C:\Windows\zojzsolfwloxusdqlld.exe
  zojzsolfwloxusdqlld.exe
  2⤵
  PID:5028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ykcpfysjxjjpjemw.exe .
1⤵
PID:2192
- C:\Windows\ykcpfysjxjjpjemw.exe
  ykcpfysjxjjpjemw.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2736
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ykcpfysjxjjpjemw.exe*."
    3⤵
    PID:3016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bsphcazvofkvuuhwtvpgd.exe
1⤵
PID:3604
- C:\Windows\bsphcazvofkvuuhwtvpgd.exe
  bsphcazvofkvuuhwtvpgd.exe
  2⤵
  PID:1228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bsphcazvofkvuuhwtvpgd.exe .
1⤵
PID:2732
- C:\Windows\bsphcazvofkvuuhwtvpgd.exe
  bsphcazvofkvuuhwtvpgd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3840
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\bsphcazvofkvuuhwtvpgd.exe*."
    3⤵
    PID:3776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
1⤵
PID:1944
- C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
  2⤵
  PID:2900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe .
1⤵
PID:2804
- C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1108
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ocwldyundrtbxueqkj.exe*."
    3⤵
    PID:432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsphcazvofkvuuhwtvpgd.exe
1⤵
PID:4940
- C:\Users\Admin\AppData\Local\Temp\bsphcazvofkvuuhwtvpgd.exe
  C:\Users\Admin\AppData\Local\Temp\bsphcazvofkvuuhwtvpgd.exe
  2⤵
  PID:4392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsphcazvofkvuuhwtvpgd.exe .
1⤵
PID:3816
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1808
- C:\Users\Admin\AppData\Local\Temp\bsphcazvofkvuuhwtvpgd.exe
  C:\Users\Admin\AppData\Local\Temp\bsphcazvofkvuuhwtvpgd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2388
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\bsphcazvofkvuuhwtvpgd.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bsphcazvofkvuuhwtvpgd.exe
1⤵
PID:3984
- C:\Windows\bsphcazvofkvuuhwtvpgd.exe
  bsphcazvofkvuuhwtvpgd.exe
  2⤵
  PID:4952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mcypjgezrhlvtsesopiy.exe .
1⤵
PID:5032
- C:\Windows\mcypjgezrhlvtsesopiy.exe
  mcypjgezrhlvtsesopiy.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4016
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\mcypjgezrhlvtsesopiy.exe*."
    3⤵
    PID:2840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zojzsolfwloxusdqlld.exe
1⤵
PID:2188
- C:\Windows\zojzsolfwloxusdqlld.exe
  zojzsolfwloxusdqlld.exe
  2⤵
  PID:4420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ykcpfysjxjjpjemw.exe .
1⤵
PID:3016
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4372
- C:\Windows\ykcpfysjxjjpjemw.exe
  ykcpfysjxjjpjemw.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3172
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ykcpfysjxjjpjemw.exe*."
    3⤵
    PID:5072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsphcazvofkvuuhwtvpgd.exe
1⤵
PID:3456
- C:\Users\Admin\AppData\Local\Temp\bsphcazvofkvuuhwtvpgd.exe
  C:\Users\Admin\AppData\Local\Temp\bsphcazvofkvuuhwtvpgd.exe
  2⤵
  PID:3616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe .
1⤵
PID:2772
- C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe
  C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3776
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\zojzsolfwloxusdqlld.exe*."
    3⤵
    PID:4532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsphcazvofkvuuhwtvpgd.exe
1⤵
PID:5112
- C:\Users\Admin\AppData\Local\Temp\bsphcazvofkvuuhwtvpgd.exe
  C:\Users\Admin\AppData\Local\Temp\bsphcazvofkvuuhwtvpgd.exe
  2⤵
  PID:2804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsphcazvofkvuuhwtvpgd.exe .
1⤵
PID:512
- C:\Users\Admin\AppData\Local\Temp\bsphcazvofkvuuhwtvpgd.exe
  C:\Users\Admin\AppData\Local\Temp\bsphcazvofkvuuhwtvpgd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4152
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\bsphcazvofkvuuhwtvpgd.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocwldyundrtbxueqkj.exe
1⤵
PID:4636
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4784
- C:\Windows\ocwldyundrtbxueqkj.exe
  ocwldyundrtbxueqkj.exe
  2⤵
  PID:5020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fslzqkfxmzahcyhsl.exe .
1⤵
PID:1876
- C:\Windows\fslzqkfxmzahcyhsl.exe
  fslzqkfxmzahcyhsl.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4260
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\fslzqkfxmzahcyhsl.exe*."
    3⤵
    PID:1332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mcypjgezrhlvtsesopiy.exe
1⤵
PID:4824
- C:\Windows\mcypjgezrhlvtsesopiy.exe
  mcypjgezrhlvtsesopiy.exe
  2⤵
  PID:3324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ykcpfysjxjjpjemw.exe .
1⤵
PID:2976
- C:\Windows\ykcpfysjxjjpjemw.exe
  ykcpfysjxjjpjemw.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1648
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ykcpfysjxjjpjemw.exe*."
    3⤵
    PID:2088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
1⤵
PID:4496
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1748
- C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
  2⤵
  PID:1228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe .
1⤵
PID:1692
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3904
- C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1012
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\mcypjgezrhlvtsesopiy.exe*."
    3⤵
    PID:4512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe
1⤵
PID:2660
- C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe
  2⤵
  PID:376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe .
1⤵
PID:1308
- C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2332
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\fslzqkfxmzahcyhsl.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ykcpfysjxjjpjemw.exe
1⤵
PID:4648
- C:\Windows\ykcpfysjxjjpjemw.exe
  ykcpfysjxjjpjemw.exe
  2⤵
  PID:944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mcypjgezrhlvtsesopiy.exe .
1⤵
PID:432
- C:\Windows\mcypjgezrhlvtsesopiy.exe
  mcypjgezrhlvtsesopiy.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1836
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\mcypjgezrhlvtsesopiy.exe*."
    3⤵
    PID:4328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mcypjgezrhlvtsesopiy.exe
1⤵
PID:1196
- C:\Windows\mcypjgezrhlvtsesopiy.exe
  mcypjgezrhlvtsesopiy.exe
  2⤵
  PID:2060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zojzsolfwloxusdqlld.exe .
1⤵
PID:2968
- C:\Windows\zojzsolfwloxusdqlld.exe
  zojzsolfwloxusdqlld.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2408
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\zojzsolfwloxusdqlld.exe*."
    3⤵
    PID:2000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
1⤵
PID:2388
- C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
  2⤵
  PID:4136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe .
1⤵
PID:1660
- C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe
  C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1604
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\zojzsolfwloxusdqlld.exe*."
    3⤵
    PID:3444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe
1⤵
PID:4016
- C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe
  C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe
  2⤵
  PID:4420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe .
1⤵
PID:2108
- C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe
  C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2596
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\zojzsolfwloxusdqlld.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mcypjgezrhlvtsesopiy.exe
1⤵
PID:5032
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4036
- C:\Windows\mcypjgezrhlvtsesopiy.exe
  mcypjgezrhlvtsesopiy.exe
  2⤵
  PID:4044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocwldyundrtbxueqkj.exe .
1⤵
PID:1864
- C:\Windows\ocwldyundrtbxueqkj.exe
  ocwldyundrtbxueqkj.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:636
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ocwldyundrtbxueqkj.exe*."
    3⤵
    PID:3428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zojzsolfwloxusdqlld.exe
1⤵
PID:1448
- C:\Windows\zojzsolfwloxusdqlld.exe
  zojzsolfwloxusdqlld.exe
  2⤵
  PID:1272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bsphcazvofkvuuhwtvpgd.exe .
1⤵
PID:4708
- C:\Windows\bsphcazvofkvuuhwtvpgd.exe
  bsphcazvofkvuuhwtvpgd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3596
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\bsphcazvofkvuuhwtvpgd.exe*."
    3⤵
    PID:4992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe
1⤵
PID:3624
- C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe
  2⤵
  PID:512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe .
1⤵
PID:1700
- C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4120
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ykcpfysjxjjpjemw.exe*."
    3⤵
    PID:432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
1⤵
PID:1540
- C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
  2⤵
  PID:3816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe .
1⤵
PID:3896
- C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3988
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ykcpfysjxjjpjemw.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ykcpfysjxjjpjemw.exe
1⤵
PID:4640
- C:\Windows\ykcpfysjxjjpjemw.exe
  ykcpfysjxjjpjemw.exe
  2⤵
  PID:1228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zojzsolfwloxusdqlld.exe .
1⤵
PID:4624
- C:\Windows\zojzsolfwloxusdqlld.exe
  zojzsolfwloxusdqlld.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4372
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\zojzsolfwloxusdqlld.exe*."
