pykspa | 6164906dbadeb6038df8acdc4bd7359289a3830591707974542964410e684c62

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	nsvchs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	nsvchs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	nsvchs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe

Pykspa
Pykspa is a worm spreads via Skype uses DGA and it's written in C++.
worm pykspa
Pykspa family
pykspa

UAC bypass 3 TTPs 19 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	nsvchs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	nsvchs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	nsvchs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	nsvchs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	nsvchs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	nsvchs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	nsvchs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	nsvchs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	nsvchs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	nsvchs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	nsvchs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	nsvchs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe

Detect Pykspa worm 2 IoCs

worm

resource	yara_rule
behavioral2/files/0x0011000000023ed5-4.dat	family_pykspa
behavioral2/files/0x000b000000023ec1-82.dat	family_pykspa

Adds policy Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\agksykp = "asicusjxvjoxusdqlle.exe"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	nsvchs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oqsenp = "dulmkbzoqekvuuhwtvriz.exe"	nsvchs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nml = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqfeaplyykoxusdqllf.exe"	nsvchs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\agksykp = "cwokeexnndkvuuhwtvqkc.exe"	nsvchs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oqsenp = "qesqlzugfqtbxueqkj.exe"	nsvchs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\agksykp = "ngxslkcrqflvtsesopjc.exe"	nsvchs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\twxc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\asicusjxvjoxusdqlle.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\twxc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cwokeexnndkvuuhwtvqkc.exe"	nsvchs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\twxc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\asicusjxvjoxusdqlle.exe"	nsvchs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\agksykp = "gwkcsodplxahcyhsl.exe"	nsvchs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	nsvchs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\agksykp = "asicusjxvjoxusdqlle.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\twxc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ngxslkcrqflvtsesopjc.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nml = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amyunzsczijpjemw.exe"	nsvchs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\agksykp = "zobshcqbwhjpjemw.exe"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	nsvchs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\agksykp = "gwkcsodplxahcyhsl.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\agksykp = "cwokeexnndkvuuhwtvqkc.exe"	nsvchs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\twxc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ngxslkcrqflvtsesopjc.exe"	nsvchs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\twxc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\asicusjxvjoxusdqlle.exe"	abqgjobtkla.exe

Disables RegEdit via registry modification 8 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	nsvchs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	nsvchs.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	nsvchs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	nsvchs.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	abqgjobtkla.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	nsvchs.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	nsvchs.exe

Checks computer location settings 2 TTPs 29 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	zobshcqbwhjpjemw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ngxslkcrqflvtsesopjc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	pgvofcsfcptbxueqkj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	asicusjxvjoxusdqlle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	zobshcqbwhjpjemw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	asicusjxvjoxusdqlle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	gwkcsodplxahcyhsl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	asicusjxvjoxusdqlle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	gwkcsodplxahcyhsl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ngxslkcrqflvtsesopjc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	asicusjxvjoxusdqlle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	asicusjxvjoxusdqlle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	asicusjxvjoxusdqlle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	cwokeexnndkvuuhwtvqkc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	abqgjobtkla.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	cwokeexnndkvuuhwtvqkc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	asicusjxvjoxusdqlle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	zobshcqbwhjpjemw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ngxslkcrqflvtsesopjc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	zobshcqbwhjpjemw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	asicusjxvjoxusdqlle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	pgvofcsfcptbxueqkj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	zobshcqbwhjpjemw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	asicusjxvjoxusdqlle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	JaffaCakes118_8f6670643f92a191cf11f597cdb31810.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	zobshcqbwhjpjemw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ngxslkcrqflvtsesopjc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	gwkcsodplxahcyhsl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	pgvofcsfcptbxueqkj.exe

Executes dropped EXE 64 IoCs

pid	Process
2644	abqgjobtkla.exe
1836	ngxslkcrqflvtsesopjc.exe
2952	asicusjxvjoxusdqlle.exe
2520	abqgjobtkla.exe
3860	asicusjxvjoxusdqlle.exe
4304	gwkcsodplxahcyhsl.exe
2588	abqgjobtkla.exe
4144	cwokeexnndkvuuhwtvqkc.exe
3184	zobshcqbwhjpjemw.exe
4004	ngxslkcrqflvtsesopjc.exe
1776	abqgjobtkla.exe
2160	ngxslkcrqflvtsesopjc.exe
3996	abqgjobtkla.exe
1248	nsvchs.exe
3964	nsvchs.exe
4392	pgvofcsfcptbxueqkj.exe
1404	pgvofcsfcptbxueqkj.exe
4396	abqgjobtkla.exe
4600	cwokeexnndkvuuhwtvqkc.exe
1552	nsvchs.exe
2468	abqgjobtkla.exe
3916	pgvofcsfcptbxueqkj.exe
2692	gwkcsodplxahcyhsl.exe
3940	gwkcsodplxahcyhsl.exe
4304	asicusjxvjoxusdqlle.exe
4752	abqgjobtkla.exe
2280	abqgjobtkla.exe
1388	abqgjobtkla.exe
2944	abqgjobtkla.exe
2440	asicusjxvjoxusdqlle.exe
1396	zobshcqbwhjpjemw.exe
5108	asicusjxvjoxusdqlle.exe
632	cwokeexnndkvuuhwtvqkc.exe
3684	zobshcqbwhjpjemw.exe
2520	asicusjxvjoxusdqlle.exe
3764	cwokeexnndkvuuhwtvqkc.exe
2296	cwokeexnndkvuuhwtvqkc.exe
4396	zobshcqbwhjpjemw.exe
1388	abqgjobtkla.exe
2112	pgvofcsfcptbxueqkj.exe
4756	asicusjxvjoxusdqlle.exe
4792	abqgjobtkla.exe
4676	abqgjobtkla.exe
2112	abqgjobtkla.exe
5032	abqgjobtkla.exe
432	abqgjobtkla.exe
2464	abqgjobtkla.exe
464	ngxslkcrqflvtsesopjc.exe
2160	zobshcqbwhjpjemw.exe
2316	gwkcsodplxahcyhsl.exe
4424	zobshcqbwhjpjemw.exe
4604	abqgjobtkla.exe
4752	asicusjxvjoxusdqlle.exe
1404	abqgjobtkla.exe
540	ngxslkcrqflvtsesopjc.exe
4992	pgvofcsfcptbxueqkj.exe
5112	gwkcsodplxahcyhsl.exe
1612	abqgjobtkla.exe
4868	zobshcqbwhjpjemw.exe
2104	cwokeexnndkvuuhwtvqkc.exe
5004	asicusjxvjoxusdqlle.exe
3836	abqgjobtkla.exe
3180	abqgjobtkla.exe
2960	ngxslkcrqflvtsesopjc.exe

