pykspa | 36acac81012402affd71253189dae689addf1efa6d728656430529e006f1e212

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	ontbnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	ontbnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	gncxrwpmqxm.exe

Pykspa
Pykspa is a worm spreads via Skype uses DGA and it's written in C++.
worm pykspa
Pykspa family
pykspa

UAC bypass 3 TTPs 26 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ontbnl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ontbnl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ontbnl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ontbnl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ontbnl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ontbnl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ontbnl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ontbnl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	gncxrwpmqxm.exe

Detect Pykspa worm 2 IoCs

worm

resource	yara_rule
behavioral2/files/0x00050000000227b2-4.dat	family_pykspa
behavioral2/files/0x000a000000024352-82.dat	family_pykspa

Adds policy Run key to start application 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\njm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\obvrrdbxmfrhfjmacikx.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\njm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hribyhcvhxgtoppaz.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ontbnl = "drmjkxwtjdqhglpehorfa.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\njm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bngbalidrjujgjlyzef.exe"	ontbnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ontbnl = "hribyhcvhxgtoppaz.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\njm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\obvrrdbxmfrhfjmacikx.exe"	ontbnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\njm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bngbalidrjujgjlyzef.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\inp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lfwrhvojypznjlmyyc.exe"	gncxrwpmqxm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ontbnl = "qbtnlvrlypznjlmyyc.exe"	ontbnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\njm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qbtnlvrlypznjlmyyc.exe"	gncxrwpmqxm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ontbnl = "obvrrdbxmfrhfjmacikx.exe"	ontbnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ontbnl = "obvrrdbxmfrhfjmacikx.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ontbnl = "drmjkxwtjdqhglpehorfa.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\njm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\drmjkxwtjdqhglpehorfa.exe"	gncxrwpmqxm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ontbnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\njm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bngbalidrjujgjlyzef.exe"	ontbnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jrwfjl = "jfyvndyvmfrhfjmacifb.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ontbnl = "ajzrnvphshpbvvue.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ontbnl = "ajzrnvphshpbvvue.exe"	ontbnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\njm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hribyhcvhxgtoppaz.exe"	ontbnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\njm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\drmjkxwtjdqhglpehorfa.exe"	gncxrwpmqxm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ontbnl = "drmjkxwtjdqhglpehorfa.exe"	ontbnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\njm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qbtnlvrlypznjlmyyc.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ontbnl = "drmjkxwtjdqhglpehorfa.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\njm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\obvrrdbxmfrhfjmacikx.exe"	ontbnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ontbnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\njm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bngbalidrjujgjlyzef.exe"	gncxrwpmqxm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ontbnl = "ajzrnvphshpbvvue.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ontbnl = "obvrrdbxmfrhfjmacikx.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\njm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hribyhcvhxgtoppaz.exe"	gncxrwpmqxm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\njm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\drmjkxwtjdqhglpehorfa.exe"	gncxrwpmqxm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jrwfjl = "lfwrhvojypznjlmyyc.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ontbnl = "hribyhcvhxgtoppaz.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\njm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bngbalidrjujgjlyzef.exe"	gncxrwpmqxm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ontbnl = "qbtnlvrlypznjlmyyc.exe"	ontbnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ontbnl = "obvrrdbxmfrhfjmacikx.exe"	gncxrwpmqxm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	gncxrwpmqxm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\njm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\drmjkxwtjdqhglpehorfa.exe"	ontbnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ontbnl = "obvrrdbxmfrhfjmacikx.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ontbnl = "drmjkxwtjdqhglpehorfa.exe"	ontbnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\inp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wrjfwlfbrjujgjlyzea.exe"	gncxrwpmqxm.exe

Disables RegEdit via registry modification 8 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ontbnl.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ontbnl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ontbnl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ontbnl.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	gncxrwpmqxm.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	qbtnlvrlypznjlmyyc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	ajzrnvphshpbvvue.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	ajzrnvphshpbvvue.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	qbtnlvrlypznjlmyyc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	drmjkxwtjdqhglpehorfa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	obvrrdbxmfrhfjmacikx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	bngbalidrjujgjlyzef.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	obvrrdbxmfrhfjmacikx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	bngbalidrjujgjlyzef.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	hribyhcvhxgtoppaz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	ajzrnvphshpbvvue.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	bngbalidrjujgjlyzef.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	obvrrdbxmfrhfjmacikx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	drmjkxwtjdqhglpehorfa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	ajzrnvphshpbvvue.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	obvrrdbxmfrhfjmacikx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	bngbalidrjujgjlyzef.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	drmjkxwtjdqhglpehorfa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	bngbalidrjujgjlyzef.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	hribyhcvhxgtoppaz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	ajzrnvphshpbvvue.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	hribyhcvhxgtoppaz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	qbtnlvrlypznjlmyyc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	qbtnlvrlypznjlmyyc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	obvrrdbxmfrhfjmacikx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	hribyhcvhxgtoppaz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	ajzrnvphshpbvvue.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	qbtnlvrlypznjlmyyc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	obvrrdbxmfrhfjmacikx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	bngbalidrjujgjlyzef.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	bngbalidrjujgjlyzef.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	drmjkxwtjdqhglpehorfa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	hribyhcvhxgtoppaz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	gncxrwpmqxm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	drmjkxwtjdqhglpehorfa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	ajzrnvphshpbvvue.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	qbtnlvrlypznjlmyyc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	JaffaCakes118_8f591a7464d087c6206b4b6c7edf94c2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	hribyhcvhxgtoppaz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	drmjkxwtjdqhglpehorfa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	qbtnlvrlypznjlmyyc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	bngbalidrjujgjlyzef.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	hribyhcvhxgtoppaz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	qbtnlvrlypznjlmyyc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	gncxrwpmqxm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	hribyhcvhxgtoppaz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	qbtnlvrlypznjlmyyc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	drmjkxwtjdqhglpehorfa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	obvrrdbxmfrhfjmacikx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	drmjkxwtjdqhglpehorfa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	bngbalidrjujgjlyzef.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	obvrrdbxmfrhfjmacikx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	bngbalidrjujgjlyzef.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	ajzrnvphshpbvvue.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	bngbalidrjujgjlyzef.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	drmjkxwtjdqhglpehorfa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	qbtnlvrlypznjlmyyc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	drmjkxwtjdqhglpehorfa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	bngbalidrjujgjlyzef.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	drmjkxwtjdqhglpehorfa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	hribyhcvhxgtoppaz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	bngbalidrjujgjlyzef.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	qbtnlvrlypznjlmyyc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	bngbalidrjujgjlyzef.exe

Executes dropped EXE 64 IoCs

pid	Process
4716	gncxrwpmqxm.exe
1728	obvrrdbxmfrhfjmacikx.exe
5084	bngbalidrjujgjlyzef.exe
5028	gncxrwpmqxm.exe
1412	drmjkxwtjdqhglpehorfa.exe
3500	bngbalidrjujgjlyzef.exe
752	ajzrnvphshpbvvue.exe
1952	gncxrwpmqxm.exe
3184	bngbalidrjujgjlyzef.exe
1716	gncxrwpmqxm.exe
1300	hribyhcvhxgtoppaz.exe
5216	bngbalidrjujgjlyzef.exe
6140	gncxrwpmqxm.exe
4908	ontbnl.exe
5164	ontbnl.exe
808	bngbalidrjujgjlyzef.exe
5252	bngbalidrjujgjlyzef.exe
4276	hribyhcvhxgtoppaz.exe
2924	qbtnlvrlypznjlmyyc.exe
5276	gncxrwpmqxm.exe
3728	gncxrwpmqxm.exe
1756	qbtnlvrlypznjlmyyc.exe
4848	drmjkxwtjdqhglpehorfa.exe
4872	obvrrdbxmfrhfjmacikx.exe
5920	ajzrnvphshpbvvue.exe
4768	ajzrnvphshpbvvue.exe
3556	hribyhcvhxgtoppaz.exe
3540	obvrrdbxmfrhfjmacikx.exe
3724	gncxrwpmqxm.exe
3488	obvrrdbxmfrhfjmacikx.exe
2128	gncxrwpmqxm.exe
1416	gncxrwpmqxm.exe
976	qbtnlvrlypznjlmyyc.exe
932	obvrrdbxmfrhfjmacikx.exe
1156	qbtnlvrlypznjlmyyc.exe
3348	gncxrwpmqxm.exe
1076	qbtnlvrlypznjlmyyc.exe
1232	gncxrwpmqxm.exe
464	gncxrwpmqxm.exe
3792	obvrrdbxmfrhfjmacikx.exe
1980	hribyhcvhxgtoppaz.exe
604	gncxrwpmqxm.exe
3304	qbtnlvrlypznjlmyyc.exe
1060	drmjkxwtjdqhglpehorfa.exe
4492	drmjkxwtjdqhglpehorfa.exe
3468	gncxrwpmqxm.exe
2828	bngbalidrjujgjlyzef.exe
4552	gncxrwpmqxm.exe
4748	qbtnlvrlypznjlmyyc.exe
1452	drmjkxwtjdqhglpehorfa.exe
2444	gncxrwpmqxm.exe
5664	qbtnlvrlypznjlmyyc.exe
3460	obvrrdbxmfrhfjmacikx.exe
1996	ajzrnvphshpbvvue.exe
1440	obvrrdbxmfrhfjmacikx.exe
4952	drmjkxwtjdqhglpehorfa.exe
1300	gncxrwpmqxm.exe
1000	hribyhcvhxgtoppaz.exe
1568	gncxrwpmqxm.exe
1356	bngbalidrjujgjlyzef.exe
1672	qbtnlvrlypznjlmyyc.exe
5768	gncxrwpmqxm.exe
6068	qbtnlvrlypznjlmyyc.exe
2304	ajzrnvphshpbvvue.exe

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	ontbnl.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	ontbnl.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	ontbnl.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	ontbnl.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	ontbnl.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	ontbnl.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

defense_evasion persistence privilege_escalation

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bbiredo = "drmjkxwtjdqhglpehorfa.exe"	ontbnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hjsdstgrv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\obvrrdbxmfrhfjmacikx.exe ."	ontbnl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bbiredo = "hribyhcvhxgtoppaz.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\urvb = "obvrrdbxmfrhfjmacikx.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hjsdstgrv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qbtnlvrlypznjlmyyc.exe ."	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qrzjxxjt = "qbtnlvrlypznjlmyyc.exe ."	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dbgny = "qbtnlvrlypznjlmyyc.exe ."	ontbnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hjsdstgrv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bngbalidrjujgjlyzef.exe ."	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qrzjxxjt = "bngbalidrjujgjlyzef.exe ."	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dbgny = "bngbalidrjujgjlyzef.exe ."	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\urvb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hribyhcvhxgtoppaz.exe"	ontbnl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dbgny = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qbtnlvrlypznjlmyyc.exe ."	ontbnl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\urvb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qbtnlvrlypznjlmyyc.exe"	ontbnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\urvb = "qbtnlvrlypznjlmyyc.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\adnzprfrwf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hribyhcvhxgtoppaz.exe"	ontbnl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dbgny = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hribyhcvhxgtoppaz.exe ."	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\adnzprfrwf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\drmjkxwtjdqhglpehorfa.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pvyf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wrjfwlfbrjujgjlyzea.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bbiredo = "ajzrnvphshpbvvue.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dbgny = "hribyhcvhxgtoppaz.exe ."	ontbnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cnvhotdpv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wrjfwlfbrjujgjlyzea.exe ."	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\urvb = "obvrrdbxmfrhfjmacikx.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bbiredo = "hribyhcvhxgtoppaz.exe"	ontbnl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dbgny = "C:\\Users\\Admin\\AppData\\Local\\Temp\\obvrrdbxmfrhfjmacikx.exe ."	ontbnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\urvb = "obvrrdbxmfrhfjmacikx.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\adnzprfrwf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\drmjkxwtjdqhglpehorfa.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hjsdstgrv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ajzrnvphshpbvvue.exe ."	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bbiredo = "obvrrdbxmfrhfjmacikx.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dbgny = "C:\\Users\\Admin\\AppData\\Local\\Temp\\drmjkxwtjdqhglpehorfa.exe ."	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qrzjxxjt = "qbtnlvrlypznjlmyyc.exe ."	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\adnzprfrwf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\drmjkxwtjdqhglpehorfa.exe"	ontbnl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\urvb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bngbalidrjujgjlyzef.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dbgny = "bngbalidrjujgjlyzef.exe ."	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pvyf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vncvjvmfshpbvvue.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\urvb = "obvrrdbxmfrhfjmacikx.exe"	ontbnl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\urvb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qbtnlvrlypznjlmyyc.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qrzjxxjt = "bngbalidrjujgjlyzef.exe ."	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bbiredo = "hribyhcvhxgtoppaz.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dbgny = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bngbalidrjujgjlyzef.exe ."	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bbiredo = "qbtnlvrlypznjlmyyc.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bbiredo = "ajzrnvphshpbvvue.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\adnzprfrwf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\drmjkxwtjdqhglpehorfa.exe"	ontbnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\urvb = "hribyhcvhxgtoppaz.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qrzjxxjt = "obvrrdbxmfrhfjmacikx.exe ."	ontbnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\adnzprfrwf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ajzrnvphshpbvvue.exe"	ontbnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vhqdlrcpwf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jfyvndyvmfrhfjmacifb.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\adnzprfrwf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qbtnlvrlypznjlmyyc.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hjsdstgrv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qbtnlvrlypznjlmyyc.exe ."	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\adnzprfrwf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ajzrnvphshpbvvue.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dbgny = "bngbalidrjujgjlyzef.exe ."	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\yfjru = "wrjfwlfbrjujgjlyzea.exe ."	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lvcntxgr = "jfyvndyvmfrhfjmacifb.exe ."	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dbgny = "hribyhcvhxgtoppaz.exe ."	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hjsdstgrv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ajzrnvphshpbvvue.exe ."	ontbnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hjsdstgrv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bngbalidrjujgjlyzef.exe ."	ontbnl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\urvb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bngbalidrjujgjlyzef.exe"	ontbnl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bbiredo = "hribyhcvhxgtoppaz.exe"	ontbnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hjsdstgrv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\drmjkxwtjdqhglpehorfa.exe ."	ontbnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dbgny = "hribyhcvhxgtoppaz.exe ."	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qrzjxxjt = "hribyhcvhxgtoppaz.exe ."	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\urvb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qbtnlvrlypznjlmyyc.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dbgny = "drmjkxwtjdqhglpehorfa.exe ."	ontbnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\urvb = "bngbalidrjujgjlyzef.exe"	ontbnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\urvb = "qbtnlvrlypznjlmyyc.exe"	gncxrwpmqxm.exe

Checks whether UAC is enabled 1 TTPs 28 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	gncxrwpmqxm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	gncxrwpmqxm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	gncxrwpmqxm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ontbnl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	gncxrwpmqxm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ontbnl.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ontbnl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ontbnl.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	gncxrwpmqxm.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 4 IoCs

Possible Turn off User Account Control's privilege elevation for standard users.