    3⤵
    PID:3468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocwldyundrtbxueqkj.exe
1⤵
PID:3872
- C:\Windows\ocwldyundrtbxueqkj.exe
  ocwldyundrtbxueqkj.exe
  2⤵
  PID:3604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mcypjgezrhlvtsesopiy.exe
1⤵
PID:3712
- C:\Windows\mcypjgezrhlvtsesopiy.exe
  mcypjgezrhlvtsesopiy.exe
  2⤵
  PID:2960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mcypjgezrhlvtsesopiy.exe
1⤵
PID:4496
- C:\Windows\mcypjgezrhlvtsesopiy.exe
  mcypjgezrhlvtsesopiy.exe
  2⤵
  PID:1608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fslzqkfxmzahcyhsl.exe .
1⤵
PID:3404
- C:\Windows\fslzqkfxmzahcyhsl.exe
  fslzqkfxmzahcyhsl.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2444
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\fslzqkfxmzahcyhsl.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsphcazvofkvuuhwtvpgd.exe
1⤵
PID:3972
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1532
- C:\Users\Admin\AppData\Local\Temp\bsphcazvofkvuuhwtvpgd.exe
  C:\Users\Admin\AppData\Local\Temp\bsphcazvofkvuuhwtvpgd.exe
  2⤵
  PID:3624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fslzqkfxmzahcyhsl.exe .
1⤵
PID:4216
- C:\Windows\fslzqkfxmzahcyhsl.exe
  fslzqkfxmzahcyhsl.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4408
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\fslzqkfxmzahcyhsl.exe*."
    3⤵
    PID:3148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fslzqkfxmzahcyhsl.exe .
1⤵
PID:2756
- C:\Windows\fslzqkfxmzahcyhsl.exe
  fslzqkfxmzahcyhsl.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1732
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\fslzqkfxmzahcyhsl.exe*."
    3⤵
    PID:3416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe .
1⤵
PID:4916
- C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4260
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ocwldyundrtbxueqkj.exe*."
    3⤵
    PID:720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mcypjgezrhlvtsesopiy.exe
1⤵
PID:3596
- C:\Windows\mcypjgezrhlvtsesopiy.exe
  mcypjgezrhlvtsesopiy.exe
  2⤵
  PID:4400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocwldyundrtbxueqkj.exe
1⤵
PID:4992
- C:\Windows\ocwldyundrtbxueqkj.exe
  ocwldyundrtbxueqkj.exe
  2⤵
  PID:3328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ykcpfysjxjjpjemw.exe .
1⤵
PID:2612
- C:\Windows\ykcpfysjxjjpjemw.exe
  ykcpfysjxjjpjemw.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2404
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ykcpfysjxjjpjemw.exe*."
    3⤵
    PID:2636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocwldyundrtbxueqkj.exe .
1⤵
PID:5028
- C:\Windows\ocwldyundrtbxueqkj.exe
  ocwldyundrtbxueqkj.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2720
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ocwldyundrtbxueqkj.exe*."
    3⤵
    PID:5008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
1⤵
PID:3540
- C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
  2⤵
  PID:4144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
1⤵
PID:3324
- C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
  2⤵
  PID:4400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe
1⤵
PID:2388
- C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe
  2⤵
  PID:1608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe .
1⤵
PID:5100
- C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1952
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ocwldyundrtbxueqkj.exe*."
    3⤵
    PID:4312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe .
1⤵
PID:5044
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4880
- C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe .
  2⤵
  PID:2108
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\mcypjgezrhlvtsesopiy.exe*."
    3⤵
    PID:1584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe .
1⤵
PID:1980
- C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe .
  2⤵
  PID:3468
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ykcpfysjxjjpjemw.exe*."
    3⤵
    PID:4044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
1⤵
PID:1524
- C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
  2⤵
  PID:4068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsphcazvofkvuuhwtvpgd.exe
1⤵
PID:4044
- C:\Users\Admin\AppData\Local\Temp\bsphcazvofkvuuhwtvpgd.exe
  C:\Users\Admin\AppData\Local\Temp\bsphcazvofkvuuhwtvpgd.exe
  2⤵
  PID:2728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe .
1⤵
PID:1616
- C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe .
  2⤵
  PID:2804
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ocwldyundrtbxueqkj.exe*."
    3⤵
    PID:1448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsphcazvofkvuuhwtvpgd.exe .
1⤵
PID:2656
- C:\Users\Admin\AppData\Local\Temp\bsphcazvofkvuuhwtvpgd.exe
  C:\Users\Admin\AppData\Local\Temp\bsphcazvofkvuuhwtvpgd.exe .
  2⤵
  PID:3856
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\bsphcazvofkvuuhwtvpgd.exe*."
    3⤵
    PID:636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocwldyundrtbxueqkj.exe
1⤵
PID:3128
- C:\Windows\ocwldyundrtbxueqkj.exe
  ocwldyundrtbxueqkj.exe
  2⤵
  PID:3616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bsphcazvofkvuuhwtvpgd.exe .
1⤵
PID:3328
- C:\Windows\bsphcazvofkvuuhwtvpgd.exe
  bsphcazvofkvuuhwtvpgd.exe .
  2⤵
  PID:4092
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\bsphcazvofkvuuhwtvpgd.exe*."
    3⤵
    PID:4840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bsphcazvofkvuuhwtvpgd.exe
1⤵
PID:1464
- C:\Windows\bsphcazvofkvuuhwtvpgd.exe
  bsphcazvofkvuuhwtvpgd.exe
  2⤵
  PID:4708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mcypjgezrhlvtsesopiy.exe .
1⤵
PID:4940
- C:\Windows\mcypjgezrhlvtsesopiy.exe
  mcypjgezrhlvtsesopiy.exe .
  2⤵
  PID:1832
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\mcypjgezrhlvtsesopiy.exe*."
    3⤵
    PID:5008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe
1⤵
PID:1636
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2444
- C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe
  2⤵
  PID:2964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe .
1⤵
PID:2404
- C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe .
  2⤵
  PID:3616
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ocwldyundrtbxueqkj.exe*."
    3⤵
    PID:4004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe
1⤵
PID:5096
- C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe
  C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe
  2⤵
  PID:880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe .
1⤵
PID:4000
- C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe .
  2⤵
  PID:1524
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ykcpfysjxjjpjemw.exe*."
    3⤵
    PID:4624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocwldyundrtbxueqkj.exe
1⤵
PID:2216
- C:\Windows\ocwldyundrtbxueqkj.exe
  ocwldyundrtbxueqkj.exe
  2⤵
  PID:4048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ykcpfysjxjjpjemw.exe .
1⤵
PID:1876
- C:\Windows\ykcpfysjxjjpjemw.exe
  ykcpfysjxjjpjemw.exe .
  2⤵
  PID:3420
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ykcpfysjxjjpjemw.exe*."
    3⤵
    PID:4788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocwldyundrtbxueqkj.exe
1⤵
PID:4292
- C:\Windows\ocwldyundrtbxueqkj.exe
  ocwldyundrtbxueqkj.exe
  2⤵
  PID:3596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocwldyundrtbxueqkj.exe .
1⤵
PID:2024
- C:\Windows\ocwldyundrtbxueqkj.exe
  ocwldyundrtbxueqkj.exe .
  2⤵
  PID:2420
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ocwldyundrtbxueqkj.exe*."
    3⤵
    PID:2468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe
1⤵
PID:4608
- C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe
  2⤵
  PID:2388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe .
1⤵
PID:720
- C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe .
  2⤵
  PID:4744
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\mcypjgezrhlvtsesopiy.exe*."
    3⤵
    PID:3984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe
1⤵
PID:2960
- C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe
  2⤵
  PID:4940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe .
1⤵
PID:376
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3468
- C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe .
  2⤵
  PID:4264
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ykcpfysjxjjpjemw.exe*."
    3⤵
    PID:1772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mcypjgezrhlvtsesopiy.exe
1⤵
PID:3404
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5028
- C:\Windows\mcypjgezrhlvtsesopiy.exe
  mcypjgezrhlvtsesopiy.exe
  2⤵
  PID:3248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocwldyundrtbxueqkj.exe .
1⤵
PID:2612
- C:\Windows\ocwldyundrtbxueqkj.exe
  ocwldyundrtbxueqkj.exe .
  2⤵
  PID:2984
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ocwldyundrtbxueqkj.exe*."
    3⤵
    PID:1864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mcypjgezrhlvtsesopiy.exe
1⤵
PID:5044
- C:\Windows\mcypjgezrhlvtsesopiy.exe
  mcypjgezrhlvtsesopiy.exe
  2⤵
  PID:1484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocwldyundrtbxueqkj.exe .
1⤵
PID:1536
- C:\Windows\ocwldyundrtbxueqkj.exe
  ocwldyundrtbxueqkj.exe .
  2⤵
  PID:1012
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ocwldyundrtbxueqkj.exe*."
    3⤵
    PID:4004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
1⤵
PID:2388
- C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
  2⤵
  PID:2964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe .