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	nsvchs.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	nsvchs.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	nsvchs.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	nsvchs.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	nsvchs.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	nsvchs.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

defense_evasion persistence privilege_escalation

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cgios = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zobshcqbwhjpjemw.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cgios = "cwokeexnndkvuuhwtvqkc.exe"	nsvchs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hmrgsxjmc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amyunzsczijpjemw.exe ."	nsvchs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uemyiyhndjg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gwkcsodplxahcyhsl.exe"	nsvchs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cgios = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ngxslkcrqflvtsesopjc.exe"	nsvchs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nsvchs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zobshcqbwhjpjemw.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zipajyglaf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zobshcqbwhjpjemw.exe ."	nsvchs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cgios = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gwkcsodplxahcyhsl.exe"	nsvchs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nsvchs = "asicusjxvjoxusdqlle.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nsvchs = "cwokeexnndkvuuhwtvqkc.exe ."	nsvchs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uemyiyhndjg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gwkcsodplxahcyhsl.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cgios = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ngxslkcrqflvtsesopjc.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zipajyglaf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\asicusjxvjoxusdqlle.exe ."	nsvchs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\quymxbmo = "amyunzsczijpjemw.exe ."	nsvchs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hmrgsxjmc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oeuurhestglvtsesopka.exe ."	nsvchs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uuue = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qesqlzugfqtbxueqkj.exe"	nsvchs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\gouemahlz = "gwkcsodplxahcyhsl.exe ."	nsvchs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zipajyglaf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zobshcqbwhjpjemw.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nsvchs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ngxslkcrqflvtsesopjc.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\gouemahlz = "zobshcqbwhjpjemw.exe ."	nsvchs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cgios = "pgvofcsfcptbxueqkj.exe"	nsvchs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cgios = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gwkcsodplxahcyhsl.exe"	nsvchs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uuue = "huheylfqoyahcyhsl.exe"	nsvchs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uemyiyhndjg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ngxslkcrqflvtsesopjc.exe"	nsvchs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pwbkrekn = "gwkcsodplxahcyhsl.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\gouemahlz = "gwkcsodplxahcyhsl.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cgios = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ngxslkcrqflvtsesopjc.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nsvchs = "pgvofcsfcptbxueqkj.exe ."	nsvchs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\defqy = "bqfeaplyykoxusdqllf.exe ."	nsvchs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pwbkrekn = "ngxslkcrqflvtsesopjc.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\gouemahlz = "pgvofcsfcptbxueqkj.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pwbkrekn = "gwkcsodplxahcyhsl.exe"	nsvchs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\defqy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dulmkbzoqekvuuhwtvriz.exe ."	nsvchs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cgios = "zobshcqbwhjpjemw.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cgios = "cwokeexnndkvuuhwtvqkc.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pwbkrekn = "asicusjxvjoxusdqlle.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\quymxbmo = "huheylfqoyahcyhsl.exe ."	nsvchs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cgios = "pgvofcsfcptbxueqkj.exe"	nsvchs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uemyiyhndjg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ngxslkcrqflvtsesopjc.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pwbkrekn = "cwokeexnndkvuuhwtvqkc.exe"	nsvchs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\gouemahlz = "asicusjxvjoxusdqlle.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nsvchs = "asicusjxvjoxusdqlle.exe ."	nsvchs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nsvchs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gwkcsodplxahcyhsl.exe ."	nsvchs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uuue = "oeuurhestglvtsesopka.exe"	nsvchs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\behuehr = "oeuurhestglvtsesopka.exe"	nsvchs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pwbkrekn = "zobshcqbwhjpjemw.exe"	nsvchs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nsvchs = "asicusjxvjoxusdqlle.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uuue = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amyunzsczijpjemw.exe"	nsvchs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nsvchs = "zobshcqbwhjpjemw.exe ."	nsvchs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zipajyglaf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pgvofcsfcptbxueqkj.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\gouemahlz = "pgvofcsfcptbxueqkj.exe ."	nsvchs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cgios = "zobshcqbwhjpjemw.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\gouemahlz = "cwokeexnndkvuuhwtvqkc.exe ."	nsvchs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uemyiyhndjg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ngxslkcrqflvtsesopjc.exe"	nsvchs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zipajyglaf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zobshcqbwhjpjemw.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nsvchs = "asicusjxvjoxusdqlle.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pwbkrekn = "cwokeexnndkvuuhwtvqkc.exe"	nsvchs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\gouemahlz = "ngxslkcrqflvtsesopjc.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pwbkrekn = "pgvofcsfcptbxueqkj.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cgios = "ngxslkcrqflvtsesopjc.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uemyiyhndjg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cwokeexnndkvuuhwtvqkc.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uemyiyhndjg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\asicusjxvjoxusdqlle.exe"	nsvchs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nsvchs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\asicusjxvjoxusdqlle.exe ."	nsvchs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cgios = "asicusjxvjoxusdqlle.exe"	nsvchs.exe

Checks whether UAC is enabled 1 TTPs 14 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	nsvchs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	nsvchs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	nsvchs.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	nsvchs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	nsvchs.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	nsvchs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 4 IoCs

Possible Turn off User Account Control's privilege elevation for standard users.

Executable Installer File Permissions Weakness

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	nsvchs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	nsvchs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	nsvchs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	abqgjobtkla.exe

Looks up external IP address via web service 8 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
55	whatismyip.everdot.org
28	www.whatismyip.ca
29	whatismyipaddress.com
31	www.showmyipaddress.com
39	www.whatismyip.ca
40	whatismyip.everdot.org
45	www.whatismyip.ca
48	whatismyip.everdot.org