Executable Installer File Permissions Weakness

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	ontbnl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	ontbnl.exe

Looks up external IP address via web service 7 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
39	whatismyip.everdot.org
46	www.showmyipaddress.com
50	www.whatismyip.ca
53	whatismyip.everdot.org
29	whatismyip.everdot.org
31	www.whatismyip.ca
32	whatismyipaddress.com

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drmjkxwtjdqhglpehorfa.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\ajzrnvphshpbvvue.exe	ontbnl.exe
File opened for modification	C:\Windows\SysWOW64\ajzrnvphshpbvvue.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\ujfdfttridrjjpukowaplj.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\bngbalidrjujgjlyzef.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\drmjkxwtjdqhglpehorfa.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\hribyhcvhxgtoppaz.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\ujfdfttridrjjpukowaplj.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\ujfdfttridrjjpukowaplj.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\hribyhcvhxgtoppaz.exe	ontbnl.exe
File opened for modification	C:\Windows\SysWOW64\hribyhcvhxgtoppaz.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\ujfdfttridrjjpukowaplj.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\ajzrnvphshpbvvue.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\obvrrdbxmfrhfjmacikx.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\ajzrnvphshpbvvue.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\bngbalidrjujgjlyzef.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\qbtnlvrlypznjlmyyc.exe	ontbnl.exe
File opened for modification	C:\Windows\SysWOW64\bngbalidrjujgjlyzef.exe	ontbnl.exe
File opened for modification	C:\Windows\SysWOW64\qbtnlvrlypznjlmyyc.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\ujfdfttridrjjpukowaplj.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\ajzrnvphshpbvvue.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\hribyhcvhxgtoppaz.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\bngbalidrjujgjlyzef.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\qbtnlvrlypznjlmyyc.exe	ontbnl.exe
File opened for modification	C:\Windows\SysWOW64\qbtnlvrlypznjlmyyc.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\bngbalidrjujgjlyzef.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\ajzrnvphshpbvvue.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\bngbalidrjujgjlyzef.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\hribyhcvhxgtoppaz.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\qbtnlvrlypznjlmyyc.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\drmjkxwtjdqhglpehorfa.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\drmjkxwtjdqhglpehorfa.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\hribyhcvhxgtoppaz.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\obvrrdbxmfrhfjmacikx.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\ujfdfttridrjjpukowaplj.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\obvrrdbxmfrhfjmacikx.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\bngbalidrjujgjlyzef.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\ujfdfttridrjjpukowaplj.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\hribyhcvhxgtoppaz.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\bngbalidrjujgjlyzef.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\qbtnlvrlypznjlmyyc.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\hribyhcvhxgtoppaz.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\ujfdfttridrjjpukowaplj.exe	ontbnl.exe
File created	C:\Windows\SysWOW64\ajzrnvphshpbvvuececlbtpxrjujrdxxwgegen.vrz	ontbnl.exe
File opened for modification	C:\Windows\SysWOW64\obvrrdbxmfrhfjmacikx.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\hribyhcvhxgtoppaz.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\obvrrdbxmfrhfjmacikx.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\obvrrdbxmfrhfjmacikx.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\bngbalidrjujgjlyzef.exe	ontbnl.exe
File opened for modification	C:\Windows\SysWOW64\ajzrnvphshpbvvue.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\ajzrnvphshpbvvue.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\drmjkxwtjdqhglpehorfa.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\drmjkxwtjdqhglpehorfa.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\qbtnlvrlypznjlmyyc.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\qbtnlvrlypznjlmyyc.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\drmjkxwtjdqhglpehorfa.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\qbtnlvrlypznjlmyyc.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\drmjkxwtjdqhglpehorfa.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\drmjkxwtjdqhglpehorfa.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\ajzrnvphshpbvvue.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\ajzrnvphshpbvvue.exe	ontbnl.exe
File opened for modification	C:\Windows\SysWOW64\ujfdfttridrjjpukowaplj.exe	ontbnl.exe
File opened for modification	C:\Windows\SysWOW64\dbgnyvellpmnwlzylcpnszkhqxx.yzi	ontbnl.exe
File opened for modification	C:\Windows\SysWOW64\bngbalidrjujgjlyzef.exe	gncxrwpmqxm.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\dbgnyvellpmnwlzylcpnszkhqxx.yzi	ontbnl.exe
File opened for modification	C:\Program Files (x86)\ajzrnvphshpbvvuececlbtpxrjujrdxxwgegen.vrz	ontbnl.exe
File created	C:\Program Files (x86)\ajzrnvphshpbvvuececlbtpxrjujrdxxwgegen.vrz	ontbnl.exe
File opened for modification	C:\Program Files (x86)\dbgnyvellpmnwlzylcpnszkhqxx.yzi	ontbnl.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\drmjkxwtjdqhglpehorfa.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\drmjkxwtjdqhglpehorfa.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\bngbalidrjujgjlyzef.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\drmjkxwtjdqhglpehorfa.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\bngbalidrjujgjlyzef.exe	ontbnl.exe
File opened for modification	C:\Windows\drmjkxwtjdqhglpehorfa.exe	ontbnl.exe
File created	C:\Windows\dbgnyvellpmnwlzylcpnszkhqxx.yzi	ontbnl.exe
File opened for modification	C:\Windows\hribyhcvhxgtoppaz.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\bngbalidrjujgjlyzef.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\obvrrdbxmfrhfjmacikx.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\ajzrnvphshpbvvue.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\hribyhcvhxgtoppaz.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\bngbalidrjujgjlyzef.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\hribyhcvhxgtoppaz.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\qbtnlvrlypznjlmyyc.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\obvrrdbxmfrhfjmacikx.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\hribyhcvhxgtoppaz.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\obvrrdbxmfrhfjmacikx.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\ajzrnvphshpbvvue.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\hribyhcvhxgtoppaz.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\qbtnlvrlypznjlmyyc.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\hribyhcvhxgtoppaz.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\bngbalidrjujgjlyzef.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\qbtnlvrlypznjlmyyc.exe	ontbnl.exe
File opened for modification	C:\Windows\drmjkxwtjdqhglpehorfa.exe	ontbnl.exe
File opened for modification	C:\Windows\ajzrnvphshpbvvuececlbtpxrjujrdxxwgegen.vrz	ontbnl.exe
File opened for modification	C:\Windows\qbtnlvrlypznjlmyyc.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\ajzrnvphshpbvvue.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\hribyhcvhxgtoppaz.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\drmjkxwtjdqhglpehorfa.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\obvrrdbxmfrhfjmacikx.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\hribyhcvhxgtoppaz.exe	ontbnl.exe
File opened for modification	C:\Windows\ajzrnvphshpbvvue.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\obvrrdbxmfrhfjmacikx.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\hribyhcvhxgtoppaz.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\ajzrnvphshpbvvue.exe	ontbnl.exe
File opened for modification	C:\Windows\qbtnlvrlypznjlmyyc.exe	ontbnl.exe
File opened for modification	C:\Windows\obvrrdbxmfrhfjmacikx.exe	ontbnl.exe
File opened for modification	C:\Windows\drmjkxwtjdqhglpehorfa.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\qbtnlvrlypznjlmyyc.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\qbtnlvrlypznjlmyyc.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\ajzrnvphshpbvvue.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\ujfdfttridrjjpukowaplj.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\ujfdfttridrjjpukowaplj.exe	ontbnl.exe
File opened for modification	C:\Windows\bngbalidrjujgjlyzef.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\qbtnlvrlypznjlmyyc.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\bngbalidrjujgjlyzef.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\drmjkxwtjdqhglpehorfa.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\bngbalidrjujgjlyzef.exe	ontbnl.exe
File opened for modification	C:\Windows\bngbalidrjujgjlyzef.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\hribyhcvhxgtoppaz.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\obvrrdbxmfrhfjmacikx.exe	ontbnl.exe
File opened for modification	C:\Windows\bngbalidrjujgjlyzef.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\obvrrdbxmfrhfjmacikx.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\hribyhcvhxgtoppaz.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\bngbalidrjujgjlyzef.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\ajzrnvphshpbvvue.exe	ontbnl.exe
File opened for modification	C:\Windows\qbtnlvrlypznjlmyyc.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\obvrrdbxmfrhfjmacikx.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\ujfdfttridrjjpukowaplj.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\ajzrnvphshpbvvue.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\ajzrnvphshpbvvue.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\ujfdfttridrjjpukowaplj.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\ajzrnvphshpbvvue.exe	gncxrwpmqxm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	obvrrdbxmfrhfjmacikx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ajzrnvphshpbvvue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jfyvndyvmfrhfjmacifb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bngbalidrjujgjlyzef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hribyhcvhxgtoppaz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	drmjkxwtjdqhglpehorfa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hribyhcvhxgtoppaz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gncxrwpmqxm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bngbalidrjujgjlyzef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wrjfwlfbrjujgjlyzea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bngbalidrjujgjlyzef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gncxrwpmqxm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	drmjkxwtjdqhglpehorfa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ontbnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qbtnlvrlypznjlmyyc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bngbalidrjujgjlyzef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vncvjvmfshpbvvue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hribyhcvhxgtoppaz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	obvrrdbxmfrhfjmacikx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	drmjkxwtjdqhglpehorfa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bngbalidrjujgjlyzef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	obvrrdbxmfrhfjmacikx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qbtnlvrlypznjlmyyc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ajzrnvphshpbvvue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bngbalidrjujgjlyzef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wrjfwlfbrjujgjlyzea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yvpngxtrjdqhglpehomjd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vncvjvmfshpbvvue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lfwrhvojypznjlmyyc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	drmjkxwtjdqhglpehorfa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hribyhcvhxgtoppaz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	obvrrdbxmfrhfjmacikx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	drmjkxwtjdqhglpehorfa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	drmjkxwtjdqhglpehorfa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	drmjkxwtjdqhglpehorfa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ajzrnvphshpbvvue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	obvrrdbxmfrhfjmacikx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bngbalidrjujgjlyzef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hribyhcvhxgtoppaz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vncvjvmfshpbvvue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wrjfwlfbrjujgjlyzea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qbtnlvrlypznjlmyyc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qbtnlvrlypznjlmyyc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ajzrnvphshpbvvue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jfyvndyvmfrhfjmacifb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jrwfjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvlfuhzthxgtoppaz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	obvrrdbxmfrhfjmacikx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qbtnlvrlypznjlmyyc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ajzrnvphshpbvvue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qbtnlvrlypznjlmyyc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	drmjkxwtjdqhglpehorfa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jfyvndyvmfrhfjmacifb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	drmjkxwtjdqhglpehorfa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	obvrrdbxmfrhfjmacikx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hribyhcvhxgtoppaz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bngbalidrjujgjlyzef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bngbalidrjujgjlyzef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qbtnlvrlypznjlmyyc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ajzrnvphshpbvvue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yvpngxtrjdqhglpehomjd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	drmjkxwtjdqhglpehorfa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bngbalidrjujgjlyzef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qbtnlvrlypznjlmyyc.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
3004	JaffaCakes118_8f591a7464d087c6206b4b6c7edf94c2.exe
3004	JaffaCakes118_8f591a7464d087c6206b4b6c7edf94c2.exe
3004	JaffaCakes118_8f591a7464d087c6206b4b6c7edf94c2.exe
3004	JaffaCakes118_8f591a7464d087c6206b4b6c7edf94c2.exe
3004	JaffaCakes118_8f591a7464d087c6206b4b6c7edf94c2.exe
3004	JaffaCakes118_8f591a7464d087c6206b4b6c7edf94c2.exe
3004	JaffaCakes118_8f591a7464d087c6206b4b6c7edf94c2.exe
3004	JaffaCakes118_8f591a7464d087c6206b4b6c7edf94c2.exe
3004	JaffaCakes118_8f591a7464d087c6206b4b6c7edf94c2.exe
3004	JaffaCakes118_8f591a7464d087c6206b4b6c7edf94c2.exe
3004	JaffaCakes118_8f591a7464d087c6206b4b6c7edf94c2.exe
3004	JaffaCakes118_8f591a7464d087c6206b4b6c7edf94c2.exe
3004	JaffaCakes118_8f591a7464d087c6206b4b6c7edf94c2.exe
3004	JaffaCakes118_8f591a7464d087c6206b4b6c7edf94c2.exe
3004	JaffaCakes118_8f591a7464d087c6206b4b6c7edf94c2.exe
3004	JaffaCakes118_8f591a7464d087c6206b4b6c7edf94c2.exe
4908	ontbnl.exe
4908	ontbnl.exe
3004	JaffaCakes118_8f591a7464d087c6206b4b6c7edf94c2.exe
3004	JaffaCakes118_8f591a7464d087c6206b4b6c7edf94c2.exe
3004	JaffaCakes118_8f591a7464d087c6206b4b6c7edf94c2.exe
3004	JaffaCakes118_8f591a7464d087c6206b4b6c7edf94c2.exe
3004	JaffaCakes118_8f591a7464d087c6206b4b6c7edf94c2.exe
3004	JaffaCakes118_8f591a7464d087c6206b4b6c7edf94c2.exe
3004	JaffaCakes118_8f591a7464d087c6206b4b6c7edf94c2.exe
3004	JaffaCakes118_8f591a7464d087c6206b4b6c7edf94c2.exe
3004	JaffaCakes118_8f591a7464d087c6206b4b6c7edf94c2.exe
3004	JaffaCakes118_8f591a7464d087c6206b4b6c7edf94c2.exe
3004	JaffaCakes118_8f591a7464d087c6206b4b6c7edf94c2.exe
3004	JaffaCakes118_8f591a7464d087c6206b4b6c7edf94c2.exe
3004	JaffaCakes118_8f591a7464d087c6206b4b6c7edf94c2.exe
3004	JaffaCakes118_8f591a7464d087c6206b4b6c7edf94c2.exe
3004	JaffaCakes118_8f591a7464d087c6206b4b6c7edf94c2.exe
3004	JaffaCakes118_8f591a7464d087c6206b4b6c7edf94c2.exe
3004	JaffaCakes118_8f591a7464d087c6206b4b6c7edf94c2.exe
3004	JaffaCakes118_8f591a7464d087c6206b4b6c7edf94c2.exe
3004	JaffaCakes118_8f591a7464d087c6206b4b6c7edf94c2.exe
3004	JaffaCakes118_8f591a7464d087c6206b4b6c7edf94c2.exe
3004	JaffaCakes118_8f591a7464d087c6206b4b6c7edf94c2.exe
3004	JaffaCakes118_8f591a7464d087c6206b4b6c7edf94c2.exe
3004	JaffaCakes118_8f591a7464d087c6206b4b6c7edf94c2.exe
3004	JaffaCakes118_8f591a7464d087c6206b4b6c7edf94c2.exe
3004	JaffaCakes118_8f591a7464d087c6206b4b6c7edf94c2.exe
3004	JaffaCakes118_8f591a7464d087c6206b4b6c7edf94c2.exe
3004	JaffaCakes118_8f591a7464d087c6206b4b6c7edf94c2.exe
3004	JaffaCakes118_8f591a7464d087c6206b4b6c7edf94c2.exe
3004	JaffaCakes118_8f591a7464d087c6206b4b6c7edf94c2.exe
3004	JaffaCakes118_8f591a7464d087c6206b4b6c7edf94c2.exe
3004	JaffaCakes118_8f591a7464d087c6206b4b6c7edf94c2.exe
3004	JaffaCakes118_8f591a7464d087c6206b4b6c7edf94c2.exe
3004	JaffaCakes118_8f591a7464d087c6206b4b6c7edf94c2.exe
3004	JaffaCakes118_8f591a7464d087c6206b4b6c7edf94c2.exe
3004	JaffaCakes118_8f591a7464d087c6206b4b6c7edf94c2.exe
3004	JaffaCakes118_8f591a7464d087c6206b4b6c7edf94c2.exe
3004	JaffaCakes118_8f591a7464d087c6206b4b6c7edf94c2.exe
3004	JaffaCakes118_8f591a7464d087c6206b4b6c7edf94c2.exe
3004	JaffaCakes118_8f591a7464d087c6206b4b6c7edf94c2.exe
3004	JaffaCakes118_8f591a7464d087c6206b4b6c7edf94c2.exe
4908	ontbnl.exe
4908	ontbnl.exe
3004	JaffaCakes118_8f591a7464d087c6206b4b6c7edf94c2.exe
3004	JaffaCakes118_8f591a7464d087c6206b4b6c7edf94c2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4908	ontbnl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 4716	3004	JaffaCakes118_8f591a7464d087c6206b4b6c7edf94c2.exe	89
PID 3004 wrote to memory of 4716	3004	JaffaCakes118_8f591a7464d087c6206b4b6c7edf94c2.exe	89
PID 3004 wrote to memory of 4716	3004	JaffaCakes118_8f591a7464d087c6206b4b6c7edf94c2.exe	89
PID 6124 wrote to memory of 1728	6124	cmd.exe	92
PID 6124 wrote to memory of 1728	6124	cmd.exe	92
PID 6124 wrote to memory of 1728	6124	cmd.exe	92
PID 3244 wrote to memory of 5084	3244	cmd.exe	95
PID 3244 wrote to memory of 5084	3244	cmd.exe	95
PID 3244 wrote to memory of 5084	3244	cmd.exe	95
PID 5084 wrote to memory of 5028	5084	bngbalidrjujgjlyzef.exe	98
PID 5084 wrote to memory of 5028	5084	bngbalidrjujgjlyzef.exe	98
PID 5084 wrote to memory of 5028	5084	bngbalidrjujgjlyzef.exe	98
PID 3488 wrote to memory of 1412	3488	cmd.exe	101
PID 3488 wrote to memory of 1412	3488	cmd.exe	101
PID 3488 wrote to memory of 1412	3488	cmd.exe	101
PID 5116 wrote to memory of 3500	5116	cmd.exe	104
PID 5116 wrote to memory of 3500	5116	cmd.exe	104
PID 5116 wrote to memory of 3500	5116	cmd.exe	104
PID 6136 wrote to memory of 752	6136	cmd.exe	107
PID 6136 wrote to memory of 752	6136	cmd.exe	107
PID 6136 wrote to memory of 752	6136	cmd.exe	107
PID 3500 wrote to memory of 1952	3500	bngbalidrjujgjlyzef.exe	108
PID 3500 wrote to memory of 1952	3500	bngbalidrjujgjlyzef.exe	108
PID 3500 wrote to memory of 1952	3500	bngbalidrjujgjlyzef.exe	108
PID 2384 wrote to memory of 3184	2384	cmd.exe	109
PID 2384 wrote to memory of 3184	2384	cmd.exe	109
PID 2384 wrote to memory of 3184	2384	cmd.exe	109
PID 3184 wrote to memory of 1716	3184	bngbalidrjujgjlyzef.exe	114
PID 3184 wrote to memory of 1716	3184	bngbalidrjujgjlyzef.exe	114
PID 3184 wrote to memory of 1716	3184	bngbalidrjujgjlyzef.exe	114
PID 3448 wrote to memory of 1300	3448	cmd.exe	117
PID 3448 wrote to memory of 1300	3448	cmd.exe	117
PID 3448 wrote to memory of 1300	3448	cmd.exe	117
PID 1508 wrote to memory of 5216	1508	cmd.exe	118
PID 1508 wrote to memory of 5216	1508	cmd.exe	118
PID 1508 wrote to memory of 5216	1508	cmd.exe	118
PID 5216 wrote to memory of 6140	5216	bngbalidrjujgjlyzef.exe	119
PID 5216 wrote to memory of 6140	5216	bngbalidrjujgjlyzef.exe	119
PID 5216 wrote to memory of 6140	5216	bngbalidrjujgjlyzef.exe	119
PID 4716 wrote to memory of 4908	4716	gncxrwpmqxm.exe	121
PID 4716 wrote to memory of 4908	4716	gncxrwpmqxm.exe	121
PID 4716 wrote to memory of 4908	4716	gncxrwpmqxm.exe	121
PID 4716 wrote to memory of 5164	4716	gncxrwpmqxm.exe	122
PID 4716 wrote to memory of 5164	4716	gncxrwpmqxm.exe	122
PID 4716 wrote to memory of 5164	4716	gncxrwpmqxm.exe	122
PID 4884 wrote to memory of 808	4884	cmd.exe	128
PID 4884 wrote to memory of 808	4884	cmd.exe	128
PID 4884 wrote to memory of 808	4884	cmd.exe	128
PID 4304 wrote to memory of 5252	4304	cmd.exe	129
PID 4304 wrote to memory of 5252	4304	cmd.exe	129
PID 4304 wrote to memory of 5252	4304	cmd.exe	129
PID 5708 wrote to memory of 4276	5708	cmd.exe	134
PID 5708 wrote to memory of 4276	5708	cmd.exe	134
PID 5708 wrote to memory of 4276	5708	cmd.exe	134
PID 5592 wrote to memory of 2924	5592	cmd.exe	135
PID 5592 wrote to memory of 2924	5592	cmd.exe	135
PID 5592 wrote to memory of 2924	5592	cmd.exe	135
PID 2924 wrote to memory of 5276	2924	qbtnlvrlypznjlmyyc.exe	140
PID 2924 wrote to memory of 5276	2924	qbtnlvrlypznjlmyyc.exe	140
PID 2924 wrote to memory of 5276	2924	qbtnlvrlypznjlmyyc.exe	140
PID 4276 wrote to memory of 3728	4276	hribyhcvhxgtoppaz.exe	144
PID 4276 wrote to memory of 3728	4276	hribyhcvhxgtoppaz.exe	144
PID 4276 wrote to memory of 3728	4276	hribyhcvhxgtoppaz.exe	144
PID 5972 wrote to memory of 1756	5972	cmd.exe	149