1⤵
PID:3748
- C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe
  C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe .
  2⤵
  PID:2448
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\zojzsolfwloxusdqlld.exe*."
    3⤵
    PID:2840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
1⤵
PID:2884
- C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
  2⤵
  PID:2252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe .
1⤵
PID:872
- C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe .
  2⤵
  PID:3668
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ocwldyundrtbxueqkj.exe*."
    3⤵
    PID:636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ykcpfysjxjjpjemw.exe
1⤵
PID:936
- C:\Windows\ykcpfysjxjjpjemw.exe
  ykcpfysjxjjpjemw.exe
  2⤵
  PID:1804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bsphcazvofkvuuhwtvpgd.exe .
1⤵
PID:3428
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1420
- C:\Windows\bsphcazvofkvuuhwtvpgd.exe
  bsphcazvofkvuuhwtvpgd.exe .
  2⤵
  PID:4408
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\bsphcazvofkvuuhwtvpgd.exe*."
    3⤵
    PID:1332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocwldyundrtbxueqkj.exe
1⤵
PID:372
- C:\Windows\ocwldyundrtbxueqkj.exe
  ocwldyundrtbxueqkj.exe
  2⤵
  PID:1484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bsphcazvofkvuuhwtvpgd.exe .
1⤵
PID:3384
- C:\Windows\bsphcazvofkvuuhwtvpgd.exe
  bsphcazvofkvuuhwtvpgd.exe .
  2⤵
  PID:3892
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\bsphcazvofkvuuhwtvpgd.exe*."
    3⤵
    PID:3324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe
1⤵
PID:2932
- C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe
  2⤵
  PID:1948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe .
1⤵
PID:2976
- C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe
  C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe .
  2⤵
  PID:3176
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\zojzsolfwloxusdqlld.exe*."
    3⤵
    PID:1624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
1⤵
PID:1736
- C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
  2⤵
  PID:3112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe .
1⤵
PID:2060
- C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe .
  2⤵
  PID:4316
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ykcpfysjxjjpjemw.exe*."
    3⤵
    PID:3188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fslzqkfxmzahcyhsl.exe
1⤵
PID:3276
- C:\Windows\fslzqkfxmzahcyhsl.exe
  fslzqkfxmzahcyhsl.exe
  2⤵
  PID:2396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mcypjgezrhlvtsesopiy.exe .
1⤵
PID:3404
- C:\Windows\mcypjgezrhlvtsesopiy.exe
  mcypjgezrhlvtsesopiy.exe .
  2⤵
  PID:4620
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\mcypjgezrhlvtsesopiy.exe*."
    3⤵
    PID:1808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mcypjgezrhlvtsesopiy.exe
1⤵
PID:4992
- C:\Windows\mcypjgezrhlvtsesopiy.exe
  mcypjgezrhlvtsesopiy.exe
  2⤵
  PID:4768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fslzqkfxmzahcyhsl.exe .
1⤵
PID:4884
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:372
- C:\Windows\fslzqkfxmzahcyhsl.exe
  fslzqkfxmzahcyhsl.exe .
  2⤵
  PID:2468
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\fslzqkfxmzahcyhsl.exe*."
    3⤵
    PID:4592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
1⤵
PID:2932
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3972
- C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
  2⤵
  PID:4004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe .
1⤵
PID:2984
- C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe .
  2⤵
  PID:2420
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ocwldyundrtbxueqkj.exe*."
    3⤵
    PID:3616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe
1⤵
PID:2404
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:636
- C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe
  2⤵
  PID:1216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe .
1⤵
PID:3472
- C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe .
  2⤵
  PID:872
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\fslzqkfxmzahcyhsl.exe*."
    3⤵
    PID:1108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocwldyundrtbxueqkj.exe
1⤵
PID:512
- C:\Windows\ocwldyundrtbxueqkj.exe
  ocwldyundrtbxueqkj.exe
  2⤵
  PID:1700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fslzqkfxmzahcyhsl.exe .
1⤵
PID:3404
- C:\Windows\fslzqkfxmzahcyhsl.exe
  fslzqkfxmzahcyhsl.exe .
  2⤵
  PID:1800
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\fslzqkfxmzahcyhsl.exe*."
    3⤵
    PID:4916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fslzqkfxmzahcyhsl.exe
1⤵
PID:4740
- C:\Windows\fslzqkfxmzahcyhsl.exe
  fslzqkfxmzahcyhsl.exe
  2⤵
  PID:4168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bsphcazvofkvuuhwtvpgd.exe .
1⤵
PID:4592
- C:\Windows\bsphcazvofkvuuhwtvpgd.exe
  bsphcazvofkvuuhwtvpgd.exe .
  2⤵
  PID:3764
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\bsphcazvofkvuuhwtvpgd.exe*."
    3⤵
    PID:2404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsphcazvofkvuuhwtvpgd.exe
1⤵
PID:4884
- C:\Users\Admin\AppData\Local\Temp\bsphcazvofkvuuhwtvpgd.exe
  C:\Users\Admin\AppData\Local\Temp\bsphcazvofkvuuhwtvpgd.exe
  2⤵
  PID:4784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bsphcazvofkvuuhwtvpgd.exe
1⤵
PID:4512
- C:\Windows\bsphcazvofkvuuhwtvpgd.exe
  bsphcazvofkvuuhwtvpgd.exe
  2⤵
  PID:1448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe .
1⤵
PID:1864
- C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe .
  2⤵
  PID:2252
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\mcypjgezrhlvtsesopiy.exe*."
    3⤵
    PID:1328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ykcpfysjxjjpjemw.exe
1⤵
PID:2060
- C:\Windows\ykcpfysjxjjpjemw.exe
  ykcpfysjxjjpjemw.exe
  2⤵
  PID:4868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ykcpfysjxjjpjemw.exe .
1⤵
PID:2736
- C:\Windows\ykcpfysjxjjpjemw.exe
  ykcpfysjxjjpjemw.exe .
  2⤵
  PID:1700
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ykcpfysjxjjpjemw.exe*."
    3⤵
    PID:4808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zojzsolfwloxusdqlld.exe .
1⤵
PID:4000
- C:\Windows\zojzsolfwloxusdqlld.exe
  zojzsolfwloxusdqlld.exe .
  2⤵
  PID:2716
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\zojzsolfwloxusdqlld.exe*."
    3⤵
    PID:868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
1⤵
PID:3884
- C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
  2⤵
  PID:2396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe .
1⤵
PID:4488
- C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe .
  2⤵
  PID:2060
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\mcypjgezrhlvtsesopiy.exe*."
    3⤵
    PID:3816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bsphcazvofkvuuhwtvpgd.exe
1⤵
PID:2388
- C:\Windows\bsphcazvofkvuuhwtvpgd.exe
  bsphcazvofkvuuhwtvpgd.exe
  2⤵
  PID:1236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocwldyundrtbxueqkj.exe .
1⤵
PID:4508
- C:\Windows\ocwldyundrtbxueqkj.exe
  ocwldyundrtbxueqkj.exe .
  2⤵
  PID:1584
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ocwldyundrtbxueqkj.exe*."
    3⤵
    PID:1524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zojzsolfwloxusdqlld.exe
1⤵
PID:4708
- C:\Windows\zojzsolfwloxusdqlld.exe
  zojzsolfwloxusdqlld.exe
  2⤵
  PID:428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bsphcazvofkvuuhwtvpgd.exe .
1⤵
PID:4316
- C:\Windows\bsphcazvofkvuuhwtvpgd.exe
  bsphcazvofkvuuhwtvpgd.exe .
  2⤵
  PID:1540
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\bsphcazvofkvuuhwtvpgd.exe*."
    3⤵
    PID:1216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
1⤵
PID:376
- C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
  2⤵
  PID:3328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsphcazvofkvuuhwtvpgd.exe .
1⤵
PID:3148
- C:\Users\Admin\AppData\Local\Temp\bsphcazvofkvuuhwtvpgd.exe
  C:\Users\Admin\AppData\Local\Temp\bsphcazvofkvuuhwtvpgd.exe .
  2⤵
  PID:2900
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\bsphcazvofkvuuhwtvpgd.exe*."
    3⤵
    PID:5020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
1⤵
PID:4884
- C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
  2⤵
  PID:4044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe .
1⤵
PID:2940
- C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe .
  2⤵
  PID:5112
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ocwldyundrtbxueqkj.exe*."
    3⤵
    PID:2668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe
1⤵
PID:4716
- C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe
  2⤵
  PID:692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe .
1⤵
PID:1328
- C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe .
  2⤵
  PID:1216
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ocwldyundrtbxueqkj.exe*."
    3⤵
    PID:1536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
1⤵
PID:3908
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4408
- C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
  2⤵
  PID:2636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe .
1⤵
PID:2404
- C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe .
  2⤵
  PID:3172
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\mcypjgezrhlvtsesopiy.exe*."