Drops file in System32 directory 46 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\gwkcsodplxahcyhsl.exe	nsvchs.exe
File opened for modification	C:\Windows\SysWOW64\asicusjxvjoxusdqlle.exe	nsvchs.exe
File opened for modification	C:\Windows\SysWOW64\asicusjxvjoxusdqlle.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\pgvofcsfcptbxueqkj.exe	nsvchs.exe
File opened for modification	C:\Windows\SysWOW64\zobshcqbwhjpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\gwkcsodplxahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\asicusjxvjoxusdqlle.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\cwokeexnndkvuuhwtvqkc.exe	nsvchs.exe
File opened for modification	C:\Windows\SysWOW64\cwokeexnndkvuuhwtvqkc.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\tohezaulmdlxxymcadzunk.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\pgvofcsfcptbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\tohezaulmdlxxymcadzunk.exe	nsvchs.exe
File opened for modification	C:\Windows\SysWOW64\gwkcsodplxahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\cwokeexnndkvuuhwtvqkc.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\pgvofcsfcptbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\zobshcqbwhjpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\gwkcsodplxahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\tohezaulmdlxxymcadzunk.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\gwkcsodplxahcyhsl.exe	nsvchs.exe
File opened for modification	C:\Windows\SysWOW64\pgvofcsfcptbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\cwokeexnndkvuuhwtvqkc.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\zobshcqbwhjpjemw.exe	nsvchs.exe
File opened for modification	C:\Windows\SysWOW64\eeceekjflhulqwpknvwwuww.bxd	nsvchs.exe
File created	C:\Windows\SysWOW64\rclyjakripnpfwagunzktgriszqxvxneio.vhs	nsvchs.exe
File opened for modification	C:\Windows\SysWOW64\asicusjxvjoxusdqlle.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ngxslkcrqflvtsesopjc.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\pgvofcsfcptbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ngxslkcrqflvtsesopjc.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ngxslkcrqflvtsesopjc.exe	nsvchs.exe
File opened for modification	C:\Windows\SysWOW64\asicusjxvjoxusdqlle.exe	nsvchs.exe
File opened for modification	C:\Windows\SysWOW64\zobshcqbwhjpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\tohezaulmdlxxymcadzunk.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\zobshcqbwhjpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\tohezaulmdlxxymcadzunk.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\asicusjxvjoxusdqlle.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ngxslkcrqflvtsesopjc.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ngxslkcrqflvtsesopjc.exe	nsvchs.exe
File opened for modification	C:\Windows\SysWOW64\cwokeexnndkvuuhwtvqkc.exe	nsvchs.exe
File created	C:\Windows\SysWOW64\eeceekjflhulqwpknvwwuww.bxd	nsvchs.exe
File opened for modification	C:\Windows\SysWOW64\cwokeexnndkvuuhwtvqkc.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ngxslkcrqflvtsesopjc.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\tohezaulmdlxxymcadzunk.exe	nsvchs.exe
File opened for modification	C:\Windows\SysWOW64\rclyjakripnpfwagunzktgriszqxvxneio.vhs	nsvchs.exe
File opened for modification	C:\Windows\SysWOW64\gwkcsodplxahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\zobshcqbwhjpjemw.exe	nsvchs.exe
File opened for modification	C:\Windows\SysWOW64\pgvofcsfcptbxueqkj.exe	nsvchs.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\eeceekjflhulqwpknvwwuww.bxd	nsvchs.exe
File created	C:\Program Files (x86)\eeceekjflhulqwpknvwwuww.bxd	nsvchs.exe
File opened for modification	C:\Program Files (x86)\rclyjakripnpfwagunzktgriszqxvxneio.vhs	nsvchs.exe
File created	C:\Program Files (x86)\rclyjakripnpfwagunzktgriszqxvxneio.vhs	nsvchs.exe