System policy modification 1 TTPs 64 IoCs

defense_evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ontbnl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	ontbnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	gncxrwpmqxm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ontbnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	ontbnl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	ontbnl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ontbnl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	gncxrwpmqxm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	gncxrwpmqxm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	gncxrwpmqxm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ontbnl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ontbnl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ontbnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	gncxrwpmqxm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ontbnl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ontbnl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ontbnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	ontbnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	gncxrwpmqxm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	ontbnl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	gncxrwpmqxm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	gncxrwpmqxm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	gncxrwpmqxm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ontbnl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	ontbnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	gncxrwpmqxm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	ontbnl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	ontbnl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	ontbnl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	ontbnl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	ontbnl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ontbnl.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8f591a7464d087c6206b4b6c7edf94c2.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8f591a7464d087c6206b4b6c7edf94c2.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
  "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_8f591a7464d087c6206b4b6c7edf94c2.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4716
- - C:\Users\Admin\AppData\Local\Temp\ontbnl.exe
    "C:\Users\Admin\AppData\Local\Temp\ontbnl.exe" "-C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:4908
- - C:\Users\Admin\AppData\Local\Temp\ontbnl.exe
    "C:\Users\Admin\AppData\Local\Temp\ontbnl.exe" "-C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c obvrrdbxmfrhfjmacikx.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:6124
- C:\Windows\obvrrdbxmfrhfjmacikx.exe
  obvrrdbxmfrhfjmacikx.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bngbalidrjujgjlyzef.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:3244
- C:\Windows\bngbalidrjujgjlyzef.exe
  bngbalidrjujgjlyzef.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5084
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bngbalidrjujgjlyzef.exe*."
    3⤵
    - Executes dropped EXE
    PID:5028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c drmjkxwtjdqhglpehorfa.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3488
- C:\Windows\drmjkxwtjdqhglpehorfa.exe
  drmjkxwtjdqhglpehorfa.exe
  2⤵
  - Executes dropped EXE
  PID:1412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bngbalidrjujgjlyzef.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:5116
- C:\Windows\bngbalidrjujgjlyzef.exe
  bngbalidrjujgjlyzef.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3500
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bngbalidrjujgjlyzef.exe*."
    3⤵
    - Executes dropped EXE
    PID:1952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:6136
- C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
  C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3184
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bngbalidrjujgjlyzef.exe*."
    3⤵
    - Executes dropped EXE
    PID:1716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3448
- C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
  2⤵
  - Executes dropped EXE
  PID:1300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
  C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5216
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bngbalidrjujgjlyzef.exe*."
    3⤵
    - Executes dropped EXE
    PID:6140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bngbalidrjujgjlyzef.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4304
- C:\Windows\bngbalidrjujgjlyzef.exe
  bngbalidrjujgjlyzef.exe
  2⤵
  - Executes dropped EXE
  PID:5252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bngbalidrjujgjlyzef.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4884
- C:\Windows\bngbalidrjujgjlyzef.exe
  bngbalidrjujgjlyzef.exe
  2⤵
  - Executes dropped EXE
  PID:808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qbtnlvrlypznjlmyyc.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:5592
- C:\Windows\qbtnlvrlypznjlmyyc.exe
  qbtnlvrlypznjlmyyc.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\qbtnlvrlypznjlmyyc.exe*."
    3⤵
    - Executes dropped EXE
    PID:5276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hribyhcvhxgtoppaz.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:5708
- C:\Windows\hribyhcvhxgtoppaz.exe
  hribyhcvhxgtoppaz.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4276
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\hribyhcvhxgtoppaz.exe*."
    3⤵
    - Executes dropped EXE
    PID:3728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qbtnlvrlypznjlmyyc.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5972
- C:\Windows\qbtnlvrlypznjlmyyc.exe
  qbtnlvrlypznjlmyyc.exe
  2⤵
  - Executes dropped EXE
  PID:1756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c drmjkxwtjdqhglpehorfa.exe
1⤵
PID:1548
- C:\Windows\drmjkxwtjdqhglpehorfa.exe
  drmjkxwtjdqhglpehorfa.exe
  2⤵
  - Executes dropped EXE
  PID:4848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ajzrnvphshpbvvue.exe .
1⤵
PID:6028
- C:\Windows\ajzrnvphshpbvvue.exe
  ajzrnvphshpbvvue.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4768
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\ajzrnvphshpbvvue.exe*."
    3⤵
    - Executes dropped EXE
    PID:2128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c obvrrdbxmfrhfjmacikx.exe .
1⤵
PID:4044
- C:\Windows\obvrrdbxmfrhfjmacikx.exe
  obvrrdbxmfrhfjmacikx.exe .
  2⤵
  - Executes dropped EXE
  PID:4872
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\obvrrdbxmfrhfjmacikx.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
1⤵
PID:2492
- C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
  2⤵
  - Executes dropped EXE
  PID:3556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe
1⤵
PID:2344
- C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe
  2⤵
  - Executes dropped EXE
  PID:5920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obvrrdbxmfrhfjmacikx.exe .
1⤵
PID:4704
- C:\Users\Admin\AppData\Local\Temp\obvrrdbxmfrhfjmacikx.exe
  C:\Users\Admin\AppData\Local\Temp\obvrrdbxmfrhfjmacikx.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3488
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\obvrrdbxmfrhfjmacikx.exe*."
    3⤵
    - Executes dropped EXE
    PID:3348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obvrrdbxmfrhfjmacikx.exe .
1⤵
PID:4664
- C:\Users\Admin\AppData\Local\Temp\obvrrdbxmfrhfjmacikx.exe
  C:\Users\Admin\AppData\Local\Temp\obvrrdbxmfrhfjmacikx.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3540
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\obvrrdbxmfrhfjmacikx.exe*."
    3⤵
    - Executes dropped EXE
    PID:1416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe
1⤵
PID:1724
- C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe
  2⤵
  - Executes dropped EXE
  PID:1156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obvrrdbxmfrhfjmacikx.exe
1⤵
PID:2584
- C:\Users\Admin\AppData\Local\Temp\obvrrdbxmfrhfjmacikx.exe
  C:\Users\Admin\AppData\Local\Temp\obvrrdbxmfrhfjmacikx.exe
  2⤵
  - Executes dropped EXE
  PID:932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe .
1⤵
PID:3816
- C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1076
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\qbtnlvrlypznjlmyyc.exe*."
    3⤵
    - Executes dropped EXE
    PID:464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe .
1⤵
PID:5032
- C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:976
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\qbtnlvrlypznjlmyyc.exe*."
    3⤵
    - Executes dropped EXE
    PID:1232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c obvrrdbxmfrhfjmacikx.exe
1⤵
PID:5236
- C:\Windows\obvrrdbxmfrhfjmacikx.exe
  obvrrdbxmfrhfjmacikx.exe
  2⤵
  - Executes dropped EXE
  PID:3792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hribyhcvhxgtoppaz.exe .
1⤵
PID:5296
- C:\Windows\hribyhcvhxgtoppaz.exe
  hribyhcvhxgtoppaz.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1980
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\hribyhcvhxgtoppaz.exe*."
    3⤵
    - Executes dropped EXE
    PID:604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qbtnlvrlypznjlmyyc.exe
1⤵
PID:3236
- C:\Windows\qbtnlvrlypznjlmyyc.exe
  qbtnlvrlypznjlmyyc.exe
  2⤵
  - Executes dropped EXE
  PID:3304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c drmjkxwtjdqhglpehorfa.exe .
1⤵
PID:1800
- C:\Windows\drmjkxwtjdqhglpehorfa.exe
  drmjkxwtjdqhglpehorfa.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1060
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\drmjkxwtjdqhglpehorfa.exe*."
    3⤵
    - Executes dropped EXE
    PID:3468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe
1⤵
PID:5772
- C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe
  C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe .
1⤵
PID:3968
- C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
  C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2828
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bngbalidrjujgjlyzef.exe*."
    3⤵
    - Executes dropped EXE
    PID:4552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe
1⤵
PID:5564
- C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe
  2⤵
  - Executes dropped EXE
  PID:4748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe .
1⤵
PID:5696
- C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe
  C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1452
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\drmjkxwtjdqhglpehorfa.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qbtnlvrlypznjlmyyc.exe
1⤵
PID:4876
- C:\Windows\qbtnlvrlypznjlmyyc.exe
  qbtnlvrlypznjlmyyc.exe
  2⤵
  - Executes dropped EXE
  PID:5664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c obvrrdbxmfrhfjmacikx.exe
1⤵
PID:5920
- C:\Windows\obvrrdbxmfrhfjmacikx.exe
  obvrrdbxmfrhfjmacikx.exe
  2⤵
  - Executes dropped EXE
  PID:3460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ajzrnvphshpbvvue.exe .
1⤵
PID:3972
- C:\Windows\ajzrnvphshpbvvue.exe
  ajzrnvphshpbvvue.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1996
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\ajzrnvphshpbvvue.exe*."
    3⤵
    - Executes dropped EXE
    PID:1300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c obvrrdbxmfrhfjmacikx.exe
1⤵
PID:4864
- C:\Windows\obvrrdbxmfrhfjmacikx.exe
  obvrrdbxmfrhfjmacikx.exe
  2⤵
  - Executes dropped EXE
  PID:1440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c drmjkxwtjdqhglpehorfa.exe .
1⤵
PID:4656
- C:\Windows\drmjkxwtjdqhglpehorfa.exe
  drmjkxwtjdqhglpehorfa.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4952
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\drmjkxwtjdqhglpehorfa.exe*."
    3⤵
    - Executes dropped EXE
    PID:1568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bngbalidrjujgjlyzef.exe
1⤵
PID:5076
- C:\Windows\bngbalidrjujgjlyzef.exe
  bngbalidrjujgjlyzef.exe
  2⤵
  - Executes dropped EXE
  PID:1356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hribyhcvhxgtoppaz.exe .
1⤵
PID:1728
- C:\Windows\hribyhcvhxgtoppaz.exe
  hribyhcvhxgtoppaz.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1000
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\hribyhcvhxgtoppaz.exe*."
    3⤵
    - Executes dropped EXE
    PID:5768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qbtnlvrlypznjlmyyc.exe .
1⤵
PID:5740
- C:\Windows\qbtnlvrlypznjlmyyc.exe
  qbtnlvrlypznjlmyyc.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1672
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\qbtnlvrlypznjlmyyc.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qbtnlvrlypznjlmyyc.exe
1⤵
PID:4184
- C:\Windows\qbtnlvrlypznjlmyyc.exe
  qbtnlvrlypznjlmyyc.exe
  2⤵
  - Executes dropped EXE
  PID:6068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe
1⤵
PID:2472
- C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe
  2⤵
  - Executes dropped EXE
  PID:2304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bngbalidrjujgjlyzef.exe
1⤵
PID:4112
- C:\Windows\bngbalidrjujgjlyzef.exe
  bngbalidrjujgjlyzef.exe
  2⤵
  PID:1800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c obvrrdbxmfrhfjmacikx.exe .
1⤵
PID:4260
- C:\Windows\obvrrdbxmfrhfjmacikx.exe
  obvrrdbxmfrhfjmacikx.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4168
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\obvrrdbxmfrhfjmacikx.exe*."
    3⤵
    PID:3672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe .
1⤵
PID:4696
- C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
  C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2024
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bngbalidrjujgjlyzef.exe*."
    3⤵
    PID:2396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ajzrnvphshpbvvue.exe .
1⤵
PID:4356
- C:\Windows\ajzrnvphshpbvvue.exe
  ajzrnvphshpbvvue.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5800
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\ajzrnvphshpbvvue.exe*."
    3⤵
    PID:4680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
1⤵
PID:2772
- C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
  2⤵
  PID:1796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe
1⤵
PID:1760
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:464
- C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe
  C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe
  2⤵
  PID:5452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe .
1⤵
PID:6052
- C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3096
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\ajzrnvphshpbvvue.exe*."
    3⤵
    PID:2276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe .
1⤵
PID:5104
- C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
  C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5948
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bngbalidrjujgjlyzef.exe*."
    3⤵
    PID:4912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obvrrdbxmfrhfjmacikx.exe
1⤵
PID:1820
- C:\Users\Admin\AppData\Local\Temp\obvrrdbxmfrhfjmacikx.exe
  C:\Users\Admin\AppData\Local\Temp\obvrrdbxmfrhfjmacikx.exe
  2⤵
  PID:5964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe .
1⤵
PID:1072
- C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5340
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\hribyhcvhxgtoppaz.exe*."
    3⤵
    PID:2660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
1⤵
PID:4384
- C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
  C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
  2⤵
  PID:1452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe .
1⤵
PID:2844
- C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5708
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\qbtnlvrlypznjlmyyc.exe*."
    3⤵
    PID:3244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obvrrdbxmfrhfjmacikx.exe
1⤵
PID:2372
- C:\Users\Admin\AppData\Local\Temp\obvrrdbxmfrhfjmacikx.exe
  C:\Users\Admin\AppData\Local\Temp\obvrrdbxmfrhfjmacikx.exe
  2⤵
  PID:1548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe .
1⤵
PID:4564
- C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4848
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\ajzrnvphshpbvvue.exe*."
    3⤵
    PID:4780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qbtnlvrlypznjlmyyc.exe
1⤵
PID:1932
- C:\Windows\qbtnlvrlypznjlmyyc.exe
  qbtnlvrlypznjlmyyc.exe
  2⤵
  PID:6124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bngbalidrjujgjlyzef.exe .
1⤵
PID:636
- C:\Windows\bngbalidrjujgjlyzef.exe
  bngbalidrjujgjlyzef.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4484
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bngbalidrjujgjlyzef.exe*."
    3⤵
    PID:1944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hribyhcvhxgtoppaz.exe
1⤵
PID:2804
- C:\Windows\hribyhcvhxgtoppaz.exe
  hribyhcvhxgtoppaz.exe
  2⤵
  PID:1000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bngbalidrjujgjlyzef.exe .
1⤵
PID:5560
- C:\Windows\bngbalidrjujgjlyzef.exe
  bngbalidrjujgjlyzef.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2304
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bngbalidrjujgjlyzef.exe*."
    3⤵
    PID:4552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe
1⤵
PID:4884
- C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe
  C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe
  2⤵
  PID:4304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe .
1⤵
PID:5952
- C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
  C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3908
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bngbalidrjujgjlyzef.exe*."
    3⤵
    PID:4184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe
1⤵
PID:1484
- C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe
  2⤵
  PID:5540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obvrrdbxmfrhfjmacikx.exe .
1⤵
PID:3348
- C:\Users\Admin\AppData\Local\Temp\obvrrdbxmfrhfjmacikx.exe
  C:\Users\Admin\AppData\Local\Temp\obvrrdbxmfrhfjmacikx.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:448
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\obvrrdbxmfrhfjmacikx.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Checks computer location settings
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - System Location Discovery: System Language Discovery
    - System policy modification
    PID:3000
  - - C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe
      "C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe" "-C:\Users\Admin\AppData\Local\Temp\vncvjvmfshpbvvue.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4976
  - - C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe
      "C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe" "-C:\Users\Admin\AppData\Local\Temp\vncvjvmfshpbvvue.exe"
      4⤵
      PID:5508
  - - C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe
      "C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe" "-C:\Users\Admin\AppData\Local\Temp\vncvjvmfshpbvvue.exe"
      4⤵
      PID:1072
  - - C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe
      "C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe" "-C:\Users\Admin\AppData\Local\Temp\vncvjvmfshpbvvue.exe"
      4⤵
      PID:4968
  - - C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe
      "C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe" "-C:\Users\Admin\AppData\Local\Temp\vncvjvmfshpbvvue.exe"
      4⤵
      PID:4000
  - - C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe
      "C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe" "-C:\Users\Admin\AppData\Local\Temp\vncvjvmfshpbvvue.exe"
      4⤵
      PID:772
  - - C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe
      "C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe" "-C:\Users\Admin\AppData\Local\Temp\vncvjvmfshpbvvue.exe"
      4⤵
      PID:2844
  - - C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe
      "C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe" "-C:\Users\Admin\AppData\Local\Temp\vncvjvmfshpbvvue.exe"
      4⤵
      PID:4692
  - - C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe
      "C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe" "-C:\Users\Admin\AppData\Local\Temp\vncvjvmfshpbvvue.exe"
      4⤵
      PID:2432
  - - C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe
      "C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe" "-C:\Users\Admin\AppData\Local\Temp\vncvjvmfshpbvvue.exe"
      4⤵
      PID:3936
  - - C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe
      "C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe" "-C:\Users\Admin\AppData\Local\Temp\vncvjvmfshpbvvue.exe"
      4⤵
      PID:5468
  - - C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe
      "C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe" "-C:\Users\Admin\AppData\Local\Temp\vncvjvmfshpbvvue.exe"
      4⤵
      PID:3936
  - - C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe
      "C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe" "-C:\Users\Admin\AppData\Local\Temp\vncvjvmfshpbvvue.exe"
      4⤵
      PID:5340
  - - C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe
      "C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe" "-C:\Users\Admin\AppData\Local\Temp\vncvjvmfshpbvvue.exe"
      4⤵
      PID:2800
  - - C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe
      "C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe" "-C:\Users\Admin\AppData\Local\Temp\vncvjvmfshpbvvue.exe"
      4⤵
      PID:3628
  - - C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe
      "C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe" "-C:\Users\Admin\AppData\Local\Temp\vncvjvmfshpbvvue.exe"
      4⤵
      PID:4596
  - - C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe
      "C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe" "-C:\Users\Admin\AppData\Local\Temp\vncvjvmfshpbvvue.exe"
      4⤵
      PID:1476
  - - C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe
      "C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe" "-C:\Users\Admin\AppData\Local\Temp\vncvjvmfshpbvvue.exe"
      4⤵
      PID:400
  - - C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe
      "C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe" "-C:\Users\Admin\AppData\Local\Temp\vncvjvmfshpbvvue.exe"
      4⤵
      PID:4420
  - - C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe
      "C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe" "-C:\Users\Admin\AppData\Local\Temp\vncvjvmfshpbvvue.exe"
      4⤵
      PID:604
  - - C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe
      "C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe" "-C:\Users\Admin\AppData\Local\Temp\vncvjvmfshpbvvue.exe"
      4⤵
      PID:5092
  - - C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe
      "C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe" "-C:\Users\Admin\AppData\Local\Temp\vncvjvmfshpbvvue.exe"
      4⤵
      PID:4564
  - - C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe
      "C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe" "-C:\Users\Admin\AppData\Local\Temp\vncvjvmfshpbvvue.exe"
      4⤵
      PID:2768
  - - C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe
      "C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe" "-C:\Users\Admin\AppData\Local\Temp\vncvjvmfshpbvvue.exe"
      4⤵
      PID:2728
  - - C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe
      "C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe" "-C:\Users\Admin\AppData\Local\Temp\vncvjvmfshpbvvue.exe"
      4⤵
      PID:2320
  - - C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe
      "C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe" "-C:\Users\Admin\AppData\Local\Temp\vncvjvmfshpbvvue.exe"
      4⤵
      PID:4724
  - - C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe
      "C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe" "-C:\Users\Admin\AppData\Local\Temp\vncvjvmfshpbvvue.exe"
      4⤵
      PID:3024
  - - C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe
      "C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe" "-C:\Users\Admin\AppData\Local\Temp\vncvjvmfshpbvvue.exe"
      4⤵
      PID:3232
  - - C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe
      "C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe" "-C:\Users\Admin\AppData\Local\Temp\vncvjvmfshpbvvue.exe"
      4⤵
      PID:3556
  - - C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe
      "C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe" "-C:\Users\Admin\AppData\Local\Temp\vncvjvmfshpbvvue.exe"
      4⤵
      PID:5444
  - - C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe
      "C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe" "-C:\Users\Admin\AppData\Local\Temp\vncvjvmfshpbvvue.exe"
      4⤵
      PID:3540
  - - C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe
      "C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe" "-C:\Users\Admin\AppData\Local\Temp\vncvjvmfshpbvvue.exe"
      4⤵
      PID:3984
  - - C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe
      "C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe" "-C:\Users\Admin\AppData\Local\Temp\vncvjvmfshpbvvue.exe"
      4⤵
      PID:4988
  - - C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe
      "C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe" "-C:\Users\Admin\AppData\Local\Temp\vncvjvmfshpbvvue.exe"
      4⤵
      PID:1244
  - - C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe
      "C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe" "-C:\Users\Admin\AppData\Local\Temp\vncvjvmfshpbvvue.exe"
      4⤵
      PID:3412
  - - C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe
      "C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe" "-C:\Users\Admin\AppData\Local\Temp\vncvjvmfshpbvvue.exe"
      4⤵
      PID:5560
  - - C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe
      "C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe" "-C:\Users\Admin\AppData\Local\Temp\vncvjvmfshpbvvue.exe"
      4⤵
      PID:664
  - - C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe
      "C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe" "-C:\Users\Admin\AppData\Local\Temp\vncvjvmfshpbvvue.exe"
      4⤵
      PID:2740
  - - C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe
      "C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe" "-C:\Users\Admin\AppData\Local\Temp\vncvjvmfshpbvvue.exe"
      4⤵
      PID:1132
  - - C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe
      "C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe" "-C:\Users\Admin\AppData\Local\Temp\vncvjvmfshpbvvue.exe"
      4⤵
      PID:6136
  - - C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe
      "C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe" "-C:\Users\Admin\AppData\Local\Temp\vncvjvmfshpbvvue.exe"
      4⤵
      PID:1260
  - - C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe
      "C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe" "-C:\Users\Admin\AppData\Local\Temp\vncvjvmfshpbvvue.exe"
      4⤵
      PID:4564
  - - C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe
      "C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe" "-C:\Users\Admin\AppData\Local\Temp\vncvjvmfshpbvvue.exe"
      4⤵
      PID:1536
  - - C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe
      "C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe" "-C:\Users\Admin\AppData\Local\Temp\vncvjvmfshpbvvue.exe"
      4⤵
      PID:2528
  - - C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe
      "C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe" "-C:\Users\Admin\AppData\Local\Temp\vncvjvmfshpbvvue.exe"