    3⤵
    PID:5112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fslzqkfxmzahcyhsl.exe
1⤵
PID:2804
- C:\Windows\fslzqkfxmzahcyhsl.exe
  fslzqkfxmzahcyhsl.exe
  2⤵
  PID:392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mcypjgezrhlvtsesopiy.exe .
1⤵
PID:1804
- C:\Windows\mcypjgezrhlvtsesopiy.exe
  mcypjgezrhlvtsesopiy.exe .
  2⤵
  PID:3816
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\mcypjgezrhlvtsesopiy.exe*."
    3⤵
    PID:8

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fslzqkfxmzahcyhsl.exe
1⤵
PID:512
- C:\Windows\fslzqkfxmzahcyhsl.exe
  fslzqkfxmzahcyhsl.exe
  2⤵
  PID:3668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mcypjgezrhlvtsesopiy.exe .
1⤵
PID:4708
- C:\Windows\mcypjgezrhlvtsesopiy.exe
  mcypjgezrhlvtsesopiy.exe .
  2⤵
  PID:4700
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\mcypjgezrhlvtsesopiy.exe*."
    3⤵
    PID:4168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe
1⤵
PID:1012
- C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe
  2⤵
  PID:3148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe .
1⤵
PID:376
- C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe .
  2⤵
  PID:2636
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\fslzqkfxmzahcyhsl.exe*."
    3⤵
    PID:1948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
1⤵
PID:1332
- C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
  2⤵
  PID:3892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe .
1⤵
PID:4360
- C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe
  C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe .
  2⤵
  PID:4916
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\zojzsolfwloxusdqlld.exe*."
    3⤵
    PID:3276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocwldyundrtbxueqkj.exe
1⤵
PID:3816
- C:\Windows\ocwldyundrtbxueqkj.exe
  ocwldyundrtbxueqkj.exe
  2⤵
  PID:3468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ykcpfysjxjjpjemw.exe .
1⤵
PID:4788
- C:\Windows\ykcpfysjxjjpjemw.exe
  ykcpfysjxjjpjemw.exe .
  2⤵
  PID:3604
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ykcpfysjxjjpjemw.exe*."
    3⤵
    PID:2108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fslzqkfxmzahcyhsl.exe
1⤵
PID:3768
- C:\Windows\fslzqkfxmzahcyhsl.exe
  fslzqkfxmzahcyhsl.exe
  2⤵
  PID:4564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fslzqkfxmzahcyhsl.exe .
1⤵
PID:2612
- C:\Windows\fslzqkfxmzahcyhsl.exe
  fslzqkfxmzahcyhsl.exe .
  2⤵
  PID:1600
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\fslzqkfxmzahcyhsl.exe*."
    3⤵
    PID:2340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
1⤵
PID:1448
- C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
  2⤵
  PID:2660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe .
1⤵
PID:868
- C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe .
  2⤵
  PID:4052
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\fslzqkfxmzahcyhsl.exe*."
    3⤵
    PID:5100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsphcazvofkvuuhwtvpgd.exe
1⤵
PID:3544
- C:\Users\Admin\AppData\Local\Temp\bsphcazvofkvuuhwtvpgd.exe
  C:\Users\Admin\AppData\Local\Temp\bsphcazvofkvuuhwtvpgd.exe
  2⤵
  PID:4404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe .
1⤵
PID:3892
- C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe .
  2⤵
  PID:1368
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\mcypjgezrhlvtsesopiy.exe*."
    3⤵
    PID:4916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mcypjgezrhlvtsesopiy.exe
1⤵
PID:1536
- C:\Windows\mcypjgezrhlvtsesopiy.exe
  mcypjgezrhlvtsesopiy.exe
  2⤵
  PID:4488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bsphcazvofkvuuhwtvpgd.exe .
1⤵
PID:3816
- C:\Windows\bsphcazvofkvuuhwtvpgd.exe
  bsphcazvofkvuuhwtvpgd.exe .
  2⤵
  PID:3104
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\bsphcazvofkvuuhwtvpgd.exe*."
    3⤵
    PID:3056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ykcpfysjxjjpjemw.exe
1⤵
PID:1832
- C:\Windows\ykcpfysjxjjpjemw.exe
  ykcpfysjxjjpjemw.exe
  2⤵
  PID:2660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ykcpfysjxjjpjemw.exe .
1⤵
PID:3820
- C:\Windows\ykcpfysjxjjpjemw.exe
  ykcpfysjxjjpjemw.exe .
  2⤵
  PID:4324
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ykcpfysjxjjpjemw.exe*."
    3⤵
    PID:1108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe
1⤵
PID:4388
- C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe
  C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe
  2⤵
  PID:4740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe .
1⤵
PID:456
- C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe .
  2⤵
  PID:4592
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ocwldyundrtbxueqkj.exe*."
    3⤵
    PID:4868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
1⤵
PID:3860
- C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
  2⤵
  PID:4356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe .
1⤵
PID:2312
- C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe .
  2⤵
  PID:3016
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\fslzqkfxmzahcyhsl.exe*."
    3⤵
    PID:3964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fslzqkfxmzahcyhsl.exe
1⤵
PID:1368
- C:\Windows\fslzqkfxmzahcyhsl.exe
  fslzqkfxmzahcyhsl.exe
  2⤵
  PID:2152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bsphcazvofkvuuhwtvpgd.exe .
1⤵
PID:1972
- C:\Windows\bsphcazvofkvuuhwtvpgd.exe
  bsphcazvofkvuuhwtvpgd.exe .
  2⤵
  PID:4392
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\bsphcazvofkvuuhwtvpgd.exe*."
    3⤵
    PID:4812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ykcpfysjxjjpjemw.exe
1⤵
PID:4648
- C:\Windows\ykcpfysjxjjpjemw.exe
  ykcpfysjxjjpjemw.exe
  2⤵
  PID:3816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fslzqkfxmzahcyhsl.exe .
1⤵
PID:3972
- C:\Windows\fslzqkfxmzahcyhsl.exe
  fslzqkfxmzahcyhsl.exe .
  2⤵
  PID:4740
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\fslzqkfxmzahcyhsl.exe*."
    3⤵
    PID:1448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
1⤵
PID:2716
- C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
  2⤵
  PID:3128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe .
1⤵
PID:4780
- C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe .
  2⤵
  PID:3764
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\mcypjgezrhlvtsesopiy.exe*."
    3⤵
    PID:3976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe
1⤵
PID:1800
- C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe
  2⤵
  PID:3020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe .
1⤵
PID:456
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1732
- C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe
  C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe .
  2⤵
  PID:3860
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\zojzsolfwloxusdqlld.exe*."
    3⤵
    PID:1736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ykcpfysjxjjpjemw.exe
1⤵
PID:880
- C:\Windows\ykcpfysjxjjpjemw.exe
  ykcpfysjxjjpjemw.exe
  2⤵
  PID:3748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ykcpfysjxjjpjemw.exe .
1⤵
PID:2152
- C:\Windows\ykcpfysjxjjpjemw.exe
  ykcpfysjxjjpjemw.exe .
  2⤵
  PID:3840
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ykcpfysjxjjpjemw.exe*."
    3⤵
    PID:2408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bsphcazvofkvuuhwtvpgd.exe
1⤵
PID:5072
- C:\Windows\bsphcazvofkvuuhwtvpgd.exe
  bsphcazvofkvuuhwtvpgd.exe
  2⤵
  PID:4088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fslzqkfxmzahcyhsl.exe .
1⤵
PID:4644
- C:\Windows\fslzqkfxmzahcyhsl.exe
  fslzqkfxmzahcyhsl.exe .
  2⤵
  PID:1012
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\fslzqkfxmzahcyhsl.exe*."
    3⤵
    PID:2060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe
1⤵
PID:512
- C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe
  C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe
  2⤵
  PID:4640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe .
1⤵
PID:2840
- C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe
  C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe .
  2⤵
  PID:1940
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\zojzsolfwloxusdqlld.exe*."
    3⤵
    PID:3856
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:1196
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:4648
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:6044
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:6128
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:5832
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:1972
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:4420
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:3104
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:6076
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:5232
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:4316
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:6032
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:3972
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:5604
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:2952
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:3976
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:6116
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:5460
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:5856
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:5136
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:2404
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:5592
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:4760
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:3108
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:5464
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:5580
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:1664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe
1⤵
PID:1700
- C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe
  2⤵
  PID:4388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe .
1⤵
PID:3820
- C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe .
  2⤵
  PID:4508
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\mcypjgezrhlvtsesopiy.exe*."
    3⤵
    PID:3020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qesqlzugfqtbxueqkj.exe
1⤵
PID:2448
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2404
- C:\Windows\qesqlzugfqtbxueqkj.exe
  qesqlzugfqtbxueqkj.exe
  2⤵
  PID:2996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c huheylfqoyahcyhsl.exe .