Drops file in Windows directory 46 IoCs

description	ioc	Process
File opened for modification	C:\Windows\gwkcsodplxahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\asicusjxvjoxusdqlle.exe	nsvchs.exe
File created	C:\Windows\eeceekjflhulqwpknvwwuww.bxd	nsvchs.exe
File opened for modification	C:\Windows\rclyjakripnpfwagunzktgriszqxvxneio.vhs	nsvchs.exe
File created	C:\Windows\rclyjakripnpfwagunzktgriszqxvxneio.vhs	nsvchs.exe
File opened for modification	C:\Windows\zobshcqbwhjpjemw.exe	nsvchs.exe
File opened for modification	C:\Windows\zobshcqbwhjpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\asicusjxvjoxusdqlle.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\asicusjxvjoxusdqlle.exe	nsvchs.exe
File opened for modification	C:\Windows\eeceekjflhulqwpknvwwuww.bxd	nsvchs.exe
File opened for modification	C:\Windows\zobshcqbwhjpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\gwkcsodplxahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\asicusjxvjoxusdqlle.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\gwkcsodplxahcyhsl.exe	nsvchs.exe
File opened for modification	C:\Windows\pgvofcsfcptbxueqkj.exe	nsvchs.exe
File opened for modification	C:\Windows\cwokeexnndkvuuhwtvqkc.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\tohezaulmdlxxymcadzunk.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ngxslkcrqflvtsesopjc.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\cwokeexnndkvuuhwtvqkc.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\pgvofcsfcptbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ngxslkcrqflvtsesopjc.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\asicusjxvjoxusdqlle.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ngxslkcrqflvtsesopjc.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\pgvofcsfcptbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\tohezaulmdlxxymcadzunk.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\cwokeexnndkvuuhwtvqkc.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\tohezaulmdlxxymcadzunk.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\tohezaulmdlxxymcadzunk.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\tohezaulmdlxxymcadzunk.exe	nsvchs.exe
File opened for modification	C:\Windows\tohezaulmdlxxymcadzunk.exe	nsvchs.exe
File opened for modification	C:\Windows\pgvofcsfcptbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ngxslkcrqflvtsesopjc.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ngxslkcrqflvtsesopjc.exe	nsvchs.exe
File opened for modification	C:\Windows\zobshcqbwhjpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\gwkcsodplxahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\cwokeexnndkvuuhwtvqkc.exe	nsvchs.exe
File opened for modification	C:\Windows\cwokeexnndkvuuhwtvqkc.exe	nsvchs.exe
File opened for modification	C:\Windows\gwkcsodplxahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\pgvofcsfcptbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ngxslkcrqflvtsesopjc.exe	nsvchs.exe
File opened for modification	C:\Windows\zobshcqbwhjpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\asicusjxvjoxusdqlle.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\cwokeexnndkvuuhwtvqkc.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\zobshcqbwhjpjemw.exe	nsvchs.exe
File opened for modification	C:\Windows\gwkcsodplxahcyhsl.exe	nsvchs.exe
File opened for modification	C:\Windows\pgvofcsfcptbxueqkj.exe	nsvchs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 54 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dulmkbzoqekvuuhwtvriz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	asicusjxvjoxusdqlle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngxslkcrqflvtsesopjc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	amyunzsczijpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bqfeaplyykoxusdqllf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	asicusjxvjoxusdqlle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pgvofcsfcptbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	asicusjxvjoxusdqlle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oeuurhestglvtsesopka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zobshcqbwhjpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gwkcsodplxahcyhsl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8f6670643f92a191cf11f597cdb31810.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gwkcsodplxahcyhsl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zobshcqbwhjpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zobshcqbwhjpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zobshcqbwhjpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	asicusjxvjoxusdqlle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gwkcsodplxahcyhsl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngxslkcrqflvtsesopjc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cwokeexnndkvuuhwtvqkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zobshcqbwhjpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	asicusjxvjoxusdqlle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	asicusjxvjoxusdqlle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abqgjobtkla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngxslkcrqflvtsesopjc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngxslkcrqflvtsesopjc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gwkcsodplxahcyhsl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngxslkcrqflvtsesopjc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngxslkcrqflvtsesopjc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	asicusjxvjoxusdqlle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nsvchs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	amyunzsczijpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cwokeexnndkvuuhwtvqkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	huheylfqoyahcyhsl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qesqlzugfqtbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	huheylfqoyahcyhsl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pgvofcsfcptbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	asicusjxvjoxusdqlle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cwokeexnndkvuuhwtvqkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zobshcqbwhjpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zobshcqbwhjpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pgvofcsfcptbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pgvofcsfcptbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pgvofcsfcptbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	asicusjxvjoxusdqlle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oeuurhestglvtsesopka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qesqlzugfqtbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	asicusjxvjoxusdqlle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nsvchs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zobshcqbwhjpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gwkcsodplxahcyhsl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oeuurhestglvtsesopka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cwokeexnndkvuuhwtvqkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dulmkbzoqekvuuhwtvriz.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
4160	JaffaCakes118_8f6670643f92a191cf11f597cdb31810.exe
4160	JaffaCakes118_8f6670643f92a191cf11f597cdb31810.exe
4160	JaffaCakes118_8f6670643f92a191cf11f597cdb31810.exe
4160	JaffaCakes118_8f6670643f92a191cf11f597cdb31810.exe
4160	JaffaCakes118_8f6670643f92a191cf11f597cdb31810.exe
4160	JaffaCakes118_8f6670643f92a191cf11f597cdb31810.exe
4160	JaffaCakes118_8f6670643f92a191cf11f597cdb31810.exe
4160	JaffaCakes118_8f6670643f92a191cf11f597cdb31810.exe
4160	JaffaCakes118_8f6670643f92a191cf11f597cdb31810.exe
4160	JaffaCakes118_8f6670643f92a191cf11f597cdb31810.exe
4160	JaffaCakes118_8f6670643f92a191cf11f597cdb31810.exe
4160	JaffaCakes118_8f6670643f92a191cf11f597cdb31810.exe
4160	JaffaCakes118_8f6670643f92a191cf11f597cdb31810.exe
4160	JaffaCakes118_8f6670643f92a191cf11f597cdb31810.exe
4160	JaffaCakes118_8f6670643f92a191cf11f597cdb31810.exe
4160	JaffaCakes118_8f6670643f92a191cf11f597cdb31810.exe
1248	nsvchs.exe
1248	nsvchs.exe
4160	JaffaCakes118_8f6670643f92a191cf11f597cdb31810.exe
4160	JaffaCakes118_8f6670643f92a191cf11f597cdb31810.exe
4160	JaffaCakes118_8f6670643f92a191cf11f597cdb31810.exe
4160	JaffaCakes118_8f6670643f92a191cf11f597cdb31810.exe
4160	JaffaCakes118_8f6670643f92a191cf11f597cdb31810.exe
4160	JaffaCakes118_8f6670643f92a191cf11f597cdb31810.exe
4160	JaffaCakes118_8f6670643f92a191cf11f597cdb31810.exe
4160	JaffaCakes118_8f6670643f92a191cf11f597cdb31810.exe
4160	JaffaCakes118_8f6670643f92a191cf11f597cdb31810.exe
4160	JaffaCakes118_8f6670643f92a191cf11f597cdb31810.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1248	nsvchs.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4160 wrote to memory of 2644	4160	JaffaCakes118_8f6670643f92a191cf11f597cdb31810.exe	90
PID 4160 wrote to memory of 2644	4160	JaffaCakes118_8f6670643f92a191cf11f597cdb31810.exe	90
PID 4160 wrote to memory of 2644	4160	JaffaCakes118_8f6670643f92a191cf11f597cdb31810.exe	90
PID 1492 wrote to memory of 1836	1492	cmd.exe	93
PID 1492 wrote to memory of 1836	1492	cmd.exe	93
PID 1492 wrote to memory of 1836	1492	cmd.exe	93
PID 1296 wrote to memory of 2952	1296	cmd.exe	96
PID 1296 wrote to memory of 2952	1296	cmd.exe	96
PID 1296 wrote to memory of 2952	1296	cmd.exe	96
PID 2952 wrote to memory of 2520	2952	asicusjxvjoxusdqlle.exe	207
PID 2952 wrote to memory of 2520	2952	asicusjxvjoxusdqlle.exe	207
PID 2952 wrote to memory of 2520	2952	asicusjxvjoxusdqlle.exe	207
PID 2576 wrote to memory of 3860	2576	cmd.exe	179
PID 2576 wrote to memory of 3860	2576	cmd.exe	179
PID 2576 wrote to memory of 3860	2576	cmd.exe	179
PID 4596 wrote to memory of 4304	4596	cmd.exe	245
PID 4596 wrote to memory of 4304	4596	cmd.exe	245
PID 4596 wrote to memory of 4304	4596	cmd.exe	245
PID 4304 wrote to memory of 2588	4304	gwkcsodplxahcyhsl.exe	337
PID 4304 wrote to memory of 2588	4304	gwkcsodplxahcyhsl.exe	337
PID 4304 wrote to memory of 2588	4304	gwkcsodplxahcyhsl.exe	337
PID 624 wrote to memory of 4144	624	cmd.exe	356
PID 624 wrote to memory of 4144	624	cmd.exe	356
PID 624 wrote to memory of 4144	624	cmd.exe	356
PID 1376 wrote to memory of 3184	1376	cmd.exe	112
PID 1376 wrote to memory of 3184	1376	cmd.exe	112
PID 1376 wrote to memory of 3184	1376	cmd.exe	112
PID 1932 wrote to memory of 4004	1932	cmd.exe	115
PID 1932 wrote to memory of 4004	1932	cmd.exe	115
PID 1932 wrote to memory of 4004	1932	cmd.exe	115
PID 3184 wrote to memory of 1776	3184	zobshcqbwhjpjemw.exe	278
PID 3184 wrote to memory of 1776	3184	zobshcqbwhjpjemw.exe	278
PID 3184 wrote to memory of 1776	3184	zobshcqbwhjpjemw.exe	278
PID 4864 wrote to memory of 2160	4864	cmd.exe	226
PID 4864 wrote to memory of 2160	4864	cmd.exe	226
PID 4864 wrote to memory of 2160	4864	cmd.exe	226
PID 2160 wrote to memory of 3996	2160	ngxslkcrqflvtsesopjc.exe	118
PID 2160 wrote to memory of 3996	2160	ngxslkcrqflvtsesopjc.exe	118
PID 2160 wrote to memory of 3996	2160	ngxslkcrqflvtsesopjc.exe	118
PID 2644 wrote to memory of 1248	2644	abqgjobtkla.exe	121
PID 2644 wrote to memory of 1248	2644	abqgjobtkla.exe	121
PID 2644 wrote to memory of 1248	2644	abqgjobtkla.exe	121
PID 2644 wrote to memory of 3964	2644	abqgjobtkla.exe	122
PID 2644 wrote to memory of 3964	2644	abqgjobtkla.exe	122
PID 2644 wrote to memory of 3964	2644	abqgjobtkla.exe	122
PID 4844 wrote to memory of 4392	4844	cmd.exe	126
PID 4844 wrote to memory of 4392	4844	cmd.exe	126
PID 4844 wrote to memory of 4392	4844	cmd.exe	126
PID 3492 wrote to memory of 1404	3492	cmd.exe	450
PID 3492 wrote to memory of 1404	3492	cmd.exe	450
PID 3492 wrote to memory of 1404	3492	cmd.exe	450
PID 5032 wrote to memory of 2392	5032	cmd.exe	266
PID 5032 wrote to memory of 2392	5032	cmd.exe	266
PID 5032 wrote to memory of 2392	5032	cmd.exe	266
PID 2804 wrote to memory of 2904	2804	cmd.exe	254
PID 2804 wrote to memory of 2904	2804	cmd.exe	254
PID 2804 wrote to memory of 2904	2804	cmd.exe	254
PID 1404 wrote to memory of 4396	1404	pgvofcsfcptbxueqkj.exe	434
PID 1404 wrote to memory of 4396	1404	pgvofcsfcptbxueqkj.exe	434
PID 1404 wrote to memory of 4396	1404	pgvofcsfcptbxueqkj.exe	434
PID 2884 wrote to memory of 4600	2884	cmd.exe	144
PID 2884 wrote to memory of 4600	2884	cmd.exe	144
PID 2884 wrote to memory of 4600	2884	cmd.exe	144
PID 2644 wrote to memory of 1552	2644	abqgjobtkla.exe	148