      4⤵
      PID:5560
  - - C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe
      "C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe" "-C:\Users\Admin\AppData\Local\Temp\vncvjvmfshpbvvue.exe"
      4⤵
      PID:1020
  - - C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe
      "C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe" "-C:\Users\Admin\AppData\Local\Temp\vncvjvmfshpbvvue.exe"
      4⤵
      PID:5084
  - - C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe
      "C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe" "-C:\Users\Admin\AppData\Local\Temp\vncvjvmfshpbvvue.exe"
      4⤵
      PID:2328
  - - C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe
      "C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe" "-C:\Users\Admin\AppData\Local\Temp\vncvjvmfshpbvvue.exe"
      4⤵
      PID:3464
  - - C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe
      "C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe" "-C:\Users\Admin\AppData\Local\Temp\vncvjvmfshpbvvue.exe"
      4⤵
      PID:2164
  - - C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe
      "C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe" "-C:\Users\Admin\AppData\Local\Temp\vncvjvmfshpbvvue.exe"
      4⤵
      PID:3260
  - - C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe
      "C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe" "-C:\Users\Admin\AppData\Local\Temp\vncvjvmfshpbvvue.exe"
      4⤵
      PID:3972
  - - C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe
      "C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe" "-C:\Users\Admin\AppData\Local\Temp\vncvjvmfshpbvvue.exe"
      4⤵
      PID:5960
  - - C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe
      "C:\Users\Admin\AppData\Local\Temp\jrwfjl.exe" "-C:\Users\Admin\AppData\Local\Temp\vncvjvmfshpbvvue.exe"
      4⤵
      PID:808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yvpngxtrjdqhglpehomjd.exe
1⤵
PID:3616
- C:\Windows\yvpngxtrjdqhglpehomjd.exe
  yvpngxtrjdqhglpehomjd.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wrjfwlfbrjujgjlyzea.exe .
1⤵
PID:5212
- C:\Windows\wrjfwlfbrjujgjlyzea.exe
  wrjfwlfbrjujgjlyzea.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3692
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\wrjfwlfbrjujgjlyzea.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jfyvndyvmfrhfjmacifb.exe
1⤵
PID:5436
- C:\Windows\jfyvndyvmfrhfjmacifb.exe
  jfyvndyvmfrhfjmacifb.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yvpngxtrjdqhglpehomjd.exe .
1⤵
PID:2728
- C:\Windows\yvpngxtrjdqhglpehomjd.exe
  yvpngxtrjdqhglpehomjd.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5336
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\yvpngxtrjdqhglpehomjd.exe*."
    3⤵
    PID:5700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jfyvndyvmfrhfjmacifb.exe
1⤵
PID:5124
- C:\Users\Admin\AppData\Local\Temp\jfyvndyvmfrhfjmacifb.exe
  C:\Users\Admin\AppData\Local\Temp\jfyvndyvmfrhfjmacifb.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wrjfwlfbrjujgjlyzea.exe .
1⤵
PID:2864
- C:\Users\Admin\AppData\Local\Temp\wrjfwlfbrjujgjlyzea.exe
  C:\Users\Admin\AppData\Local\Temp\wrjfwlfbrjujgjlyzea.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5808
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\wrjfwlfbrjujgjlyzea.exe*."
    3⤵
    PID:5128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c obvrrdbxmfrhfjmacikx.exe
1⤵
PID:3956
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1440
- C:\Windows\obvrrdbxmfrhfjmacikx.exe
  obvrrdbxmfrhfjmacikx.exe
  2⤵
  PID:4828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vncvjvmfshpbvvue.exe
1⤵
PID:1660
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5920
- C:\Users\Admin\AppData\Local\Temp\vncvjvmfshpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\vncvjvmfshpbvvue.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vncvjvmfshpbvvue.exe .
1⤵
PID:2936
- C:\Users\Admin\AppData\Local\Temp\vncvjvmfshpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\vncvjvmfshpbvvue.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4180
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\vncvjvmfshpbvvue.exe*."
    3⤵
    PID:1760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bngbalidrjujgjlyzef.exe .
1⤵
PID:4276
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3468
- C:\Windows\bngbalidrjujgjlyzef.exe
  bngbalidrjujgjlyzef.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3792
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bngbalidrjujgjlyzef.exe*."
    3⤵
    PID:632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ajzrnvphshpbvvue.exe
1⤵
PID:3860
- C:\Windows\ajzrnvphshpbvvue.exe
  ajzrnvphshpbvvue.exe
  2⤵
  PID:4904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ajzrnvphshpbvvue.exe .
1⤵
PID:1892
- C:\Windows\ajzrnvphshpbvvue.exe
  ajzrnvphshpbvvue.exe .
  2⤵
  - Checks computer location settings
  PID:3636
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\ajzrnvphshpbvvue.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe
1⤵
PID:5452
- C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe
  2⤵
  PID:5372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe .
1⤵
PID:2876
- C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
  C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe .
  2⤵
  - Checks computer location settings
  PID:2760
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bngbalidrjujgjlyzef.exe*."
    3⤵
    PID:2528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe
1⤵
PID:1876
- C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe
  C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe
  2⤵
  PID:1068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obvrrdbxmfrhfjmacikx.exe .
1⤵
PID:5484
- C:\Users\Admin\AppData\Local\Temp\obvrrdbxmfrhfjmacikx.exe
  C:\Users\Admin\AppData\Local\Temp\obvrrdbxmfrhfjmacikx.exe .
  2⤵
  - Checks computer location settings
  PID:3256
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\obvrrdbxmfrhfjmacikx.exe*."
    3⤵
    PID:5352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bngbalidrjujgjlyzef.exe
1⤵
PID:4008
- C:\Windows\bngbalidrjujgjlyzef.exe
  bngbalidrjujgjlyzef.exe
  2⤵
  PID:5176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bngbalidrjujgjlyzef.exe .
1⤵
PID:2012
- C:\Windows\bngbalidrjujgjlyzef.exe
  bngbalidrjujgjlyzef.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4600
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bngbalidrjujgjlyzef.exe*."
    3⤵
    PID:392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c obvrrdbxmfrhfjmacikx.exe
1⤵
PID:5152
- C:\Windows\obvrrdbxmfrhfjmacikx.exe
  obvrrdbxmfrhfjmacikx.exe
  2⤵
  PID:2212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c obvrrdbxmfrhfjmacikx.exe .
1⤵
PID:5936
- C:\Windows\obvrrdbxmfrhfjmacikx.exe
  obvrrdbxmfrhfjmacikx.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4576
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\obvrrdbxmfrhfjmacikx.exe*."
    3⤵
    PID:2328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
1⤵
PID:5684
- C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
  C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
  2⤵
  PID:5892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe .
1⤵
PID:2584
- C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe
  C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2608
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\drmjkxwtjdqhglpehorfa.exe*."
    3⤵
    PID:2432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vncvjvmfshpbvvue.exe
1⤵
PID:5976
- C:\Windows\vncvjvmfshpbvvue.exe
  vncvjvmfshpbvvue.exe
  2⤵
  PID:1748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe
1⤵
PID:2780
- C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe
  2⤵
  PID:6056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe .
1⤵
PID:3052
- C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe
  C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:60
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\drmjkxwtjdqhglpehorfa.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vncvjvmfshpbvvue.exe .
1⤵
PID:3196
- C:\Windows\vncvjvmfshpbvvue.exe
  vncvjvmfshpbvvue.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5972
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\vncvjvmfshpbvvue.exe*."
    3⤵
    PID:2856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cvlfuhzthxgtoppaz.exe
1⤵
PID:4380
- C:\Windows\cvlfuhzthxgtoppaz.exe
  cvlfuhzthxgtoppaz.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jfyvndyvmfrhfjmacifb.exe .
1⤵
PID:6084
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4780
- C:\Windows\jfyvndyvmfrhfjmacifb.exe
  jfyvndyvmfrhfjmacifb.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3584
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\jfyvndyvmfrhfjmacifb.exe*."
    3⤵
    PID:4904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfwrhvojypznjlmyyc.exe
1⤵
PID:5808
- C:\Users\Admin\AppData\Local\Temp\lfwrhvojypznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\lfwrhvojypznjlmyyc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wrjfwlfbrjujgjlyzea.exe .
1⤵
PID:1932
- C:\Users\Admin\AppData\Local\Temp\wrjfwlfbrjujgjlyzea.exe
  C:\Users\Admin\AppData\Local\Temp\wrjfwlfbrjujgjlyzea.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3512
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\wrjfwlfbrjujgjlyzea.exe*."
    3⤵
    PID:1096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c obvrrdbxmfrhfjmacikx.exe
1⤵
PID:4424
- C:\Windows\obvrrdbxmfrhfjmacikx.exe
  obvrrdbxmfrhfjmacikx.exe
  2⤵
  PID:4356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wrjfwlfbrjujgjlyzea.exe
1⤵
PID:4084
- C:\Users\Admin\AppData\Local\Temp\wrjfwlfbrjujgjlyzea.exe
  C:\Users\Admin\AppData\Local\Temp\wrjfwlfbrjujgjlyzea.exe
  2⤵
  PID:4156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jfyvndyvmfrhfjmacifb.exe .
1⤵
PID:4980
- C:\Users\Admin\AppData\Local\Temp\jfyvndyvmfrhfjmacifb.exe
  C:\Users\Admin\AppData\Local\Temp\jfyvndyvmfrhfjmacifb.exe .
  2⤵
  PID:1672
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\jfyvndyvmfrhfjmacifb.exe*."
    3⤵
    PID:2020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c drmjkxwtjdqhglpehorfa.exe .
1⤵
PID:5524
- C:\Windows\drmjkxwtjdqhglpehorfa.exe
  drmjkxwtjdqhglpehorfa.exe .
  2⤵
  PID:2384
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\drmjkxwtjdqhglpehorfa.exe*."
    3⤵
    PID:4092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ajzrnvphshpbvvue.exe
1⤵
PID:1824
- C:\Windows\ajzrnvphshpbvvue.exe
  ajzrnvphshpbvvue.exe
  2⤵
  PID:516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bngbalidrjujgjlyzef.exe .
1⤵
PID:1572
- C:\Windows\bngbalidrjujgjlyzef.exe
  bngbalidrjujgjlyzef.exe .
  2⤵
  - Checks computer location settings
  PID:1568
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bngbalidrjujgjlyzef.exe*."
    3⤵
    PID:5068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
1⤵
PID:2628
- C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
  C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
  2⤵
  PID:5660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe .
1⤵
PID:3256
- C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5032
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\hribyhcvhxgtoppaz.exe*."
    3⤵
    PID:2456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
1⤵
PID:3908
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1800
- C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
  C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
  2⤵
  PID:4192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe .
1⤵
PID:932
- C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe .
  2⤵
  PID:4500
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\hribyhcvhxgtoppaz.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c obvrrdbxmfrhfjmacikx.exe
1⤵
PID:4460
- C:\Windows\obvrrdbxmfrhfjmacikx.exe
  obvrrdbxmfrhfjmacikx.exe
  2⤵
  PID:2772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qbtnlvrlypznjlmyyc.exe .
1⤵
PID:244
- C:\Windows\qbtnlvrlypznjlmyyc.exe
  qbtnlvrlypznjlmyyc.exe .
  2⤵
  - Checks computer location settings
  PID:1624
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\qbtnlvrlypznjlmyyc.exe*."
    3⤵
    PID:560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ajzrnvphshpbvvue.exe
1⤵
PID:1584
- C:\Windows\ajzrnvphshpbvvue.exe
  ajzrnvphshpbvvue.exe
  2⤵
  PID:1904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c obvrrdbxmfrhfjmacikx.exe .
1⤵
PID:3188
- C:\Windows\obvrrdbxmfrhfjmacikx.exe
  obvrrdbxmfrhfjmacikx.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1436
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\obvrrdbxmfrhfjmacikx.exe*."
    3⤵
    PID:5568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe
1⤵
PID:2320
- C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe
  C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe
  2⤵
  PID:5972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe .
1⤵
PID:5084
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5336
- C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe
  C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5260
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\drmjkxwtjdqhglpehorfa.exe*."
    3⤵
    PID:4744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe
1⤵
PID:2372
- C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe
  2⤵
  PID:1660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe .
1⤵
PID:5236
- C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe
  C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3972
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\drmjkxwtjdqhglpehorfa.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c obvrrdbxmfrhfjmacikx.exe
1⤵
PID:5924
- C:\Windows\obvrrdbxmfrhfjmacikx.exe
  obvrrdbxmfrhfjmacikx.exe
  2⤵
  PID:640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qbtnlvrlypznjlmyyc.exe .
1⤵
PID:2108
- C:\Windows\qbtnlvrlypznjlmyyc.exe
  qbtnlvrlypznjlmyyc.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3700
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\qbtnlvrlypznjlmyyc.exe*."
    3⤵
    PID:3076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hribyhcvhxgtoppaz.exe
1⤵
PID:2040
- C:\Windows\hribyhcvhxgtoppaz.exe
  hribyhcvhxgtoppaz.exe
  2⤵
  PID:4696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hribyhcvhxgtoppaz.exe
1⤵
PID:3792
- C:\Windows\hribyhcvhxgtoppaz.exe
  hribyhcvhxgtoppaz.exe
  2⤵
  PID:2884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bngbalidrjujgjlyzef.exe
1⤵
PID:4952
- C:\Windows\bngbalidrjujgjlyzef.exe
  bngbalidrjujgjlyzef.exe
  2⤵
  PID:4592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c drmjkxwtjdqhglpehorfa.exe .
1⤵
PID:3432
- C:\Windows\drmjkxwtjdqhglpehorfa.exe
  drmjkxwtjdqhglpehorfa.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2032
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\drmjkxwtjdqhglpehorfa.exe*."
    3⤵
    PID:2456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c drmjkxwtjdqhglpehorfa.exe .
1⤵
PID:4212
- C:\Windows\drmjkxwtjdqhglpehorfa.exe
  drmjkxwtjdqhglpehorfa.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:748
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\drmjkxwtjdqhglpehorfa.exe*."
    3⤵
    PID:4712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe
1⤵
PID:4732
- C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe
  C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe
  2⤵
  PID:5508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ajzrnvphshpbvvue.exe .
1⤵
PID:1164
- C:\Windows\ajzrnvphshpbvvue.exe
  ajzrnvphshpbvvue.exe .
  2⤵
  - Checks computer location settings
  PID:448
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\ajzrnvphshpbvvue.exe*."
    3⤵
    PID:3140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hribyhcvhxgtoppaz.exe
1⤵
PID:3816
- C:\Windows\hribyhcvhxgtoppaz.exe
  hribyhcvhxgtoppaz.exe
  2⤵
  PID:3412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe .
1⤵
PID:1468
- C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe
  C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe .
  2⤵
  - Checks computer location settings
  PID:4884
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\drmjkxwtjdqhglpehorfa.exe*."
    3⤵
    PID:1944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c drmjkxwtjdqhglpehorfa.exe .
1⤵
PID:4552
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1000
- C:\Windows\drmjkxwtjdqhglpehorfa.exe
  drmjkxwtjdqhglpehorfa.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4764
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\drmjkxwtjdqhglpehorfa.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
1⤵
PID:2852
- C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
  2⤵
  PID:4760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c drmjkxwtjdqhglpehorfa.exe
1⤵
PID:3568
- C:\Windows\drmjkxwtjdqhglpehorfa.exe
  drmjkxwtjdqhglpehorfa.exe
  2⤵
  PID:5876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe .
1⤵
PID:652
- C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
  C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3620
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bngbalidrjujgjlyzef.exe*."
    3⤵
    PID:368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hribyhcvhxgtoppaz.exe .
1⤵
PID:3968
- C:\Windows\hribyhcvhxgtoppaz.exe
  hribyhcvhxgtoppaz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2320
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\hribyhcvhxgtoppaz.exe*."
    3⤵
    PID:976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe
1⤵
PID:2012
- C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe
  2⤵
  PID:4968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe
1⤵
PID:2352
- C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe
  C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe
  2⤵
  PID:4356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obvrrdbxmfrhfjmacikx.exe .
1⤵
PID:3348
- C:\Users\Admin\AppData\Local\Temp\obvrrdbxmfrhfjmacikx.exe
  C:\Users\Admin\AppData\Local\Temp\obvrrdbxmfrhfjmacikx.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4744
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\obvrrdbxmfrhfjmacikx.exe*."
    3⤵
    PID:2848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe .
1⤵
PID:1452
- C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2680
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\qbtnlvrlypznjlmyyc.exe*."
    3⤵
    PID:6104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
1⤵
PID:2788
- C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
  2⤵
  PID:4808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe .
1⤵
PID:4432
- C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe .
  2⤵
  - Checks computer location settings
  PID:4692
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\qbtnlvrlypznjlmyyc.exe*."
    3⤵
    PID:2096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe
1⤵
PID:2584
- C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe
  2⤵
  PID:4380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe .
1⤵
PID:3144
- C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2372
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\hribyhcvhxgtoppaz.exe*."
    3⤵
    PID:1972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ajzrnvphshpbvvue.exe
1⤵
PID:1932
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5708
- C:\Windows\ajzrnvphshpbvvue.exe
  ajzrnvphshpbvvue.exe
  2⤵
  PID:4932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hribyhcvhxgtoppaz.exe .
1⤵
PID:4564
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2760
- C:\Windows\hribyhcvhxgtoppaz.exe
  hribyhcvhxgtoppaz.exe .
  2⤵
  - Checks computer location settings
  PID:844
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\hribyhcvhxgtoppaz.exe*."
    3⤵
    PID:4976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hribyhcvhxgtoppaz.exe
1⤵
PID:5484
- C:\Windows\hribyhcvhxgtoppaz.exe
  hribyhcvhxgtoppaz.exe
  2⤵
  PID:5488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hribyhcvhxgtoppaz.exe .
1⤵
PID:1572
- C:\Windows\hribyhcvhxgtoppaz.exe
  hribyhcvhxgtoppaz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3432
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\hribyhcvhxgtoppaz.exe*."
    3⤵
    PID:2020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
1⤵
PID:1996
- C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
  C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
  2⤵
  PID:5072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe .
1⤵
PID:2608
- C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe .
  2⤵
  - Checks computer location settings
  PID:4092
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\ajzrnvphshpbvvue.exe*."
    3⤵
    PID:3656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
1⤵
PID:1352
- C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
  2⤵
  PID:4740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obvrrdbxmfrhfjmacikx.exe .
1⤵
PID:1748
- C:\Users\Admin\AppData\Local\Temp\obvrrdbxmfrhfjmacikx.exe
  C:\Users\Admin\AppData\Local\Temp\obvrrdbxmfrhfjmacikx.exe .
  2⤵
  - Checks computer location settings
  PID:1072
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\obvrrdbxmfrhfjmacikx.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hribyhcvhxgtoppaz.exe
1⤵
PID:3620
- C:\Windows\hribyhcvhxgtoppaz.exe
  hribyhcvhxgtoppaz.exe
  2⤵
  PID:512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ajzrnvphshpbvvue.exe .
1⤵
PID:4868
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4748
- C:\Windows\ajzrnvphshpbvvue.exe
  ajzrnvphshpbvvue.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5600
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\ajzrnvphshpbvvue.exe*."
    3⤵
    PID:5008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c obvrrdbxmfrhfjmacikx.exe
1⤵
PID:4100
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1300
- C:\Windows\obvrrdbxmfrhfjmacikx.exe
  obvrrdbxmfrhfjmacikx.exe
  2⤵
  PID:208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qbtnlvrlypznjlmyyc.exe .
1⤵
PID:5112
- C:\Windows\qbtnlvrlypznjlmyyc.exe
  qbtnlvrlypznjlmyyc.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4008
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\qbtnlvrlypznjlmyyc.exe*."
    3⤵
    PID:4716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
1⤵
PID:5272
- C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
  2⤵
  PID:2880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe .
1⤵
PID:5664
- C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4328
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\qbtnlvrlypznjlmyyc.exe*."
    3⤵
    PID:5148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
1⤵
PID:3308
- C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
  C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
  2⤵
  PID:4448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obvrrdbxmfrhfjmacikx.exe .
1⤵
PID:5568
- C:\Users\Admin\AppData\Local\Temp\obvrrdbxmfrhfjmacikx.exe
  C:\Users\Admin\AppData\Local\Temp\obvrrdbxmfrhfjmacikx.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3480
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\obvrrdbxmfrhfjmacikx.exe*."
    3⤵
    PID:2076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hribyhcvhxgtoppaz.exe
1⤵
PID:4936
- C:\Windows\hribyhcvhxgtoppaz.exe
  hribyhcvhxgtoppaz.exe
  2⤵
  PID:1484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ajzrnvphshpbvvue.exe .
1⤵
PID:5808
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4904
- C:\Windows\ajzrnvphshpbvvue.exe
  ajzrnvphshpbvvue.exe .
  2⤵
  PID:2696
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\ajzrnvphshpbvvue.exe*."
    3⤵
    PID:5092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hribyhcvhxgtoppaz.exe
1⤵
PID:5356
- C:\Windows\hribyhcvhxgtoppaz.exe
  hribyhcvhxgtoppaz.exe
  2⤵
  PID:112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qbtnlvrlypznjlmyyc.exe .
1⤵
PID:844
- C:\Windows\qbtnlvrlypznjlmyyc.exe
  qbtnlvrlypznjlmyyc.exe .
  2⤵
  PID:1840
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\qbtnlvrlypznjlmyyc.exe*."
    3⤵
    PID:1204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe
1⤵
PID:5216
- C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe
  C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe
  2⤵
  PID:3184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe .
1⤵
PID:1992
- C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe
  C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe .
  2⤵
  PID:3936
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\drmjkxwtjdqhglpehorfa.exe*."
    3⤵
    PID:5464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe
1⤵
PID:1672
- C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe
  2⤵
  PID:3656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe .
1⤵
PID:244
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2276
- C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe .
  2⤵
  PID:6052
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\ajzrnvphshpbvvue.exe*."
    3⤵
    PID:1352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jfyvndyvmfrhfjmacifb.exe
1⤵
PID:3260
- C:\Windows\jfyvndyvmfrhfjmacifb.exe
  jfyvndyvmfrhfjmacifb.exe
  2⤵
  PID:5032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c drmjkxwtjdqhglpehorfa.exe
1⤵
PID:1436
- C:\Windows\drmjkxwtjdqhglpehorfa.exe
  drmjkxwtjdqhglpehorfa.exe
  2⤵
  PID:4420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hribyhcvhxgtoppaz.exe .
1⤵
PID:960
- C:\Windows\hribyhcvhxgtoppaz.exe
  hribyhcvhxgtoppaz.exe .
  2⤵
  PID:2472
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\hribyhcvhxgtoppaz.exe*."
    3⤵
    PID:2880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wrjfwlfbrjujgjlyzea.exe .
1⤵
PID:5704
- C:\Windows\wrjfwlfbrjujgjlyzea.exe
  wrjfwlfbrjujgjlyzea.exe .
  2⤵
  PID:5964
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\wrjfwlfbrjujgjlyzea.exe*."
    3⤵
    PID:3484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yvpngxtrjdqhglpehomjd.exe
1⤵
PID:4560
- C:\Windows\yvpngxtrjdqhglpehomjd.exe
  yvpngxtrjdqhglpehomjd.exe
  2⤵
  PID:5924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ajzrnvphshpbvvue.exe
1⤵
PID:4380
- C:\Windows\ajzrnvphshpbvvue.exe
  ajzrnvphshpbvvue.exe
  2⤵
  PID:1184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vncvjvmfshpbvvue.exe .
1⤵
PID:5236
- C:\Windows\vncvjvmfshpbvvue.exe
  vncvjvmfshpbvvue.exe .
  2⤵
  PID:4800
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\vncvjvmfshpbvvue.exe*."
    3⤵
    PID:6124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ajzrnvphshpbvvue.exe .
1⤵
PID:3940
- C:\Windows\ajzrnvphshpbvvue.exe
  ajzrnvphshpbvvue.exe .
  2⤵
  PID:3452
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\ajzrnvphshpbvvue.exe*."
    3⤵
    PID:4512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe
1⤵
PID:5564
- C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe
  C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe
  2⤵
  PID:5956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wrjfwlfbrjujgjlyzea.exe
1⤵
PID:2584
- C:\Users\Admin\AppData\Local\Temp\wrjfwlfbrjujgjlyzea.exe
  C:\Users\Admin\AppData\Local\Temp\wrjfwlfbrjujgjlyzea.exe
  2⤵
  PID:4580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe .
1⤵
PID:1412
- C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe .
  2⤵
  PID:4772
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\hribyhcvhxgtoppaz.exe*."
    3⤵
    PID:1568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfwrhvojypznjlmyyc.exe .
1⤵
PID:2996
- C:\Users\Admin\AppData\Local\Temp\lfwrhvojypznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\lfwrhvojypznjlmyyc.exe .
  2⤵
  PID:5444
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\lfwrhvojypznjlmyyc.exe*."
    3⤵
    PID:5660