1⤵
PID:3036
- C:\Windows\huheylfqoyahcyhsl.exe
  huheylfqoyahcyhsl.exe .
  2⤵
  PID:2068
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\huheylfqoyahcyhsl.exe*."
    3⤵
    PID:5096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocwldyundrtbxueqkj.exe
1⤵
PID:4660
- C:\Windows\ocwldyundrtbxueqkj.exe
  ocwldyundrtbxueqkj.exe
  2⤵
  PID:4952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dulmkbzoqekvuuhwtvriz.exe
1⤵
PID:432
- C:\Windows\dulmkbzoqekvuuhwtvriz.exe
  dulmkbzoqekvuuhwtvriz.exe
  2⤵
  PID:880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oeuurhestglvtsesopka.exe .
1⤵
PID:4152
- C:\Windows\oeuurhestglvtsesopka.exe
  oeuurhestglvtsesopka.exe .
  2⤵
  PID:3892
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\oeuurhestglvtsesopka.exe*."
    3⤵
    PID:2756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mcypjgezrhlvtsesopiy.exe .
1⤵
PID:4312
- C:\Windows\mcypjgezrhlvtsesopiy.exe
  mcypjgezrhlvtsesopiy.exe .
  2⤵
  PID:1864
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\mcypjgezrhlvtsesopiy.exe*."
    3⤵
    PID:4360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qesqlzugfqtbxueqkj.exe
1⤵
PID:4812
- C:\Users\Admin\AppData\Local\Temp\qesqlzugfqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\qesqlzugfqtbxueqkj.exe
  2⤵
  PID:4872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\huheylfqoyahcyhsl.exe .
1⤵
PID:1584
- C:\Users\Admin\AppData\Local\Temp\huheylfqoyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\huheylfqoyahcyhsl.exe .
  2⤵
  PID:4508
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\huheylfqoyahcyhsl.exe*."
    3⤵
    PID:5096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mcypjgezrhlvtsesopiy.exe
1⤵
PID:1944
- C:\Windows\mcypjgezrhlvtsesopiy.exe
  mcypjgezrhlvtsesopiy.exe
  2⤵
  PID:5020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ykcpfysjxjjpjemw.exe .
1⤵
PID:4004
- C:\Windows\ykcpfysjxjjpjemw.exe
  ykcpfysjxjjpjemw.exe .
  2⤵
  PID:4784
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ykcpfysjxjjpjemw.exe*."
    3⤵
    PID:1604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe
1⤵
PID:2396
- C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe
  2⤵
  PID:1748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dulmkbzoqekvuuhwtvriz.exe
1⤵
PID:668
- C:\Users\Admin\AppData\Local\Temp\dulmkbzoqekvuuhwtvriz.exe
  C:\Users\Admin\AppData\Local\Temp\dulmkbzoqekvuuhwtvriz.exe
  2⤵
  PID:3112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe .
1⤵
PID:2692
- C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe .
  2⤵
  PID:3472
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ocwldyundrtbxueqkj.exe*."
    3⤵
    PID:3624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dulmkbzoqekvuuhwtvriz.exe .
1⤵
PID:4748
- C:\Users\Admin\AppData\Local\Temp\dulmkbzoqekvuuhwtvriz.exe
  C:\Users\Admin\AppData\Local\Temp\dulmkbzoqekvuuhwtvriz.exe .
  2⤵
  PID:2940
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\dulmkbzoqekvuuhwtvriz.exe*."
    3⤵
    PID:2800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
1⤵
PID:2636
- C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
  2⤵
  PID:4748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe .
1⤵
PID:4952
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2804
- C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe .
  2⤵
  PID:2736
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ykcpfysjxjjpjemw.exe*."
    3⤵
    PID:2716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bsphcazvofkvuuhwtvpgd.exe
1⤵
PID:4620
- C:\Windows\bsphcazvofkvuuhwtvpgd.exe
  bsphcazvofkvuuhwtvpgd.exe
  2⤵
  PID:4748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fslzqkfxmzahcyhsl.exe
1⤵
PID:3100
- C:\Windows\fslzqkfxmzahcyhsl.exe
  fslzqkfxmzahcyhsl.exe
  2⤵
  PID:1524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bsphcazvofkvuuhwtvpgd.exe .
1⤵
PID:2108
- C:\Windows\bsphcazvofkvuuhwtvpgd.exe
  bsphcazvofkvuuhwtvpgd.exe .
  2⤵
  PID:3976
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\bsphcazvofkvuuhwtvpgd.exe*."
    3⤵
    PID:5352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zojzsolfwloxusdqlld.exe .
1⤵
PID:2420
- C:\Windows\zojzsolfwloxusdqlld.exe
  zojzsolfwloxusdqlld.exe .
  2⤵
  PID:2276
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\zojzsolfwloxusdqlld.exe*."
    3⤵
    PID:5180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocwldyundrtbxueqkj.exe
1⤵
PID:5112
- C:\Windows\ocwldyundrtbxueqkj.exe
  ocwldyundrtbxueqkj.exe
  2⤵
  PID:4788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bsphcazvofkvuuhwtvpgd.exe
1⤵
PID:3840
- C:\Windows\bsphcazvofkvuuhwtvpgd.exe
  bsphcazvofkvuuhwtvpgd.exe
  2⤵
  PID:5408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ykcpfysjxjjpjemw.exe
1⤵
PID:4940
- C:\Windows\ykcpfysjxjjpjemw.exe
  ykcpfysjxjjpjemw.exe
  2⤵
  PID:5248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bsphcazvofkvuuhwtvpgd.exe .
1⤵
PID:3620
- C:\Windows\bsphcazvofkvuuhwtvpgd.exe
  bsphcazvofkvuuhwtvpgd.exe .
  2⤵
  PID:5372
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\bsphcazvofkvuuhwtvpgd.exe*."
    3⤵
    PID:5700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocwldyundrtbxueqkj.exe .
1⤵
PID:3768
- C:\Windows\ocwldyundrtbxueqkj.exe
  ocwldyundrtbxueqkj.exe .
  2⤵
  PID:4748
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ocwldyundrtbxueqkj.exe*."
    3⤵
    PID:5472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe
1⤵
PID:3912
- C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe
  C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe
  2⤵
  PID:5420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe .
1⤵
PID:3296
- C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe .
  2⤵
  PID:4744
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\mcypjgezrhlvtsesopiy.exe*."
    3⤵
    PID:5292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fslzqkfxmzahcyhsl.exe .
1⤵
PID:4328
- C:\Windows\fslzqkfxmzahcyhsl.exe
  fslzqkfxmzahcyhsl.exe .
  2⤵
  PID:5680
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\fslzqkfxmzahcyhsl.exe*."
    3⤵
    PID:5888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
1⤵
PID:4488
- C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
  2⤵
  PID:5932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe .
1⤵
PID:2684
- C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe .
  2⤵
  PID:3624
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\mcypjgezrhlvtsesopiy.exe*."
    3⤵
    PID:5240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bsphcazvofkvuuhwtvpgd.exe
1⤵
PID:2024
- C:\Windows\bsphcazvofkvuuhwtvpgd.exe
  bsphcazvofkvuuhwtvpgd.exe
  2⤵
  PID:5508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe
1⤵
PID:3404
- C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe
  C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe
  2⤵
  PID:5628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocwldyundrtbxueqkj.exe .
1⤵
PID:5008
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4164
- C:\Windows\ocwldyundrtbxueqkj.exe
  ocwldyundrtbxueqkj.exe .
  2⤵
  PID:5636
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ocwldyundrtbxueqkj.exe*."
    3⤵
    PID:5880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe
1⤵
PID:2072
- C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe
  C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe
  2⤵
  PID:5660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe .
1⤵
PID:1532
- C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe .
  2⤵
  PID:5784
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ykcpfysjxjjpjemw.exe*."
    3⤵
    PID:5996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsphcazvofkvuuhwtvpgd.exe
1⤵
PID:1844
- C:\Users\Admin\AppData\Local\Temp\bsphcazvofkvuuhwtvpgd.exe
  C:\Users\Admin\AppData\Local\Temp\bsphcazvofkvuuhwtvpgd.exe
  2⤵
  PID:5816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe .
1⤵
PID:4648
- C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe .
  2⤵
  PID:4100
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\mcypjgezrhlvtsesopiy.exe*."
    3⤵
    PID:5308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe .
1⤵
PID:3176
- C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe .
  2⤵
  PID:5872
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ykcpfysjxjjpjemw.exe*."
    3⤵
    PID:6052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
1⤵
PID:5428
- C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
  2⤵
  PID:5764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe .
1⤵
PID:5520
- C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe .
  2⤵
  PID:428
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\mcypjgezrhlvtsesopiy.exe*."