System policy modification 1 TTPs 54 IoCs

defense_evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	nsvchs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	nsvchs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	nsvchs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	nsvchs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	nsvchs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	nsvchs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	nsvchs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	nsvchs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	nsvchs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	nsvchs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	nsvchs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	nsvchs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	nsvchs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	nsvchs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	nsvchs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	nsvchs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	nsvchs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	nsvchs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	nsvchs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	nsvchs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	nsvchs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	nsvchs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	nsvchs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	nsvchs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	nsvchs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	nsvchs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	nsvchs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	nsvchs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	nsvchs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	nsvchs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	nsvchs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	nsvchs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	nsvchs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	nsvchs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	nsvchs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	nsvchs.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8f6670643f92a191cf11f597cdb31810.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8f6670643f92a191cf11f597cdb31810.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4160
- C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
  "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_8f6670643f92a191cf11f597cdb31810.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2644
- - C:\Users\Admin\AppData\Local\Temp\nsvchs.exe
    "C:\Users\Admin\AppData\Local\Temp\nsvchs.exe" "-C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:1248
- - C:\Users\Admin\AppData\Local\Temp\nsvchs.exe
    "C:\Users\Admin\AppData\Local\Temp\nsvchs.exe" "-C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - System Location Discovery: System Language Discovery
    - System policy modification
    PID:3964
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:1932
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:648
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:1084
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:2800
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:872
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:1620
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:4472
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:888
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:1048
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:1932
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:5832
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:2440
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:5372
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:5328
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:5512
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:4824
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:6020
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:5220
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:5628
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:6100
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:1812
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:5340
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:3440
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:4144
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:1528
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:736
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:5228
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:2248
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:4132
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:5248
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:5192
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:5436
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:5528
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:5732
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:4988
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:1952
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:5316
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:5580
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:6024
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:5548
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:4020
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe"
      4⤵
      PID:5328
- - C:\Users\Admin\AppData\Local\Temp\nsvchs.exe
    "C:\Users\Admin\AppData\Local\Temp\nsvchs.exe" "-C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ngxslkcrqflvtsesopjc.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Windows\ngxslkcrqflvtsesopjc.exe
  ngxslkcrqflvtsesopjc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c asicusjxvjoxusdqlle.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:1296
- C:\Windows\asicusjxvjoxusdqlle.exe
  asicusjxvjoxusdqlle.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\asicusjxvjoxusdqlle.exe*."
    3⤵
    - Executes dropped EXE
    PID:2520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c asicusjxvjoxusdqlle.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Windows\asicusjxvjoxusdqlle.exe
  asicusjxvjoxusdqlle.exe
  2⤵
  - Executes dropped EXE
  PID:3860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gwkcsodplxahcyhsl.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Windows\gwkcsodplxahcyhsl.exe
  gwkcsodplxahcyhsl.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4304
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\gwkcsodplxahcyhsl.exe*."
    3⤵
    - Executes dropped EXE
    PID:2588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:624
- C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe
  C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3184
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\zobshcqbwhjpjemw.exe*."
    3⤵
    - Executes dropped EXE
    PID:1776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe
  C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:4864
- C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe
  C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ngxslkcrqflvtsesopjc.exe*."
    3⤵
    - Executes dropped EXE
    PID:3996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pgvofcsfcptbxueqkj.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4844
- C:\Windows\pgvofcsfcptbxueqkj.exe
  pgvofcsfcptbxueqkj.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oeuurhestglvtsesopka.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5032
- C:\Windows\oeuurhestglvtsesopka.exe
  oeuurhestglvtsesopka.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pgvofcsfcptbxueqkj.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:3492
- C:\Windows\pgvofcsfcptbxueqkj.exe
  pgvofcsfcptbxueqkj.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\pgvofcsfcptbxueqkj.exe*."
    3⤵
    - Executes dropped EXE
    PID:4396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bqfeaplyykoxusdqllf.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Windows\bqfeaplyykoxusdqllf.exe
  bqfeaplyykoxusdqllf.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2904
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\bqfeaplyykoxusdqllf.exe*."
    3⤵
    - Executes dropped EXE
    PID:2468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cwokeexnndkvuuhwtvqkc.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Windows\cwokeexnndkvuuhwtvqkc.exe
  cwokeexnndkvuuhwtvqkc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pgvofcsfcptbxueqkj.exe .