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:2096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
1⤵
PID:5700
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2856
- C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
  C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
  2⤵
  PID:112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jfyvndyvmfrhfjmacifb.exe
1⤵
PID:4856
- C:\Users\Admin\AppData\Local\Temp\jfyvndyvmfrhfjmacifb.exe
  C:\Users\Admin\AppData\Local\Temp\jfyvndyvmfrhfjmacifb.exe
  2⤵
  PID:6100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wrjfwlfbrjujgjlyzea.exe .
1⤵
PID:4356
- C:\Users\Admin\AppData\Local\Temp\wrjfwlfbrjujgjlyzea.exe
  C:\Users\Admin\AppData\Local\Temp\wrjfwlfbrjujgjlyzea.exe .
  2⤵
  PID:3792
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\wrjfwlfbrjujgjlyzea.exe*."
    3⤵
    PID:224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe .
1⤵
PID:2924
- C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe .
  2⤵
  PID:5356
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\qbtnlvrlypznjlmyyc.exe*."
    3⤵
    PID:3412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c obvrrdbxmfrhfjmacikx.exe
1⤵
PID:5800
- C:\Windows\obvrrdbxmfrhfjmacikx.exe
  obvrrdbxmfrhfjmacikx.exe
  2⤵
  PID:5680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qbtnlvrlypznjlmyyc.exe .
1⤵
PID:844
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5768
- C:\Windows\qbtnlvrlypznjlmyyc.exe
  qbtnlvrlypznjlmyyc.exe .
  2⤵
  PID:3936
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\qbtnlvrlypznjlmyyc.exe*."
    3⤵
    PID:1460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c obvrrdbxmfrhfjmacikx.exe
1⤵
PID:3836
- C:\Windows\obvrrdbxmfrhfjmacikx.exe
  obvrrdbxmfrhfjmacikx.exe
  2⤵
  PID:1672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c drmjkxwtjdqhglpehorfa.exe .
1⤵
PID:2244
- C:\Windows\drmjkxwtjdqhglpehorfa.exe
  drmjkxwtjdqhglpehorfa.exe .
  2⤵
  PID:3692
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\drmjkxwtjdqhglpehorfa.exe*."
    3⤵
    PID:5032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe
1⤵
PID:4720
- C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe
  C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe
  2⤵
  PID:5928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe .
1⤵
PID:5316
- C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe .
  2⤵
  PID:6056
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\ajzrnvphshpbvvue.exe*."
    3⤵
    PID:4844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
1⤵
PID:5520
- C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
  2⤵
  PID:3484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe .
1⤵
PID:4724
- C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
  C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe .
  2⤵
  PID:4912
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bngbalidrjujgjlyzef.exe*."
    3⤵
    PID:2164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qbtnlvrlypznjlmyyc.exe
1⤵
PID:4380
- C:\Windows\qbtnlvrlypznjlmyyc.exe
  qbtnlvrlypznjlmyyc.exe
  2⤵
  PID:1628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bngbalidrjujgjlyzef.exe .
1⤵
PID:4792
- C:\Windows\bngbalidrjujgjlyzef.exe
  bngbalidrjujgjlyzef.exe .
  2⤵
  PID:4980
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bngbalidrjujgjlyzef.exe*."
    3⤵
    PID:3308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c obvrrdbxmfrhfjmacikx.exe
1⤵
PID:3520
- C:\Windows\obvrrdbxmfrhfjmacikx.exe
  obvrrdbxmfrhfjmacikx.exe
  2⤵
  PID:652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c drmjkxwtjdqhglpehorfa.exe .
1⤵
PID:5836
- C:\Windows\drmjkxwtjdqhglpehorfa.exe
  drmjkxwtjdqhglpehorfa.exe .
  2⤵
  PID:3024
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\drmjkxwtjdqhglpehorfa.exe*."
    3⤵
    PID:5536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe
1⤵
PID:2344
- C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe
  2⤵
  PID:4828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe .
1⤵
PID:8
- C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
  C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe .
  2⤵
  PID:2628
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bngbalidrjujgjlyzef.exe*."
    3⤵
    PID:1060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bngbalidrjujgjlyzef.exe
1⤵
PID:112
- C:\Windows\bngbalidrjujgjlyzef.exe
  bngbalidrjujgjlyzef.exe
  2⤵
  PID:2800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe
1⤵
PID:1096
- C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe
  2⤵
  PID:4640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hribyhcvhxgtoppaz.exe .
1⤵
PID:2480
- C:\Windows\hribyhcvhxgtoppaz.exe
  hribyhcvhxgtoppaz.exe .
  2⤵
  PID:5328
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\hribyhcvhxgtoppaz.exe*."
    3⤵
    PID:5800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe .
1⤵
PID:5892
- C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe
  C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe .
  2⤵
  PID:4976
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\drmjkxwtjdqhglpehorfa.exe*."
    3⤵
    PID:1068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c obvrrdbxmfrhfjmacikx.exe
1⤵
PID:4788
- C:\Windows\obvrrdbxmfrhfjmacikx.exe
  obvrrdbxmfrhfjmacikx.exe
  2⤵
  PID:1988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c drmjkxwtjdqhglpehorfa.exe
1⤵
PID:1480
- C:\Windows\drmjkxwtjdqhglpehorfa.exe
  drmjkxwtjdqhglpehorfa.exe
  2⤵
  PID:4072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bngbalidrjujgjlyzef.exe .
1⤵
PID:1404
- C:\Windows\bngbalidrjujgjlyzef.exe
  bngbalidrjujgjlyzef.exe .
  2⤵
  PID:2864
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bngbalidrjujgjlyzef.exe*."
    3⤵
    PID:5520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bngbalidrjujgjlyzef.exe .
1⤵
PID:4084
- C:\Windows\bngbalidrjujgjlyzef.exe
  bngbalidrjujgjlyzef.exe .
  2⤵
  PID:4848
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bngbalidrjujgjlyzef.exe*."
    3⤵
    PID:4912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe
1⤵
PID:4864
- C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe
  2⤵
  PID:1548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qbtnlvrlypznjlmyyc.exe
1⤵
PID:1452
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1672
- C:\Windows\qbtnlvrlypznjlmyyc.exe
  qbtnlvrlypznjlmyyc.exe
  2⤵
  PID:5924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obvrrdbxmfrhfjmacikx.exe .
1⤵
PID:3836
- C:\Users\Admin\AppData\Local\Temp\obvrrdbxmfrhfjmacikx.exe
  C:\Users\Admin\AppData\Local\Temp\obvrrdbxmfrhfjmacikx.exe .
  2⤵
  PID:5596
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\obvrrdbxmfrhfjmacikx.exe*."
    3⤵
    PID:3940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c drmjkxwtjdqhglpehorfa.exe .
1⤵
PID:4896
- C:\Windows\drmjkxwtjdqhglpehorfa.exe
  drmjkxwtjdqhglpehorfa.exe .
  2⤵
  PID:5664
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\drmjkxwtjdqhglpehorfa.exe*."
    3⤵
    PID:1568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
1⤵
PID:4720
- C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
  2⤵
  PID:1232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe .
1⤵
PID:1164
- C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe .
  2⤵
  PID:2024
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\hribyhcvhxgtoppaz.exe*."
    3⤵
    PID:2304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe
1⤵
PID:2316
- C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe
  2⤵
  PID:3556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bngbalidrjujgjlyzef.exe
1⤵
PID:2328
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5964
- C:\Windows\bngbalidrjujgjlyzef.exe
  bngbalidrjujgjlyzef.exe
  2⤵
  PID:3704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe .
1⤵
PID:3384
- C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe .
  2⤵
  PID:5536
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\hribyhcvhxgtoppaz.exe*."
    3⤵
    PID:4836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hribyhcvhxgtoppaz.exe .
1⤵
PID:4748
- C:\Windows\hribyhcvhxgtoppaz.exe
  hribyhcvhxgtoppaz.exe .
  2⤵
  PID:2044
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\hribyhcvhxgtoppaz.exe*."
    3⤵
    PID:1876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
1⤵
PID:2016
- C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
  C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
  2⤵
  PID:4180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe .
1⤵
PID:4852
- C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe
  C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe .
  2⤵
  PID:3736
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\drmjkxwtjdqhglpehorfa.exe*."
    3⤵
    PID:1204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hribyhcvhxgtoppaz.exe
1⤵
PID:2212
- C:\Windows\hribyhcvhxgtoppaz.exe
  hribyhcvhxgtoppaz.exe
  2⤵
  PID:8