    3⤵
    PID:4152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c huheylfqoyahcyhsl.exe
1⤵
PID:5916
- C:\Windows\huheylfqoyahcyhsl.exe
  huheylfqoyahcyhsl.exe
  2⤵
  PID:2088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocwldyundrtbxueqkj.exe
1⤵
PID:6084
- C:\Windows\ocwldyundrtbxueqkj.exe
  ocwldyundrtbxueqkj.exe
  2⤵
  PID:5264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qesqlzugfqtbxueqkj.exe .
1⤵
PID:6120
- C:\Windows\qesqlzugfqtbxueqkj.exe
  qesqlzugfqtbxueqkj.exe .
  2⤵
  PID:2692
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\qesqlzugfqtbxueqkj.exe*."
    3⤵
    PID:5424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fslzqkfxmzahcyhsl.exe .
1⤵
PID:5180
- C:\Windows\fslzqkfxmzahcyhsl.exe
  fslzqkfxmzahcyhsl.exe .
  2⤵
  PID:4316
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\fslzqkfxmzahcyhsl.exe*."
    3⤵
    PID:2420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oeuurhestglvtsesopka.exe
1⤵
PID:1584
- C:\Windows\oeuurhestglvtsesopka.exe
  oeuurhestglvtsesopka.exe
  2⤵
  PID:1648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bqfeaplyykoxusdqllf.exe .
1⤵
PID:624
- C:\Windows\bqfeaplyykoxusdqllf.exe
  bqfeaplyykoxusdqllf.exe .
  2⤵
  PID:3324
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\bqfeaplyykoxusdqllf.exe*."
    3⤵
    PID:3800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fslzqkfxmzahcyhsl.exe
1⤵
PID:4952
- C:\Windows\fslzqkfxmzahcyhsl.exe
  fslzqkfxmzahcyhsl.exe
  2⤵
  PID:936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\huheylfqoyahcyhsl.exe
1⤵
PID:5112
- C:\Users\Admin\AppData\Local\Temp\huheylfqoyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\huheylfqoyahcyhsl.exe
  2⤵
  PID:1832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zojzsolfwloxusdqlld.exe .
1⤵
PID:5484
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1808
- C:\Windows\zojzsolfwloxusdqlld.exe
  zojzsolfwloxusdqlld.exe .
  2⤵
  PID:3708
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\zojzsolfwloxusdqlld.exe*."
    3⤵
    PID:5692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\huheylfqoyahcyhsl.exe .
1⤵
PID:5624
- C:\Users\Admin\AppData\Local\Temp\huheylfqoyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\huheylfqoyahcyhsl.exe .
  2⤵
  PID:4264
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\huheylfqoyahcyhsl.exe*."
    3⤵
    PID:5964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
1⤵
PID:1216
- C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
  2⤵
  PID:2192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsphcazvofkvuuhwtvpgd.exe .
1⤵
PID:5100
- C:\Users\Admin\AppData\Local\Temp\bsphcazvofkvuuhwtvpgd.exe
  C:\Users\Admin\AppData\Local\Temp\bsphcazvofkvuuhwtvpgd.exe .
  2⤵
  PID:3112
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\bsphcazvofkvuuhwtvpgd.exe*."
    3⤵
    PID:5404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\huheylfqoyahcyhsl.exe
1⤵
PID:5552
- C:\Users\Admin\AppData\Local\Temp\huheylfqoyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\huheylfqoyahcyhsl.exe
  2⤵
  PID:5604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dulmkbzoqekvuuhwtvriz.exe .
1⤵
PID:5004
- C:\Users\Admin\AppData\Local\Temp\dulmkbzoqekvuuhwtvriz.exe
  C:\Users\Admin\AppData\Local\Temp\dulmkbzoqekvuuhwtvriz.exe .
  2⤵
  PID:5960
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\dulmkbzoqekvuuhwtvriz.exe*."
    3⤵
    PID:6056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
1⤵
PID:5268
- C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
  2⤵
  PID:5788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe .
1⤵
PID:5868
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5000
- C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe .
  2⤵
  PID:5680
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ykcpfysjxjjpjemw.exe*."
    3⤵
    PID:2720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocwldyundrtbxueqkj.exe
1⤵
PID:5992
- C:\Windows\ocwldyundrtbxueqkj.exe
  ocwldyundrtbxueqkj.exe
  2⤵
  PID:5532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bsphcazvofkvuuhwtvpgd.exe .
1⤵
PID:5172
- C:\Windows\bsphcazvofkvuuhwtvpgd.exe
  bsphcazvofkvuuhwtvpgd.exe .
  2⤵
  PID:5916
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\bsphcazvofkvuuhwtvpgd.exe*."
    3⤵
    PID:1748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ykcpfysjxjjpjemw.exe
1⤵
PID:5384
- C:\Windows\ykcpfysjxjjpjemw.exe
  ykcpfysjxjjpjemw.exe
  2⤵
  PID:4320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ykcpfysjxjjpjemw.exe .
1⤵
PID:3328
- C:\Windows\ykcpfysjxjjpjemw.exe
  ykcpfysjxjjpjemw.exe .
  2⤵
  PID:6112
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ykcpfysjxjjpjemw.exe*."
    3⤵
    PID:5608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe
1⤵
PID:5344
- C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe
  2⤵
  PID:2760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe .
1⤵
PID:4788
- C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe .
  2⤵
  PID:668
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\fslzqkfxmzahcyhsl.exe*."
    3⤵
    PID:1436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
1⤵
PID:2276
- C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
  2⤵
  PID:2936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe .
1⤵
PID:4940
- C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe .
  2⤵
  PID:2484
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\fslzqkfxmzahcyhsl.exe*."
    3⤵
    PID:2756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zojzsolfwloxusdqlld.exe
1⤵
PID:5596
- C:\Windows\zojzsolfwloxusdqlld.exe
  zojzsolfwloxusdqlld.exe
  2⤵
  PID:4052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mcypjgezrhlvtsesopiy.exe .
1⤵
PID:4404
- C:\Windows\mcypjgezrhlvtsesopiy.exe
  mcypjgezrhlvtsesopiy.exe .
  2⤵
  PID:2840
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\mcypjgezrhlvtsesopiy.exe*."
    3⤵
    PID:5300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ykcpfysjxjjpjemw.exe
1⤵
PID:3712
- C:\Windows\ykcpfysjxjjpjemw.exe
  ykcpfysjxjjpjemw.exe
  2⤵
  PID:5468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ykcpfysjxjjpjemw.exe .
1⤵
PID:5840
- C:\Windows\ykcpfysjxjjpjemw.exe
  ykcpfysjxjjpjemw.exe .
  2⤵
  PID:872
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ykcpfysjxjjpjemw.exe*."
    3⤵
    PID:5940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
1⤵
PID:6028
- C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
  2⤵
  PID:636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsphcazvofkvuuhwtvpgd.exe .
1⤵
PID:1608
- C:\Users\Admin\AppData\Local\Temp\bsphcazvofkvuuhwtvpgd.exe
  C:\Users\Admin\AppData\Local\Temp\bsphcazvofkvuuhwtvpgd.exe .
  2⤵
  PID:5460
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\bsphcazvofkvuuhwtvpgd.exe*."
    3⤵
    PID:6016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
1⤵
PID:3404
- C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
  2⤵
  PID:1844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe .
1⤵
PID:5164
- C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe .
  2⤵
  PID:2984
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\mcypjgezrhlvtsesopiy.exe*."
    3⤵
    PID:1532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zojzsolfwloxusdqlld.exe
1⤵
PID:3196
- C:\Windows\zojzsolfwloxusdqlld.exe
  zojzsolfwloxusdqlld.exe
  2⤵
  PID:4160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mcypjgezrhlvtsesopiy.exe .
1⤵
PID:5588
- C:\Windows\mcypjgezrhlvtsesopiy.exe
  mcypjgezrhlvtsesopiy.exe .
  2⤵
  PID:5292
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\mcypjgezrhlvtsesopiy.exe*."
    3⤵
    PID:2940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocwldyundrtbxueqkj.exe
1⤵
PID:1540
- C:\Windows\ocwldyundrtbxueqkj.exe
  ocwldyundrtbxueqkj.exe
  2⤵
  PID:6068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mcypjgezrhlvtsesopiy.exe .
1⤵
PID:2388
- C:\Windows\mcypjgezrhlvtsesopiy.exe
  mcypjgezrhlvtsesopiy.exe .
  2⤵
  PID:5316
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\mcypjgezrhlvtsesopiy.exe*."
    3⤵
    PID:3128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
1⤵
PID:4324
- C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
  2⤵
  PID:5160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe .
1⤵
PID:432
- C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe .
  2⤵
  PID:4152
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\fslzqkfxmzahcyhsl.exe*."
    3⤵
    PID:5032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe
1⤵
PID:3100
- C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe
  C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe
  2⤵
  PID:5744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe .
1⤵
PID:3428
- C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe .
  2⤵
  PID:5344
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ykcpfysjxjjpjemw.exe*."