1⤵
PID:1068
- C:\Windows\pgvofcsfcptbxueqkj.exe
  pgvofcsfcptbxueqkj.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3916
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\pgvofcsfcptbxueqkj.exe*."
    3⤵
    - Executes dropped EXE
    PID:4752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oeuurhestglvtsesopka.exe
1⤵
PID:1396
- C:\Windows\oeuurhestglvtsesopka.exe
  oeuurhestglvtsesopka.exe
  2⤵
  PID:2832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe
1⤵
PID:1320
- C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe
  C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c amyunzsczijpjemw.exe .
1⤵
PID:2532
- C:\Windows\amyunzsczijpjemw.exe
  amyunzsczijpjemw.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2016
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\amyunzsczijpjemw.exe*."
    3⤵
    - Executes dropped EXE
    PID:2280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe .
1⤵
PID:1528
- C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3940
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\gwkcsodplxahcyhsl.exe*."
    3⤵
    - Executes dropped EXE
    PID:1388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dulmkbzoqekvuuhwtvriz.exe
1⤵
PID:1292
- C:\Users\Admin\AppData\Local\Temp\dulmkbzoqekvuuhwtvriz.exe
  C:\Users\Admin\AppData\Local\Temp\dulmkbzoqekvuuhwtvriz.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oeuurhestglvtsesopka.exe .
1⤵
PID:1508
- C:\Users\Admin\AppData\Local\Temp\oeuurhestglvtsesopka.exe
  C:\Users\Admin\AppData\Local\Temp\oeuurhestglvtsesopka.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4132
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\oeuurhestglvtsesopka.exe*."
    3⤵
    - Executes dropped EXE
    PID:2944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe
1⤵
PID:4936
- C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe .
1⤵
PID:452
- C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe
  C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2520
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\asicusjxvjoxusdqlle.exe*."
    3⤵
    - Executes dropped EXE
    PID:5032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qesqlzugfqtbxueqkj.exe
1⤵
PID:3984
- C:\Users\Admin\AppData\Local\Temp\qesqlzugfqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\qesqlzugfqtbxueqkj.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zobshcqbwhjpjemw.exe
1⤵
PID:4048
- C:\Windows\zobshcqbwhjpjemw.exe
  zobshcqbwhjpjemw.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dulmkbzoqekvuuhwtvriz.exe .
1⤵
PID:4144
- C:\Users\Admin\AppData\Local\Temp\dulmkbzoqekvuuhwtvriz.exe
  C:\Users\Admin\AppData\Local\Temp\dulmkbzoqekvuuhwtvriz.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4424
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\dulmkbzoqekvuuhwtvriz.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c asicusjxvjoxusdqlle.exe
1⤵
PID:2200
- C:\Windows\asicusjxvjoxusdqlle.exe
  asicusjxvjoxusdqlle.exe
  2⤵
  - Executes dropped EXE
  PID:2440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c asicusjxvjoxusdqlle.exe .
1⤵
PID:2104
- C:\Windows\asicusjxvjoxusdqlle.exe
  asicusjxvjoxusdqlle.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5108
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\asicusjxvjoxusdqlle.exe*."
    3⤵
    - Executes dropped EXE
    PID:4792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cwokeexnndkvuuhwtvqkc.exe .
1⤵
PID:3860
- C:\Windows\cwokeexnndkvuuhwtvqkc.exe
  cwokeexnndkvuuhwtvqkc.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2296
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\cwokeexnndkvuuhwtvqkc.exe*."
    3⤵
    - Executes dropped EXE
    PID:432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pgvofcsfcptbxueqkj.exe
1⤵
PID:1924
- C:\Windows\pgvofcsfcptbxueqkj.exe
  pgvofcsfcptbxueqkj.exe
  2⤵
  - Executes dropped EXE
  PID:2112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zobshcqbwhjpjemw.exe
1⤵
PID:3528
- C:\Windows\zobshcqbwhjpjemw.exe
  zobshcqbwhjpjemw.exe
  2⤵
  - Executes dropped EXE
  PID:3684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c asicusjxvjoxusdqlle.exe .
1⤵
PID:1676
- C:\Windows\asicusjxvjoxusdqlle.exe
  asicusjxvjoxusdqlle.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4756
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\asicusjxvjoxusdqlle.exe*."
    3⤵
    - Executes dropped EXE
    PID:2464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cwokeexnndkvuuhwtvqkc.exe .
1⤵
PID:4008
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2468
- C:\Windows\cwokeexnndkvuuhwtvqkc.exe
  cwokeexnndkvuuhwtvqkc.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:632
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\cwokeexnndkvuuhwtvqkc.exe*."
    3⤵
    - Executes dropped EXE
    PID:4676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe
1⤵
PID:3796
- C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe
  C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe
  2⤵
  - Executes dropped EXE
  PID:3764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe
1⤵
PID:376
- C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe
  C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe
  2⤵
  - Executes dropped EXE
  PID:464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe .
1⤵
PID:1520
- C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4396
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\zobshcqbwhjpjemw.exe*."
    3⤵
    - Executes dropped EXE
    PID:2112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe
1⤵
PID:3232
- C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe
  2⤵
  - Executes dropped EXE
  PID:2316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe .
1⤵
PID:4928
- C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2160
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\zobshcqbwhjpjemw.exe*."
    3⤵
    - Executes dropped EXE
    PID:4604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zobshcqbwhjpjemw.exe
1⤵
PID:3608
- C:\Windows\zobshcqbwhjpjemw.exe
  zobshcqbwhjpjemw.exe
  2⤵
  - Executes dropped EXE
  PID:4424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c asicusjxvjoxusdqlle.exe .
1⤵
PID:2852
- C:\Windows\asicusjxvjoxusdqlle.exe
  asicusjxvjoxusdqlle.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4752
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\asicusjxvjoxusdqlle.exe*."
    3⤵
    - Executes dropped EXE
    PID:1404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ngxslkcrqflvtsesopjc.exe
1⤵
PID:3536
- C:\Windows\ngxslkcrqflvtsesopjc.exe
  ngxslkcrqflvtsesopjc.exe
  2⤵
  - Executes dropped EXE
  PID:540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pgvofcsfcptbxueqkj.exe .
1⤵
PID:664
- C:\Windows\pgvofcsfcptbxueqkj.exe
  pgvofcsfcptbxueqkj.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4992
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\pgvofcsfcptbxueqkj.exe*."
    3⤵
    - Executes dropped EXE
    PID:1612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe
1⤵
PID:4072
- C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe
  2⤵
  - Executes dropped EXE
  PID:5112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe .
1⤵
PID:1996
- C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4868
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\zobshcqbwhjpjemw.exe*."
    3⤵
    - Executes dropped EXE
    PID:3836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cwokeexnndkvuuhwtvqkc.exe
1⤵
PID:4756
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4304
- C:\Windows\cwokeexnndkvuuhwtvqkc.exe
  cwokeexnndkvuuhwtvqkc.exe
  2⤵
  - Executes dropped EXE
  PID:2104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c huheylfqoyahcyhsl.exe
1⤵
PID:432
- C:\Windows\huheylfqoyahcyhsl.exe
  huheylfqoyahcyhsl.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c asicusjxvjoxusdqlle.exe .
1⤵
PID:4508
- C:\Windows\asicusjxvjoxusdqlle.exe
  asicusjxvjoxusdqlle.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5004
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\asicusjxvjoxusdqlle.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qesqlzugfqtbxueqkj.exe .
1⤵
PID:2684
- C:\Windows\qesqlzugfqtbxueqkj.exe
  qesqlzugfqtbxueqkj.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3940
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\qesqlzugfqtbxueqkj.exe*."
    3⤵
    PID:4468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe
1⤵
PID:3316
- C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe
  C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe
  2⤵
  - Executes dropped EXE