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qbtnlvrlypznjlmyyc.exe .
1⤵
PID:2752
- C:\Windows\qbtnlvrlypznjlmyyc.exe
  qbtnlvrlypznjlmyyc.exe .
  2⤵
  PID:2004
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\qbtnlvrlypznjlmyyc.exe*."
    3⤵
    PID:1408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
1⤵
PID:5128
- C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
  C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
  2⤵
  PID:1412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe .
1⤵
PID:4872
- C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
  C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe .
  2⤵
  PID:5772
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bngbalidrjujgjlyzef.exe*."
    3⤵
    PID:4816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe
1⤵
PID:3432
- C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe
  2⤵
  PID:3464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe .
1⤵
PID:4592
- C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe .
  2⤵
  PID:4492
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\hribyhcvhxgtoppaz.exe*."
    3⤵
    PID:2852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c obvrrdbxmfrhfjmacikx.exe
1⤵
PID:4832
- C:\Windows\obvrrdbxmfrhfjmacikx.exe
  obvrrdbxmfrhfjmacikx.exe
  2⤵
  PID:3196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hribyhcvhxgtoppaz.exe .
1⤵
PID:1184
- C:\Windows\hribyhcvhxgtoppaz.exe
  hribyhcvhxgtoppaz.exe .
  2⤵
  PID:60
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\hribyhcvhxgtoppaz.exe*."
    3⤵
    PID:1548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bngbalidrjujgjlyzef.exe
1⤵
PID:2780
- C:\Windows\bngbalidrjujgjlyzef.exe
  bngbalidrjujgjlyzef.exe
  2⤵
  PID:5008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hribyhcvhxgtoppaz.exe .
1⤵
PID:3324
- C:\Windows\hribyhcvhxgtoppaz.exe
  hribyhcvhxgtoppaz.exe .
  2⤵
  PID:4700
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\hribyhcvhxgtoppaz.exe*."
    3⤵
    PID:2184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe
1⤵
PID:5020
- C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe
  2⤵
  PID:752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe .
1⤵
PID:1992
- C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe
  C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe .
  2⤵
  PID:400
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\drmjkxwtjdqhglpehorfa.exe*."
    3⤵
    PID:4044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
1⤵
PID:2316
- C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
  C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
  2⤵
  PID:4744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe .
1⤵
PID:1688
- C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
  C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe .
  2⤵
  PID:5596
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bngbalidrjujgjlyzef.exe*."
    3⤵
    PID:5248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qbtnlvrlypznjlmyyc.exe
1⤵
PID:2996
- C:\Windows\qbtnlvrlypznjlmyyc.exe
  qbtnlvrlypznjlmyyc.exe
  2⤵
  PID:5476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ajzrnvphshpbvvue.exe .
1⤵
PID:1164
- C:\Windows\ajzrnvphshpbvvue.exe
  ajzrnvphshpbvvue.exe .
  2⤵
  PID:4844
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\ajzrnvphshpbvvue.exe*."
    3⤵
    PID:1996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ajzrnvphshpbvvue.exe
1⤵
PID:4436
- C:\Windows\ajzrnvphshpbvvue.exe
  ajzrnvphshpbvvue.exe
  2⤵
  PID:808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c drmjkxwtjdqhglpehorfa.exe .
1⤵
PID:1000
- C:\Windows\drmjkxwtjdqhglpehorfa.exe
  drmjkxwtjdqhglpehorfa.exe .
  2⤵
  PID:5100
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\drmjkxwtjdqhglpehorfa.exe*."
    3⤵
    PID:2980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
1⤵
PID:2972
- C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
  2⤵
  PID:3616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe .
1⤵
PID:5356
- C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe .
  2⤵
  PID:1636
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\ajzrnvphshpbvvue.exe*."
    3⤵
    PID:5328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
1⤵
PID:5660
- C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
  2⤵
  PID:3540