    3⤵
    PID:936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocwldyundrtbxueqkj.exe
1⤵
PID:5388
- C:\Windows\ocwldyundrtbxueqkj.exe
  ocwldyundrtbxueqkj.exe
  2⤵
  PID:5620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocwldyundrtbxueqkj.exe .
1⤵
PID:5648
- C:\Windows\ocwldyundrtbxueqkj.exe
  ocwldyundrtbxueqkj.exe .
  2⤵
  PID:3020
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ocwldyundrtbxueqkj.exe*."
    3⤵
    PID:5928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fslzqkfxmzahcyhsl.exe
1⤵
PID:3056
- C:\Windows\fslzqkfxmzahcyhsl.exe
  fslzqkfxmzahcyhsl.exe
  2⤵
  PID:1208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fslzqkfxmzahcyhsl.exe .
1⤵
PID:2432
- C:\Windows\fslzqkfxmzahcyhsl.exe
  fslzqkfxmzahcyhsl.exe .
  2⤵
  PID:4812
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\fslzqkfxmzahcyhsl.exe*."
    3⤵
    PID:2968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
1⤵
PID:4940
- C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
  2⤵
  PID:3800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe .
1⤵
PID:5572
- C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe .
  2⤵
  PID:5760
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\mcypjgezrhlvtsesopiy.exe*."
    3⤵
    PID:1448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsphcazvofkvuuhwtvpgd.exe
1⤵
PID:5404
- C:\Users\Admin\AppData\Local\Temp\bsphcazvofkvuuhwtvpgd.exe
  C:\Users\Admin\AppData\Local\Temp\bsphcazvofkvuuhwtvpgd.exe
  2⤵
  PID:5924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe .
1⤵
PID:5684
- C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe .
  2⤵
  PID:1808
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\fslzqkfxmzahcyhsl.exe*."
    3⤵
    PID:5788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocwldyundrtbxueqkj.exe
1⤵
PID:5904
- C:\Windows\ocwldyundrtbxueqkj.exe
  ocwldyundrtbxueqkj.exe
  2⤵
  PID:5840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zojzsolfwloxusdqlld.exe
1⤵
PID:5860
- C:\Windows\zojzsolfwloxusdqlld.exe
  zojzsolfwloxusdqlld.exe
  2⤵
  PID:6016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ykcpfysjxjjpjemw.exe .
1⤵
PID:5304
- C:\Windows\ykcpfysjxjjpjemw.exe
  ykcpfysjxjjpjemw.exe .
  2⤵
  PID:4544
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ykcpfysjxjjpjemw.exe*."
    3⤵
    PID:1588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocwldyundrtbxueqkj.exe
1⤵
PID:5644
- C:\Windows\ocwldyundrtbxueqkj.exe
  ocwldyundrtbxueqkj.exe
  2⤵
  PID:6132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bsphcazvofkvuuhwtvpgd.exe .
1⤵
PID:2340
- C:\Windows\bsphcazvofkvuuhwtvpgd.exe
  bsphcazvofkvuuhwtvpgd.exe .
  2⤵
  PID:5308
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\bsphcazvofkvuuhwtvpgd.exe*."
    3⤵
    PID:3624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocwldyundrtbxueqkj.exe
1⤵
PID:5488
- C:\Windows\ocwldyundrtbxueqkj.exe
  ocwldyundrtbxueqkj.exe
  2⤵
  PID:2184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mcypjgezrhlvtsesopiy.exe .
1⤵
PID:5000
- C:\Windows\mcypjgezrhlvtsesopiy.exe
  mcypjgezrhlvtsesopiy.exe .
  2⤵
  PID:6040
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\mcypjgezrhlvtsesopiy.exe*."
    3⤵
    PID:5576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zojzsolfwloxusdqlld.exe .
1⤵
PID:5732
- C:\Windows\zojzsolfwloxusdqlld.exe
  zojzsolfwloxusdqlld.exe .
  2⤵
  PID:4760
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\zojzsolfwloxusdqlld.exe*."
    3⤵
    PID:2484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zojzsolfwloxusdqlld.exe
1⤵
PID:5108
- C:\Windows\zojzsolfwloxusdqlld.exe
  zojzsolfwloxusdqlld.exe
  2⤵
  PID:2636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe
1⤵
PID:1108
- C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe
  C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe
  2⤵
  PID:5736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mcypjgezrhlvtsesopiy.exe .
1⤵
PID:4160
- C:\Windows\mcypjgezrhlvtsesopiy.exe
  mcypjgezrhlvtsesopiy.exe .
  2⤵
  PID:2784
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\mcypjgezrhlvtsesopiy.exe*."
    3⤵
    PID:5468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe .
1⤵
PID:5800
- C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe .
  2⤵
  PID:5180
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ykcpfysjxjjpjemw.exe*."
    3⤵
    PID:5864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
1⤵
PID:5560
- C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
  2⤵
  PID:668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mcypjgezrhlvtsesopiy.exe
1⤵
PID:3280
- C:\Windows\mcypjgezrhlvtsesopiy.exe
  mcypjgezrhlvtsesopiy.exe
  2⤵
  PID:4984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocwldyundrtbxueqkj.exe .
1⤵
PID:4768
- C:\Windows\ocwldyundrtbxueqkj.exe
  ocwldyundrtbxueqkj.exe .
  2⤵
  PID:4652
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ocwldyundrtbxueqkj.exe*."
    3⤵
    PID:5476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe .
1⤵
PID:2236
- C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe .
  2⤵
  PID:336
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\mcypjgezrhlvtsesopiy.exe*."
    3⤵
    PID:3056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe
1⤵
PID:6108
- C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe
  2⤵
  PID:5256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe
1⤵
PID:4320
- C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe
  2⤵
  PID:5764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe .
1⤵
PID:736
- C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe .
  2⤵
  PID:5748
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\fslzqkfxmzahcyhsl.exe*."
    3⤵
    PID:5556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe .
1⤵
PID:5744
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1228
- C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe .
  2⤵
  PID:5760
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ocwldyundrtbxueqkj.exe*."
    3⤵
    PID:5156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
1⤵
PID:5508
- C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
  2⤵
  PID:5728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe .
1⤵
PID:2016
- C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe
  C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe .
  2⤵
  PID:5956
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\zojzsolfwloxusdqlld.exe*."
    3⤵
    PID:5428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
1⤵
PID:5620
- C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
  2⤵
  PID:5892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe .
1⤵
PID:5416
- C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe .
  2⤵
  PID:5580
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\fslzqkfxmzahcyhsl.exe*."
    3⤵
    PID:5496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bsphcazvofkvuuhwtvpgd.exe
1⤵
PID:5528
- C:\Windows\bsphcazvofkvuuhwtvpgd.exe
  bsphcazvofkvuuhwtvpgd.exe
  2⤵
  PID:5492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bsphcazvofkvuuhwtvpgd.exe .
1⤵
PID:5808
- C:\Windows\bsphcazvofkvuuhwtvpgd.exe
  bsphcazvofkvuuhwtvpgd.exe .
  2⤵
  PID:4808
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\bsphcazvofkvuuhwtvpgd.exe*."
    3⤵
    PID:2184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fslzqkfxmzahcyhsl.exe
1⤵
PID:5940
- C:\Windows\fslzqkfxmzahcyhsl.exe
  fslzqkfxmzahcyhsl.exe
  2⤵
  PID:5284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zojzsolfwloxusdqlld.exe .
1⤵
PID:5772
- C:\Windows\zojzsolfwloxusdqlld.exe
  zojzsolfwloxusdqlld.exe .
  2⤵
  PID:5392
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\zojzsolfwloxusdqlld.exe*."
    3⤵
    PID:4424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe
1⤵
PID:6132
- C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe
  C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe
  2⤵
  PID:2024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe .
1⤵
PID:6068
- C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe
  C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe .
  2⤵
  PID:3416
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\zojzsolfwloxusdqlld.exe*."
    3⤵
    PID:1736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dulmkbzoqekvuuhwtvriz.exe
1⤵
PID:5488
- C:\Windows\dulmkbzoqekvuuhwtvriz.exe
  dulmkbzoqekvuuhwtvriz.exe
  2⤵
  PID:3892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsphcazvofkvuuhwtvpgd.exe
1⤵
PID:6096
- C:\Users\Admin\AppData\Local\Temp\bsphcazvofkvuuhwtvpgd.exe
  C:\Users\Admin\AppData\Local\Temp\bsphcazvofkvuuhwtvpgd.exe
  2⤵
  PID:3148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dulmkbzoqekvuuhwtvriz.exe .
1⤵
PID:972
- C:\Windows\dulmkbzoqekvuuhwtvriz.exe
  dulmkbzoqekvuuhwtvriz.exe .
  2⤵
  PID:5876
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\dulmkbzoqekvuuhwtvriz.exe*."
    3⤵
    PID:6104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe .
1⤵
PID:5612
- C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe .
  2⤵
  PID:1600
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\fslzqkfxmzahcyhsl.exe*."
    3⤵
    PID:4648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oeuurhestglvtsesopka.exe
1⤵
PID:5532
- C:\Windows\oeuurhestglvtsesopka.exe
  oeuurhestglvtsesopka.exe
  2⤵
  PID:1108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bqfeaplyykoxusdqllf.exe .
1⤵
PID:4716
- C:\Windows\bqfeaplyykoxusdqllf.exe
  bqfeaplyykoxusdqllf.exe .
  2⤵
  PID:5160
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\bqfeaplyykoxusdqllf.exe*."
    3⤵
    PID:5368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qesqlzugfqtbxueqkj.exe
1⤵
PID:5992
- C:\Users\Admin\AppData\Local\Temp\qesqlzugfqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\qesqlzugfqtbxueqkj.exe
  2⤵
  PID:1832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oeuurhestglvtsesopka.exe .
1⤵
PID:60
- C:\Users\Admin\AppData\Local\Temp\oeuurhestglvtsesopka.exe
  C:\Users\Admin\AppData\Local\Temp\oeuurhestglvtsesopka.exe .
  2⤵
  PID:3588
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\oeuurhestglvtsesopka.exe*."
    3⤵
    PID:3412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe
1⤵
PID:5640
- C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe
  2⤵
  PID:5260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fslzqkfxmzahcyhsl.exe
1⤵
PID:2388
- C:\Windows\fslzqkfxmzahcyhsl.exe
  fslzqkfxmzahcyhsl.exe
  2⤵
  PID:5896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dulmkbzoqekvuuhwtvriz.exe .
1⤵
PID:2312
- C:\Users\Admin\AppData\Local\Temp\dulmkbzoqekvuuhwtvriz.exe
  C:\Users\Admin\AppData\Local\Temp\dulmkbzoqekvuuhwtvriz.exe .
  2⤵
  PID:5732
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\dulmkbzoqekvuuhwtvriz.exe*."
    3⤵
    PID:3096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ykcpfysjxjjpjemw.exe .
1⤵
PID:5520
- C:\Windows\ykcpfysjxjjpjemw.exe
  ykcpfysjxjjpjemw.exe .
  2⤵
  PID:3100
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ykcpfysjxjjpjemw.exe*."
    3⤵
    PID:3472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mcypjgezrhlvtsesopiy.exe
1⤵
PID:4088
- C:\Windows\mcypjgezrhlvtsesopiy.exe
  mcypjgezrhlvtsesopiy.exe
  2⤵
  PID:5760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fslzqkfxmzahcyhsl.exe .
1⤵
PID:2932
- C:\Windows\fslzqkfxmzahcyhsl.exe
  fslzqkfxmzahcyhsl.exe .
  2⤵
  PID:5152
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\fslzqkfxmzahcyhsl.exe*."
    3⤵
    PID:2396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe
1⤵
PID:2928
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4992
- C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe
  2⤵
  PID:4936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe .
1⤵
PID:5800
- C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe .
  2⤵
  PID:5300
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ykcpfysjxjjpjemw.exe*."
    3⤵
    PID:5796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe
1⤵
PID:2840
- C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe
  2⤵
  PID:2760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe .
1⤵
PID:5692
- C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe
  C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe .
  2⤵
  PID:4248
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\zojzsolfwloxusdqlld.exe*."
    3⤵
    PID:5296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fslzqkfxmzahcyhsl.exe
1⤵
PID:3748
- C:\Windows\fslzqkfxmzahcyhsl.exe
  fslzqkfxmzahcyhsl.exe
  2⤵
  PID:5332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocwldyundrtbxueqkj.exe .
1⤵
PID:6016
- C:\Windows\ocwldyundrtbxueqkj.exe
  ocwldyundrtbxueqkj.exe .
  2⤵
  PID:2408
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ocwldyundrtbxueqkj.exe*."
    3⤵
    PID:5844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bsphcazvofkvuuhwtvpgd.exe
1⤵
PID:2024
- C:\Windows\bsphcazvofkvuuhwtvpgd.exe
  bsphcazvofkvuuhwtvpgd.exe
  2⤵
  PID:2716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zojzsolfwloxusdqlld.exe .
1⤵
PID:5584
- C:\Windows\zojzsolfwloxusdqlld.exe
  zojzsolfwloxusdqlld.exe .
  2⤵
  PID:4316
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\zojzsolfwloxusdqlld.exe*."
    3⤵
    PID:6008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
1⤵
PID:3624
- C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
  2⤵
  PID:2684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe .
1⤵
PID:5500
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2984
- C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe .
  2⤵
  PID:5576
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\mcypjgezrhlvtsesopiy.exe*."
    3⤵
    PID:2340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
1⤵
PID:2816
- C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
  2⤵
  PID:4496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe .
1⤵
PID:3812
- C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe .
  2⤵
  PID:2040
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\mcypjgezrhlvtsesopiy.exe*."
    3⤵
    PID:2996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mcypjgezrhlvtsesopiy.exe
1⤵
PID:5768
- C:\Windows\mcypjgezrhlvtsesopiy.exe
  mcypjgezrhlvtsesopiy.exe
  2⤵
  PID:5264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fslzqkfxmzahcyhsl.exe .
1⤵
PID:5700
- C:\Windows\fslzqkfxmzahcyhsl.exe
  fslzqkfxmzahcyhsl.exe .
  2⤵
  PID:6088
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\fslzqkfxmzahcyhsl.exe*."
    3⤵
    PID:4644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zojzsolfwloxusdqlld.exe
1⤵
PID:4660
- C:\Windows\zojzsolfwloxusdqlld.exe
  zojzsolfwloxusdqlld.exe
  2⤵
  PID:3280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ykcpfysjxjjpjemw.exe .
1⤵
PID:5020
- C:\Windows\ykcpfysjxjjpjemw.exe
  ykcpfysjxjjpjemw.exe .
  2⤵
  PID:5504
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ykcpfysjxjjpjemw.exe*."
    3⤵
    PID:5412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe
1⤵
PID:2432
- C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe
  C:\Users\Admin\AppData\Local\Temp\zojzsolfwloxusdqlld.exe
  2⤵
  PID:2568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe .
1⤵
PID:5588
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1836
- C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcypjgezrhlvtsesopiy.exe .
  2⤵
  PID:3840
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\mcypjgezrhlvtsesopiy.exe*."
    3⤵
    PID:5732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe
1⤵
PID:5432
- C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe
  2⤵
  PID:3100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe .
1⤵
PID:4700
- C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe .
  2⤵
  PID:1208
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ykcpfysjxjjpjemw.exe*."
    3⤵
    PID:4312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mcypjgezrhlvtsesopiy.exe
1⤵
PID:2236
- C:\Windows\mcypjgezrhlvtsesopiy.exe
  mcypjgezrhlvtsesopiy.exe
  2⤵
  PID:5396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mcypjgezrhlvtsesopiy.exe .
1⤵
PID:6072
- C:\Windows\mcypjgezrhlvtsesopiy.exe
  mcypjgezrhlvtsesopiy.exe .
  2⤵
  PID:2976
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\mcypjgezrhlvtsesopiy.exe*."
    3⤵
    PID:2940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zojzsolfwloxusdqlld.exe
1⤵
PID:5564
- C:\Windows\zojzsolfwloxusdqlld.exe
  zojzsolfwloxusdqlld.exe
  2⤵
  PID:5800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bsphcazvofkvuuhwtvpgd.exe .
1⤵
PID:4260
- C:\Windows\bsphcazvofkvuuhwtvpgd.exe
  bsphcazvofkvuuhwtvpgd.exe .
  2⤵
  PID:5536
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\bsphcazvofkvuuhwtvpgd.exe*."
    3⤵
    PID:3340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe
1⤵
PID:3984
- C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ykcpfysjxjjpjemw.exe
  2⤵
  PID:4636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe .
1⤵
PID:5988
- C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\fslzqkfxmzahcyhsl.exe .
  2⤵
  PID:1864
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\fslzqkfxmzahcyhsl.exe*."
    3⤵
    PID:5940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
1⤵
PID:4808
- C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
  2⤵
  PID:2596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe .
1⤵
PID:3748
- C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ocwldyundrtbxueqkj.exe .
  2⤵
  PID:5772
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ocwldyundrtbxueqkj.exe*."
    3⤵
    PID:3892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocwldyundrtbxueqkj.exe
1⤵
PID:5880
- C:\Windows\ocwldyundrtbxueqkj.exe
  ocwldyundrtbxueqkj.exe
  2⤵
  PID:3196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zojzsolfwloxusdqlld.exe .
1⤵
PID:2228
- C:\Windows\zojzsolfwloxusdqlld.exe
  zojzsolfwloxusdqlld.exe .
  2⤵
  PID:3584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocwldyundrtbxueqkj.exe
1⤵
PID:692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Modify Registry