  PID:2960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe .
1⤵
PID:4656
- C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe
  C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1292
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ngxslkcrqflvtsesopjc.exe*."
    3⤵
    PID:2028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gwkcsodplxahcyhsl.exe
1⤵
PID:3304
- C:\Windows\gwkcsodplxahcyhsl.exe
  gwkcsodplxahcyhsl.exe
  2⤵
  PID:1612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zobshcqbwhjpjemw.exe .
1⤵
PID:1236
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2392
- C:\Windows\zobshcqbwhjpjemw.exe
  zobshcqbwhjpjemw.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2200
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\zobshcqbwhjpjemw.exe*."
    3⤵
    PID:2800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oeuurhestglvtsesopka.exe
1⤵
PID:112
- C:\Windows\oeuurhestglvtsesopka.exe
  oeuurhestglvtsesopka.exe
  2⤵
  PID:4652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe
1⤵
PID:972
- C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe
  C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe
  2⤵
  PID:3796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c huheylfqoyahcyhsl.exe .
1⤵
PID:4372
- C:\Windows\huheylfqoyahcyhsl.exe
  huheylfqoyahcyhsl.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4472
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\huheylfqoyahcyhsl.exe*."
    3⤵
    PID:464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe .
1⤵
PID:1396
- C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe
  C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2588
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ngxslkcrqflvtsesopjc.exe*."
    3⤵
    PID:624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dulmkbzoqekvuuhwtvriz.exe
1⤵
PID:3980
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1776
- C:\Users\Admin\AppData\Local\Temp\dulmkbzoqekvuuhwtvriz.exe
  C:\Users\Admin\AppData\Local\Temp\dulmkbzoqekvuuhwtvriz.exe
  2⤵
  PID:632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe .
1⤵
PID:2004
- C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4684
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\amyunzsczijpjemw.exe*."
    3⤵
    PID:2296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe
1⤵
PID:2952
- C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe
  2⤵
  PID:3488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe .
1⤵
PID:5016
- C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe
  C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2684
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\asicusjxvjoxusdqlle.exe*."
    3⤵
    PID:440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe
1⤵
PID:2300
- C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe
  2⤵
  PID:1932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cwokeexnndkvuuhwtvqkc.exe
1⤵
PID:3956
- C:\Windows\cwokeexnndkvuuhwtvqkc.exe
  cwokeexnndkvuuhwtvqkc.exe
  2⤵
  PID:3156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oeuurhestglvtsesopka.exe .
1⤵
PID:1344
- C:\Users\Admin\AppData\Local\Temp\oeuurhestglvtsesopka.exe
  C:\Users\Admin\AppData\Local\Temp\oeuurhestglvtsesopka.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1520
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\oeuurhestglvtsesopka.exe*."
    3⤵
    PID:2804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pgvofcsfcptbxueqkj.exe
1⤵
PID:4556
- C:\Windows\pgvofcsfcptbxueqkj.exe
  pgvofcsfcptbxueqkj.exe
  2⤵
  PID:3492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c asicusjxvjoxusdqlle.exe .
1⤵
PID:3868
- C:\Windows\asicusjxvjoxusdqlle.exe
  asicusjxvjoxusdqlle.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4684
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\asicusjxvjoxusdqlle.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zobshcqbwhjpjemw.exe .
1⤵
PID:5092
- C:\Windows\zobshcqbwhjpjemw.exe
  zobshcqbwhjpjemw.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1284
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\zobshcqbwhjpjemw.exe*."
    3⤵
    PID:3880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gwkcsodplxahcyhsl.exe
1⤵
PID:1612
- C:\Windows\gwkcsodplxahcyhsl.exe
  gwkcsodplxahcyhsl.exe
  2⤵
  PID:2588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cwokeexnndkvuuhwtvqkc.exe
1⤵
PID:2528
- C:\Windows\cwokeexnndkvuuhwtvqkc.exe
  cwokeexnndkvuuhwtvqkc.exe
  2⤵
  PID:1140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ngxslkcrqflvtsesopjc.exe .
1⤵
PID:2284
- C:\Windows\ngxslkcrqflvtsesopjc.exe
  ngxslkcrqflvtsesopjc.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1636
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ngxslkcrqflvtsesopjc.exe*."
    3⤵
    PID:1796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gwkcsodplxahcyhsl.exe .
1⤵
PID:4452
- C:\Windows\gwkcsodplxahcyhsl.exe
  gwkcsodplxahcyhsl.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:632
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\gwkcsodplxahcyhsl.exe*."
    3⤵
    PID:4556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe
1⤵
PID:4264
- C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe
  C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe
  2⤵
  PID:920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe
1⤵
PID:4072
- C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe
  2⤵
  PID:1456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pgvofcsfcptbxueqkj.exe .
1⤵
PID:3680
- C:\Users\Admin\AppData\Local\Temp\pgvofcsfcptbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\pgvofcsfcptbxueqkj.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4992
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\pgvofcsfcptbxueqkj.exe*."
    3⤵
    PID:3880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe .
1⤵
PID:2240
- C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe
  C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4144
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\asicusjxvjoxusdqlle.exe*."
    3⤵
    PID:4432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe
1⤵
PID:4752
- C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe
  2⤵
  PID:3956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe
1⤵
PID:4796
- C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe
  C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe
  2⤵
  PID:1996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe .
1⤵
PID:1676
- C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5032
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\zobshcqbwhjpjemw.exe*."
    3⤵
    PID:4000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe .
1⤵
PID:1508
- C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2952
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\gwkcsodplxahcyhsl.exe*."
    3⤵
    PID:1612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gwkcsodplxahcyhsl.exe
1⤵
PID:3316
- C:\Windows\gwkcsodplxahcyhsl.exe
  gwkcsodplxahcyhsl.exe
  2⤵
  PID:920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gwkcsodplxahcyhsl.exe .
1⤵
PID:2852
- C:\Windows\gwkcsodplxahcyhsl.exe
  gwkcsodplxahcyhsl.exe .
  2⤵
  PID:2104
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\gwkcsodplxahcyhsl.exe*."
    3⤵
    PID:4360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c asicusjxvjoxusdqlle.exe
1⤵
PID:4676
- C:\Windows\asicusjxvjoxusdqlle.exe
  asicusjxvjoxusdqlle.exe
  2⤵
  PID:1636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zobshcqbwhjpjemw.exe .
1⤵
PID:808
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4016
- C:\Windows\zobshcqbwhjpjemw.exe
  zobshcqbwhjpjemw.exe .
  2⤵
  PID:4792
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\zobshcqbwhjpjemw.exe*."
    3⤵
    PID:536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe
1⤵
PID:3028
- C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe
  C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe
  2⤵
  PID:1080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe .
1⤵
PID:3280
- C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe
  C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe .
  2⤵
  PID:3232
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ngxslkcrqflvtsesopjc.exe*."
    3⤵
    PID:556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe
1⤵
PID:452
- C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe
  2⤵
  PID:5016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pgvofcsfcptbxueqkj.exe .
1⤵
PID:2284
- C:\Users\Admin\AppData\Local\Temp\pgvofcsfcptbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\pgvofcsfcptbxueqkj.exe .
  2⤵
  PID:1652