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:5340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe .
1⤵
PID:2696
- C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
  C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe .
  2⤵
  PID:2772
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bngbalidrjujgjlyzef.exe*."
    3⤵
    PID:3656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bngbalidrjujgjlyzef.exe
1⤵
PID:3164
- C:\Windows\bngbalidrjujgjlyzef.exe
  bngbalidrjujgjlyzef.exe
  2⤵
  PID:2320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hribyhcvhxgtoppaz.exe .
1⤵
PID:5052
- C:\Windows\hribyhcvhxgtoppaz.exe
  hribyhcvhxgtoppaz.exe .
  2⤵
  PID:1404
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\hribyhcvhxgtoppaz.exe*."
    3⤵
    PID:3480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hribyhcvhxgtoppaz.exe
1⤵
PID:1628
- C:\Windows\hribyhcvhxgtoppaz.exe
  hribyhcvhxgtoppaz.exe
  2⤵
  PID:5512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hribyhcvhxgtoppaz.exe .
1⤵
PID:2020
- C:\Windows\hribyhcvhxgtoppaz.exe
  hribyhcvhxgtoppaz.exe .
  2⤵
  PID:4460
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\hribyhcvhxgtoppaz.exe*."
    3⤵
    PID:3672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe
1⤵
PID:4760
- C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe
  2⤵
  PID:4720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe .
1⤵
PID:2780
- C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
  C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe .
  2⤵
  PID:3936
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bngbalidrjujgjlyzef.exe*."
    3⤵
    PID:3972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe
1⤵
PID:3104
- C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe
  C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe
  2⤵
  PID:1424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obvrrdbxmfrhfjmacikx.exe .
1⤵
PID:4680
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4184
- C:\Users\Admin\AppData\Local\Temp\obvrrdbxmfrhfjmacikx.exe
  C:\Users\Admin\AppData\Local\Temp\obvrrdbxmfrhfjmacikx.exe .
  2⤵
  PID:2024
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\obvrrdbxmfrhfjmacikx.exe*."
    3⤵
    PID:4420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wrjfwlfbrjujgjlyzea.exe
1⤵
PID:2244
- C:\Windows\wrjfwlfbrjujgjlyzea.exe
  wrjfwlfbrjujgjlyzea.exe
  2⤵
  PID:4640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c lfwrhvojypznjlmyyc.exe .
1⤵
PID:1248
- C:\Windows\lfwrhvojypznjlmyyc.exe
  lfwrhvojypznjlmyyc.exe .
  2⤵
  PID:3024
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\lfwrhvojypznjlmyyc.exe*."
    3⤵
    PID:5064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c lfwrhvojypznjlmyyc.exe
1⤵
PID:1876
- C:\Windows\lfwrhvojypznjlmyyc.exe
  lfwrhvojypznjlmyyc.exe
  2⤵
  PID:4936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c lfwrhvojypznjlmyyc.exe .
1⤵
PID:2616
- C:\Windows\lfwrhvojypznjlmyyc.exe
  lfwrhvojypznjlmyyc.exe .
  2⤵
  PID:808
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\lfwrhvojypznjlmyyc.exe*."
    3⤵
    PID:3528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ajzrnvphshpbvvue.exe
1⤵
PID:2212
- C:\Windows\ajzrnvphshpbvvue.exe
  ajzrnvphshpbvvue.exe
  2⤵
  PID:1716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfwrhvojypznjlmyyc.exe
1⤵
PID:5032
- C:\Users\Admin\AppData\Local\Temp\lfwrhvojypznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\lfwrhvojypznjlmyyc.exe
  2⤵
  PID:5276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfwrhvojypznjlmyyc.exe .
1⤵
PID:2164
- C:\Users\Admin\AppData\Local\Temp\lfwrhvojypznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\lfwrhvojypznjlmyyc.exe .
  2⤵
  PID:3464
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\lfwrhvojypznjlmyyc.exe*."
    3⤵
    PID:5356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qbtnlvrlypznjlmyyc.exe .
1⤵
PID:4856
- C:\Windows\qbtnlvrlypznjlmyyc.exe
  qbtnlvrlypznjlmyyc.exe .
  2⤵
  PID:5704
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\qbtnlvrlypznjlmyyc.exe*."
    3⤵
    PID:5700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bngbalidrjujgjlyzef.exe
1⤵
PID:5820
- C:\Windows\bngbalidrjujgjlyzef.exe
  bngbalidrjujgjlyzef.exe
  2⤵
  PID:4600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yvpngxtrjdqhglpehomjd.exe
1⤵
PID:4492
- C:\Users\Admin\AppData\Local\Temp\yvpngxtrjdqhglpehomjd.exe
  C:\Users\Admin\AppData\Local\Temp\yvpngxtrjdqhglpehomjd.exe
  2⤵
  PID:408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c obvrrdbxmfrhfjmacikx.exe .
1⤵
PID:604
- C:\Windows\obvrrdbxmfrhfjmacikx.exe
  obvrrdbxmfrhfjmacikx.exe .
  2⤵
  PID:4500
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\obvrrdbxmfrhfjmacikx.exe*."
    3⤵
    PID:1184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wrjfwlfbrjujgjlyzea.exe .
1⤵
PID:2984
- C:\Users\Admin\AppData\Local\Temp\wrjfwlfbrjujgjlyzea.exe
  C:\Users\Admin\AppData\Local\Temp\wrjfwlfbrjujgjlyzea.exe .
  2⤵
  PID:5924
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\wrjfwlfbrjujgjlyzea.exe*."
    3⤵
    PID:4176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
1⤵
PID:1852
- C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
  2⤵
  PID:3976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe .
1⤵
PID:4584
- C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
  C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe .
  2⤵
  PID:2848
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bngbalidrjujgjlyzef.exe*."
    3⤵
    PID:5684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe
1⤵
PID:5600
- C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe
  C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe
  2⤵
  PID:1588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe .
1⤵
PID:748
- C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe
  C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe .
  2⤵
  PID:5312
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\drmjkxwtjdqhglpehorfa.exe*."
    3⤵
    PID:5020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c drmjkxwtjdqhglpehorfa.exe
1⤵
PID:1724
- C:\Windows\drmjkxwtjdqhglpehorfa.exe
  drmjkxwtjdqhglpehorfa.exe
  2⤵
  PID:5260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ajzrnvphshpbvvue.exe .
1⤵
PID:2728
- C:\Windows\ajzrnvphshpbvvue.exe
  ajzrnvphshpbvvue.exe .
  2⤵
  PID:5668
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\ajzrnvphshpbvvue.exe*."
    3⤵
    PID:1844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ajzrnvphshpbvvue.exe
1⤵
PID:4580
- C:\Windows\ajzrnvphshpbvvue.exe
  ajzrnvphshpbvvue.exe
  2⤵
  PID:1688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c drmjkxwtjdqhglpehorfa.exe .
1⤵
PID:3420
- C:\Windows\drmjkxwtjdqhglpehorfa.exe
  drmjkxwtjdqhglpehorfa.exe .
  2⤵
  PID:5972
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\drmjkxwtjdqhglpehorfa.exe*."
    3⤵
    PID:5212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
1⤵
PID:976
- C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
  C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
  2⤵
  PID:5024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe .
1⤵
PID:2788
- C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
  C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe .
  2⤵
  PID:5348
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bngbalidrjujgjlyzef.exe*."
    3⤵
    PID:3152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe
1⤵
PID:4180
- C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe
  2⤵
  PID:5508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe .
1⤵
PID:368
- C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe .
  2⤵
  PID:4764
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\hribyhcvhxgtoppaz.exe*."
    3⤵
    PID:512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c drmjkxwtjdqhglpehorfa.exe
1⤵
PID:5356
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4828
- C:\Windows\drmjkxwtjdqhglpehorfa.exe
  drmjkxwtjdqhglpehorfa.exe
  2⤵
  PID:1988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ajzrnvphshpbvvue.exe .
1⤵
PID:4948
- C:\Windows\ajzrnvphshpbvvue.exe
  ajzrnvphshpbvvue.exe .
  2⤵
  PID:2740
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\ajzrnvphshpbvvue.exe*."
    3⤵
    PID:640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bngbalidrjujgjlyzef.exe
1⤵
PID:4600
- C:\Windows\bngbalidrjujgjlyzef.exe
  bngbalidrjujgjlyzef.exe
  2⤵
  PID:1200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bngbalidrjujgjlyzef.exe
1⤵
PID:4848
- C:\Windows\bngbalidrjujgjlyzef.exe
  bngbalidrjujgjlyzef.exe
  2⤵
  PID:1184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c drmjkxwtjdqhglpehorfa.exe .
1⤵
PID:6056
- C:\Windows\drmjkxwtjdqhglpehorfa.exe
  drmjkxwtjdqhglpehorfa.exe .
  2⤵
  PID:1584
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\drmjkxwtjdqhglpehorfa.exe*."
    3⤵
    PID:752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
1⤵
PID:4076
- C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
  2⤵
  PID:5824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obvrrdbxmfrhfjmacikx.exe .
1⤵
PID:5924
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3244
- C:\Users\Admin\AppData\Local\Temp\obvrrdbxmfrhfjmacikx.exe
  C:\Users\Admin\AppData\Local\Temp\obvrrdbxmfrhfjmacikx.exe .
  2⤵
  PID:208
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\obvrrdbxmfrhfjmacikx.exe*."
    3⤵
    PID:2020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bngbalidrjujgjlyzef.exe .
1⤵
PID:3556
- C:\Windows\bngbalidrjujgjlyzef.exe
  bngbalidrjujgjlyzef.exe .
  2⤵
  PID:2848
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bngbalidrjujgjlyzef.exe*."
    3⤵
    PID:5928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bngbalidrjujgjlyzef.exe
1⤵
PID:5768
- C:\Windows\bngbalidrjujgjlyzef.exe
  bngbalidrjujgjlyzef.exe
  2⤵
  PID:2104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c obvrrdbxmfrhfjmacikx.exe
1⤵
PID:4460
- C:\Windows\obvrrdbxmfrhfjmacikx.exe
  obvrrdbxmfrhfjmacikx.exe
  2⤵
  PID:1244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bngbalidrjujgjlyzef.exe .
1⤵
PID:1300
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:6124
- C:\Windows\bngbalidrjujgjlyzef.exe
  bngbalidrjujgjlyzef.exe .
  2⤵
  PID:1688
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bngbalidrjujgjlyzef.exe*."
    3⤵
    PID:3308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe
1⤵
PID:1500
- C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe
  2⤵
  PID:3656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe .
1⤵
PID:3884
- C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
  C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe .
  2⤵
  PID:1164
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bngbalidrjujgjlyzef.exe*."
    3⤵
    PID:5236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe
1⤵
PID:5260
- C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe
  2⤵
  PID:4192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c drmjkxwtjdqhglpehorfa.exe .
1⤵
PID:6140
- C:\Windows\drmjkxwtjdqhglpehorfa.exe
  drmjkxwtjdqhglpehorfa.exe .
  2⤵
  PID:2044
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\drmjkxwtjdqhglpehorfa.exe*."
    3⤵
    PID:1248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe .
1⤵
PID:2512
- C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe .
  2⤵
  PID:4680
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\hribyhcvhxgtoppaz.exe*."
    3⤵
    PID:4524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hribyhcvhxgtoppaz.exe
1⤵
PID:1364
- C:\Windows\hribyhcvhxgtoppaz.exe
  hribyhcvhxgtoppaz.exe
  2⤵
  PID:2444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ajzrnvphshpbvvue.exe .
1⤵
PID:1456
- C:\Windows\ajzrnvphshpbvvue.exe
  ajzrnvphshpbvvue.exe .
  2⤵
  PID:4764
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\ajzrnvphshpbvvue.exe*."
    3⤵
    PID:696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
1⤵
PID:2016
- C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
  C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
  2⤵
  PID:4432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
1⤵
PID:3500
- C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
  C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
  2⤵
  PID:2456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obvrrdbxmfrhfjmacikx.exe .
1⤵
PID:4564
- C:\Users\Admin\AppData\Local\Temp\obvrrdbxmfrhfjmacikx.exe
  C:\Users\Admin\AppData\Local\Temp\obvrrdbxmfrhfjmacikx.exe .
  2⤵
  PID:1468
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\obvrrdbxmfrhfjmacikx.exe*."
    3⤵
    PID:4960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe .
1⤵
PID:3924
- C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
  C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe .
  2⤵
  PID:2352
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bngbalidrjujgjlyzef.exe*."
    3⤵
    PID:3412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hribyhcvhxgtoppaz.exe
1⤵
PID:4452
- C:\Windows\hribyhcvhxgtoppaz.exe
  hribyhcvhxgtoppaz.exe
  2⤵
  PID:6056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe
1⤵
PID:3432
- C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe
  C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe
  2⤵
  PID:5216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe .
1⤵
PID:5112
- C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe .
  2⤵
  PID:5248
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\qbtnlvrlypznjlmyyc.exe*."
    3⤵
    PID:520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ajzrnvphshpbvvue.exe .
1⤵
PID:5700
- C:\Windows\ajzrnvphshpbvvue.exe
  ajzrnvphshpbvvue.exe .
  2⤵
  PID:5372
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\ajzrnvphshpbvvue.exe*."
    3⤵
    PID:752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hribyhcvhxgtoppaz.exe
1⤵
PID:6016
- C:\Windows\hribyhcvhxgtoppaz.exe
  hribyhcvhxgtoppaz.exe
  2⤵
  PID:2480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c obvrrdbxmfrhfjmacikx.exe .
1⤵
PID:4500
- C:\Windows\obvrrdbxmfrhfjmacikx.exe
  obvrrdbxmfrhfjmacikx.exe .
  2⤵
  PID:3196
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\obvrrdbxmfrhfjmacikx.exe*."
    3⤵
    PID:4584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
1⤵
PID:4092
- C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
  2⤵
  PID:4176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe .
1⤵
PID:2020
- C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
  C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe .
  2⤵
  PID:4776
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bngbalidrjujgjlyzef.exe*."
    3⤵
    PID:2572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
1⤵
PID:1536
- C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
  C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
  2⤵
  PID:6080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe .
1⤵
PID:4448
- C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe .
  2⤵
  PID:4744
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\hribyhcvhxgtoppaz.exe*."
    3⤵
    PID:468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c obvrrdbxmfrhfjmacikx.exe
1⤵
PID:5024
- C:\Windows\obvrrdbxmfrhfjmacikx.exe
  obvrrdbxmfrhfjmacikx.exe
  2⤵
  PID:4988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qbtnlvrlypznjlmyyc.exe .
1⤵
PID:1052
- C:\Windows\qbtnlvrlypznjlmyyc.exe
  qbtnlvrlypznjlmyyc.exe .
  2⤵
  PID:3280
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\qbtnlvrlypznjlmyyc.exe*."
    3⤵
    PID:5524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c drmjkxwtjdqhglpehorfa.exe
1⤵
PID:4004
- C:\Windows\drmjkxwtjdqhglpehorfa.exe
  drmjkxwtjdqhglpehorfa.exe
  2⤵
  PID:4788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hribyhcvhxgtoppaz.exe .
1⤵
PID:4628
- C:\Windows\hribyhcvhxgtoppaz.exe
  hribyhcvhxgtoppaz.exe .
  2⤵
  PID:4968
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\hribyhcvhxgtoppaz.exe*."
    3⤵
    PID:1904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
1⤵
PID:3384
- C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
  2⤵
  PID:3504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe .
1⤵
PID:2728
- C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe
  C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe .
  2⤵
  PID:4168
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\drmjkxwtjdqhglpehorfa.exe*."
    3⤵
    PID:4880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe
1⤵
PID:3736
- C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe
  C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe
  2⤵
  PID:2108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe .
1⤵
PID:1160
- C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe .
  2⤵
  PID:1468
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\hribyhcvhxgtoppaz.exe*."
    3⤵
    PID:872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c drmjkxwtjdqhglpehorfa.exe
1⤵
PID:5216
- C:\Windows\drmjkxwtjdqhglpehorfa.exe
  drmjkxwtjdqhglpehorfa.exe
  2⤵
  PID:3420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c drmjkxwtjdqhglpehorfa.exe .
1⤵
PID:1456
- C:\Windows\drmjkxwtjdqhglpehorfa.exe
  drmjkxwtjdqhglpehorfa.exe .
  2⤵
  PID:2384
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\drmjkxwtjdqhglpehorfa.exe*."
    3⤵
    PID:3632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c obvrrdbxmfrhfjmacikx.exe
1⤵
PID:5564
- C:\Windows\obvrrdbxmfrhfjmacikx.exe
  obvrrdbxmfrhfjmacikx.exe
  2⤵
  PID:3888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c obvrrdbxmfrhfjmacikx.exe .
1⤵
PID:3044
- C:\Windows\obvrrdbxmfrhfjmacikx.exe
  obvrrdbxmfrhfjmacikx.exe .
  2⤵
  PID:4308
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\obvrrdbxmfrhfjmacikx.exe*."
    3⤵
    PID:1512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
1⤵
PID:5112
- C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
  2⤵
  PID:3792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe .
1⤵
PID:3732
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1672
- C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe .
  2⤵
  PID:2076
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\hribyhcvhxgtoppaz.exe*."
    3⤵
    PID:2444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
1⤵
PID:4980
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2304
- C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
  2⤵
  PID:1992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe .
1⤵
PID:2040
- C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe .
  2⤵
  PID:4248
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\qbtnlvrlypznjlmyyc.exe*."
    3⤵
    PID:1852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qbtnlvrlypznjlmyyc.exe
1⤵
PID:5964
- C:\Windows\qbtnlvrlypznjlmyyc.exe
  qbtnlvrlypznjlmyyc.exe
  2⤵
  PID:3276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c obvrrdbxmfrhfjmacikx.exe .
1⤵
PID:1592
- C:\Windows\obvrrdbxmfrhfjmacikx.exe
  obvrrdbxmfrhfjmacikx.exe .
  2⤵
  PID:4728
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\obvrrdbxmfrhfjmacikx.exe*."
    3⤵
    PID:1824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qbtnlvrlypznjlmyyc.exe
1⤵
PID:1500
- C:\Windows\qbtnlvrlypznjlmyyc.exe
  qbtnlvrlypznjlmyyc.exe
  2⤵
  PID:2768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qbtnlvrlypznjlmyyc.exe .
1⤵
PID:5476
- C:\Windows\qbtnlvrlypznjlmyyc.exe
  qbtnlvrlypznjlmyyc.exe .
  2⤵
  PID:1628
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\qbtnlvrlypznjlmyyc.exe*."
    3⤵
    PID:1728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe
1⤵
PID:5260
- C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe
  2⤵
  PID:4788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe .
1⤵
PID:3280
- C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe .
  2⤵
  PID:1972
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\hribyhcvhxgtoppaz.exe*."
    3⤵
    PID:1408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jfyvndyvmfrhfjmacifb.exe
1⤵
PID:1732
- C:\Windows\jfyvndyvmfrhfjmacifb.exe
  jfyvndyvmfrhfjmacifb.exe
  2⤵
  PID:1248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yvpngxtrjdqhglpehomjd.exe .
1⤵
PID:4968
- C:\Windows\yvpngxtrjdqhglpehomjd.exe
  yvpngxtrjdqhglpehomjd.exe .
  2⤵
  PID:6068
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\yvpngxtrjdqhglpehomjd.exe*."
    3⤵
    PID:2772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe
1⤵
PID:5832
- C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe
  2⤵
  PID:4840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obvrrdbxmfrhfjmacikx.exe .
1⤵
PID:2372
- C:\Users\Admin\AppData\Local\Temp\obvrrdbxmfrhfjmacikx.exe
  C:\Users\Admin\AppData\Local\Temp\obvrrdbxmfrhfjmacikx.exe .
  2⤵
  PID:5820
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\obvrrdbxmfrhfjmacikx.exe*."
    3⤵
    PID:5136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yvpngxtrjdqhglpehomjd.exe
1⤵
PID:3860
- C:\Windows\yvpngxtrjdqhglpehomjd.exe
  yvpngxtrjdqhglpehomjd.exe
  2⤵
  PID:3412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wrjfwlfbrjujgjlyzea.exe .
1⤵
PID:5568
- C:\Windows\wrjfwlfbrjujgjlyzea.exe
  wrjfwlfbrjujgjlyzea.exe .
  2⤵
  PID:5240
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\wrjfwlfbrjujgjlyzea.exe*."
    3⤵
    PID:3924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lfwrhvojypznjlmyyc.exe
1⤵
PID:2352
- C:\Users\Admin\AppData\Local\Temp\lfwrhvojypznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\lfwrhvojypznjlmyyc.exe
  2⤵
  PID:1636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jfyvndyvmfrhfjmacifb.exe .
1⤵
PID:4384
- C:\Users\Admin\AppData\Local\Temp\jfyvndyvmfrhfjmacifb.exe
  C:\Users\Admin\AppData\Local\Temp\jfyvndyvmfrhfjmacifb.exe .
  2⤵
  PID:2344
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\jfyvndyvmfrhfjmacifb.exe*."
    3⤵
    PID:3396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hribyhcvhxgtoppaz.exe
1⤵
PID:3804
- C:\Windows\hribyhcvhxgtoppaz.exe
  hribyhcvhxgtoppaz.exe
  2⤵
  PID:5512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yvpngxtrjdqhglpehomjd.exe
1⤵
PID:3140
- C:\Users\Admin\AppData\Local\Temp\yvpngxtrjdqhglpehomjd.exe
  C:\Users\Admin\AppData\Local\Temp\yvpngxtrjdqhglpehomjd.exe
  2⤵
  PID:4452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cvlfuhzthxgtoppaz.exe .
1⤵
PID:1068
- C:\Users\Admin\AppData\Local\Temp\cvlfuhzthxgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\cvlfuhzthxgtoppaz.exe .
  2⤵
  PID:5780
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\cvlfuhzthxgtoppaz.exe*."
    3⤵
    PID:1452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c drmjkxwtjdqhglpehorfa.exe .
1⤵
PID:5052
- C:\Windows\drmjkxwtjdqhglpehorfa.exe
  drmjkxwtjdqhglpehorfa.exe .
  2⤵
  PID:4848
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\drmjkxwtjdqhglpehorfa.exe*."
    3⤵
    PID:2628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c drmjkxwtjdqhglpehorfa.exe
1⤵
PID:2248
- C:\Windows\drmjkxwtjdqhglpehorfa.exe
  drmjkxwtjdqhglpehorfa.exe
  2⤵
  PID:844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ajzrnvphshpbvvue.exe .
1⤵
PID:4748
- C:\Windows\ajzrnvphshpbvvue.exe
  ajzrnvphshpbvvue.exe .
  2⤵
  PID:4500
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\ajzrnvphshpbvvue.exe*."
    3⤵
    PID:2020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
1⤵
PID:5740
- C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
  C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
  2⤵
  PID:3276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obvrrdbxmfrhfjmacikx.exe .
1⤵
PID:3672
- C:\Users\Admin\AppData\Local\Temp\obvrrdbxmfrhfjmacikx.exe
  C:\Users\Admin\AppData\Local\Temp\obvrrdbxmfrhfjmacikx.exe .
  2⤵
  PID:4592
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\obvrrdbxmfrhfjmacikx.exe*."
    3⤵
    PID:5792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe
1⤵
PID:4640
- C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe
  2⤵
  PID:5840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe .
1⤵
PID:3480
- C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
  C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe .
  2⤵
  PID:1844
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bngbalidrjujgjlyzef.exe*."
    3⤵
    PID:400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bngbalidrjujgjlyzef.exe
1⤵
PID:2680
- C:\Windows\bngbalidrjujgjlyzef.exe
  bngbalidrjujgjlyzef.exe
  2⤵
  PID:5212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bngbalidrjujgjlyzef.exe .
1⤵
PID:1628
- C:\Windows\bngbalidrjujgjlyzef.exe
  bngbalidrjujgjlyzef.exe .
  2⤵
  PID:3940
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bngbalidrjujgjlyzef.exe*."
    3⤵
    PID:5596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hribyhcvhxgtoppaz.exe
1⤵
PID:4524
- C:\Windows\hribyhcvhxgtoppaz.exe
  hribyhcvhxgtoppaz.exe
  2⤵
  PID:4864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qbtnlvrlypznjlmyyc.exe .
1⤵
PID:4976
- C:\Windows\qbtnlvrlypznjlmyyc.exe
  qbtnlvrlypznjlmyyc.exe .
  2⤵
  PID:3844
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\qbtnlvrlypznjlmyyc.exe*."
    3⤵
    PID:2456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe
1⤵
PID:5696
- C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe
  2⤵
  PID:1696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe .
1⤵
PID:4880
- C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe .
  2⤵
  PID:3736
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\qbtnlvrlypznjlmyyc.exe*."
    3⤵
    PID:2044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
1⤵
PID:5920
- C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
  2⤵
  PID:560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe .
1⤵
PID:1160
- C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe .
  2⤵
  PID:5020
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\ajzrnvphshpbvvue.exe*."
    3⤵
    PID:3836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bngbalidrjujgjlyzef.exe
1⤵
PID:4000
- C:\Windows\bngbalidrjujgjlyzef.exe
  bngbalidrjujgjlyzef.exe
  2⤵
  PID:1468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c drmjkxwtjdqhglpehorfa.exe
1⤵
PID:4208
- C:\Windows\drmjkxwtjdqhglpehorfa.exe
  drmjkxwtjdqhglpehorfa.exe
  2⤵
  PID:1892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c obvrrdbxmfrhfjmacikx.exe .
1⤵
PID:5124
- C:\Windows\obvrrdbxmfrhfjmacikx.exe
  obvrrdbxmfrhfjmacikx.exe .
  2⤵
  PID:3628
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\obvrrdbxmfrhfjmacikx.exe*."
    3⤵
    PID:1200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c drmjkxwtjdqhglpehorfa.exe .
1⤵
PID:3432
- C:\Windows\drmjkxwtjdqhglpehorfa.exe
  drmjkxwtjdqhglpehorfa.exe .
  2⤵
  PID:1184
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\drmjkxwtjdqhglpehorfa.exe*."
    3⤵
    PID:1452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c drmjkxwtjdqhglpehorfa.exe
1⤵
PID:1584
- C:\Windows\drmjkxwtjdqhglpehorfa.exe
  drmjkxwtjdqhglpehorfa.exe
  2⤵
  PID:3636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bngbalidrjujgjlyzef.exe
1⤵
PID:5248
- C:\Windows\bngbalidrjujgjlyzef.exe
  bngbalidrjujgjlyzef.exe
  2⤵
  PID:3816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ajzrnvphshpbvvue.exe .
1⤵
PID:1992
- C:\Windows\ajzrnvphshpbvvue.exe
  ajzrnvphshpbvvue.exe .
  2⤵
  PID:4812
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\ajzrnvphshpbvvue.exe*."
    3⤵
    PID:4460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c obvrrdbxmfrhfjmacikx.exe .
1⤵
PID:5664
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1068
- C:\Windows\obvrrdbxmfrhfjmacikx.exe
  obvrrdbxmfrhfjmacikx.exe .
  2⤵
  PID:2384
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\obvrrdbxmfrhfjmacikx.exe*."
    3⤵
    PID:3800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c obvrrdbxmfrhfjmacikx.exe
1⤵
PID:3732
- C:\Windows\obvrrdbxmfrhfjmacikx.exe
  obvrrdbxmfrhfjmacikx.exe
  2⤵
  PID:1076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obvrrdbxmfrhfjmacikx.exe
1⤵
PID:5836
- C:\Users\Admin\AppData\Local\Temp\obvrrdbxmfrhfjmacikx.exe
  C:\Users\Admin\AppData\Local\Temp\obvrrdbxmfrhfjmacikx.exe
  2⤵
  PID:2620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe
1⤵
PID:4092
- C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe
  2⤵
  PID:5288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe .
1⤵
PID:2104
- C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe .
  2⤵
  PID:5084
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\qbtnlvrlypznjlmyyc.exe*."
    3⤵
    PID:4380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe .
1⤵
PID:4952
- C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe .
  2⤵
  PID:368
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\ajzrnvphshpbvvue.exe*."
    3⤵
    PID:4000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qbtnlvrlypznjlmyyc.exe .
1⤵
PID:208
- C:\Windows\qbtnlvrlypznjlmyyc.exe
  qbtnlvrlypznjlmyyc.exe .
  2⤵
  PID:4156
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\qbtnlvrlypznjlmyyc.exe*."
    3⤵
    PID:4576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hribyhcvhxgtoppaz.exe
1⤵
PID:5928
- C:\Windows\hribyhcvhxgtoppaz.exe
  hribyhcvhxgtoppaz.exe
  2⤵
  PID:4660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
1⤵
PID:1536
- C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
  C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
  2⤵
  PID:5432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hribyhcvhxgtoppaz.exe .
1⤵
PID:4712
- C:\Windows\hribyhcvhxgtoppaz.exe
  hribyhcvhxgtoppaz.exe .
  2⤵
  PID:4936
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\hribyhcvhxgtoppaz.exe*."
    3⤵
    PID:4880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe
1⤵
PID:4724
- C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe
  2⤵
  PID:664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe .
1⤵
PID:5792
- C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\ajzrnvphshpbvvue.exe .
  2⤵
  PID:2972
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\ajzrnvphshpbvvue.exe*."
    3⤵
    PID:3924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe .
1⤵
PID:1028
- C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe .
  2⤵
  PID:3152
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\qbtnlvrlypznjlmyyc.exe*."
    3⤵
    PID:4784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
1⤵
PID:2940
- C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
  C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
  2⤵
  PID:4336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe .
1⤵
PID:924
- C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe
  C:\Users\Admin\AppData\Local\Temp\bngbalidrjujgjlyzef.exe .
  2⤵
  PID:1876
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bngbalidrjujgjlyzef.exe*."
    3⤵
    PID:560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe
1⤵
PID:2184
- C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe
  C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe
  2⤵
  PID:5356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obvrrdbxmfrhfjmacikx.exe .
1⤵
PID:4896
- C:\Users\Admin\AppData\Local\Temp\obvrrdbxmfrhfjmacikx.exe
  C:\Users\Admin\AppData\Local\Temp\obvrrdbxmfrhfjmacikx.exe .
  2⤵
  PID:5140
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\obvrrdbxmfrhfjmacikx.exe*."
    3⤵
    PID:5136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bngbalidrjujgjlyzef.exe
1⤵
PID:772
- C:\Windows\bngbalidrjujgjlyzef.exe
  bngbalidrjujgjlyzef.exe
  2⤵
  PID:5444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c obvrrdbxmfrhfjmacikx.exe .
1⤵
PID:1820
- C:\Windows\obvrrdbxmfrhfjmacikx.exe
  obvrrdbxmfrhfjmacikx.exe .
  2⤵
  PID:3440
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\obvrrdbxmfrhfjmacikx.exe*."
    3⤵
    PID:4328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hribyhcvhxgtoppaz.exe
1⤵
PID:3308
- C:\Windows\hribyhcvhxgtoppaz.exe
  hribyhcvhxgtoppaz.exe
  2⤵
  PID:4940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c drmjkxwtjdqhglpehorfa.exe .
1⤵
PID:4460
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5176
- C:\Windows\drmjkxwtjdqhglpehorfa.exe
  drmjkxwtjdqhglpehorfa.exe .
  2⤵
  PID:5704
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\drmjkxwtjdqhglpehorfa.exe*."
    3⤵
    PID:4660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe
1⤵
PID:3836
- C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe
  C:\Users\Admin\AppData\Local\Temp\drmjkxwtjdqhglpehorfa.exe
  2⤵
  PID:932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obvrrdbxmfrhfjmacikx.exe .
1⤵
PID:1952
- C:\Users\Admin\AppData\Local\Temp\obvrrdbxmfrhfjmacikx.exe
  C:\Users\Admin\AppData\Local\Temp\obvrrdbxmfrhfjmacikx.exe .
  2⤵
  PID:6056
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\obvrrdbxmfrhfjmacikx.exe*."
    3⤵
    PID:4788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
1⤵
PID:6068
- C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\hribyhcvhxgtoppaz.exe
  2⤵
  PID:5808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qbtnlvrlypznjlmyyc.exe .
1⤵
PID:4728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Modify Registry