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\pgvofcsfcptbxueqkj.exe*."
    3⤵
    PID:2244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zobshcqbwhjpjemw.exe
1⤵
PID:624
- C:\Windows\zobshcqbwhjpjemw.exe
  zobshcqbwhjpjemw.exe
  2⤵
  PID:2328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c asicusjxvjoxusdqlle.exe .
1⤵
PID:2368
- C:\Windows\asicusjxvjoxusdqlle.exe
  asicusjxvjoxusdqlle.exe .
  2⤵
  PID:4300
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\asicusjxvjoxusdqlle.exe*."
    3⤵
    PID:3608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pgvofcsfcptbxueqkj.exe
1⤵
PID:3436
- C:\Windows\pgvofcsfcptbxueqkj.exe
  pgvofcsfcptbxueqkj.exe
  2⤵
  PID:5020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c asicusjxvjoxusdqlle.exe .
1⤵
PID:4424
- C:\Windows\asicusjxvjoxusdqlle.exe
  asicusjxvjoxusdqlle.exe .
  2⤵
  PID:4960
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\asicusjxvjoxusdqlle.exe*."
    3⤵
    PID:1796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe
1⤵
PID:968
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:920
- C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe
  2⤵
  PID:4360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe .
1⤵
PID:1932
- C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe .
  2⤵
  PID:224
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\zobshcqbwhjpjemw.exe*."
    3⤵
    PID:1860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe
1⤵
PID:3316
- C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe
  2⤵
  PID:3992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe .
1⤵
PID:4368
- C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe
  C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe .
  2⤵
  PID:4844
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ngxslkcrqflvtsesopjc.exe*."
    3⤵
    PID:2532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gwkcsodplxahcyhsl.exe
1⤵
PID:464
- C:\Windows\gwkcsodplxahcyhsl.exe
  gwkcsodplxahcyhsl.exe
  2⤵
  PID:3540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pgvofcsfcptbxueqkj.exe .
1⤵
PID:4132
- C:\Windows\pgvofcsfcptbxueqkj.exe
  pgvofcsfcptbxueqkj.exe .
  2⤵
  PID:4560
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\pgvofcsfcptbxueqkj.exe*."
    3⤵
    PID:2684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cwokeexnndkvuuhwtvqkc.exe
1⤵
PID:5000
- C:\Windows\cwokeexnndkvuuhwtvqkc.exe
  cwokeexnndkvuuhwtvqkc.exe
  2⤵
  PID:1052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c asicusjxvjoxusdqlle.exe .
1⤵
PID:3764
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4396
- C:\Windows\asicusjxvjoxusdqlle.exe
  asicusjxvjoxusdqlle.exe .
  2⤵
  PID:2916
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\asicusjxvjoxusdqlle.exe*."
    3⤵
    PID:220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe
1⤵
PID:184
- C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe
  C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe
  2⤵
  PID:3608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe .
1⤵
PID:3692
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3940
- C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe .
  2⤵
  PID:4724
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\zobshcqbwhjpjemw.exe*."
    3⤵
    PID:208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pgvofcsfcptbxueqkj.exe
1⤵
PID:4412
- C:\Users\Admin\AppData\Local\Temp\pgvofcsfcptbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\pgvofcsfcptbxueqkj.exe
  2⤵
  PID:4980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe .
1⤵
PID:320
- C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe .
  2⤵
  PID:4564
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\gwkcsodplxahcyhsl.exe*."
    3⤵
    PID:1404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ngxslkcrqflvtsesopjc.exe
1⤵
PID:224
- C:\Windows\ngxslkcrqflvtsesopjc.exe
  ngxslkcrqflvtsesopjc.exe
  2⤵
  PID:3528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pgvofcsfcptbxueqkj.exe .
1⤵
PID:1080
- C:\Windows\pgvofcsfcptbxueqkj.exe
  pgvofcsfcptbxueqkj.exe .
  2⤵
  PID:448
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\pgvofcsfcptbxueqkj.exe*."
    3⤵
    PID:3436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gwkcsodplxahcyhsl.exe
1⤵
PID:4820
- C:\Windows\gwkcsodplxahcyhsl.exe
  gwkcsodplxahcyhsl.exe
  2⤵
  PID:2300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cwokeexnndkvuuhwtvqkc.exe .
1⤵
PID:2960
- C:\Windows\cwokeexnndkvuuhwtvqkc.exe
  cwokeexnndkvuuhwtvqkc.exe .
  2⤵
  PID:2004
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\cwokeexnndkvuuhwtvqkc.exe*."
    3⤵
    PID:4372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pgvofcsfcptbxueqkj.exe
1⤵
PID:4524
- C:\Users\Admin\AppData\Local\Temp\pgvofcsfcptbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\pgvofcsfcptbxueqkj.exe
  2⤵
  PID:1284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pgvofcsfcptbxueqkj.exe .
1⤵
PID:4792
- C:\Users\Admin\AppData\Local\Temp\pgvofcsfcptbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\pgvofcsfcptbxueqkj.exe .
  2⤵
  PID:2836
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\pgvofcsfcptbxueqkj.exe*."
    3⤵
    PID:4264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe
1⤵
PID:2952
- C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe
  2⤵
  PID:2280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe .
1⤵
PID:3536
- C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe
  C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe .
  2⤵
  PID:440
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\asicusjxvjoxusdqlle.exe*."
    3⤵
    PID:5000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pgvofcsfcptbxueqkj.exe
1⤵
PID:4108
- C:\Windows\pgvofcsfcptbxueqkj.exe
  pgvofcsfcptbxueqkj.exe
  2⤵
  PID:3184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gwkcsodplxahcyhsl.exe .
1⤵
PID:1396
- C:\Windows\gwkcsodplxahcyhsl.exe
  gwkcsodplxahcyhsl.exe .
  2⤵
  PID:4056
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\gwkcsodplxahcyhsl.exe*."
    3⤵
    PID:4696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c asicusjxvjoxusdqlle.exe
1⤵
PID:208
- C:\Windows\asicusjxvjoxusdqlle.exe
  asicusjxvjoxusdqlle.exe
  2⤵
  PID:3016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gwkcsodplxahcyhsl.exe .
1⤵
PID:4980
- C:\Windows\gwkcsodplxahcyhsl.exe
  gwkcsodplxahcyhsl.exe .
  2⤵
  PID:1068
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\gwkcsodplxahcyhsl.exe*."
    3⤵
    PID:4676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe
1⤵
PID:4304
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1796
- C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe
  C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe
  2⤵
  PID:3960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe .
1⤵
PID:1376
- C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe
  C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe .
  2⤵
  PID:2440
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\cwokeexnndkvuuhwtvqkc.exe*."
    3⤵
    PID:4968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ngxslkcrqflvtsesopjc.exe
1⤵
PID:4580
- C:\Windows\ngxslkcrqflvtsesopjc.exe
  ngxslkcrqflvtsesopjc.exe
  2⤵
  PID:1320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qesqlzugfqtbxueqkj.exe
1⤵
PID:2800
- C:\Windows\qesqlzugfqtbxueqkj.exe
  qesqlzugfqtbxueqkj.exe
  2⤵
  PID:4916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pgvofcsfcptbxueqkj.exe
1⤵
PID:1384
- C:\Users\Admin\AppData\Local\Temp\pgvofcsfcptbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\pgvofcsfcptbxueqkj.exe
  2⤵
  PID:3316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pgvofcsfcptbxueqkj.exe .
1⤵
PID:4392
- C:\Windows\pgvofcsfcptbxueqkj.exe
  pgvofcsfcptbxueqkj.exe .
  2⤵
  PID:3836
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\pgvofcsfcptbxueqkj.exe*."
    3⤵
    PID:4256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe .
1⤵
PID:2944
- C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe .
  2⤵
  PID:2836
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\zobshcqbwhjpjemw.exe*."
    3⤵
    PID:3488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bqfeaplyykoxusdqllf.exe .
1⤵
PID:1812
- C:\Windows\bqfeaplyykoxusdqllf.exe
  bqfeaplyykoxusdqllf.exe .
  2⤵
  PID:3604
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\bqfeaplyykoxusdqllf.exe*."
    3⤵
    PID:4280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ngxslkcrqflvtsesopjc.exe
1⤵
PID:3540
- C:\Windows\ngxslkcrqflvtsesopjc.exe
  ngxslkcrqflvtsesopjc.exe
  2⤵
  PID:5032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gwkcsodplxahcyhsl.exe .
1⤵
PID:4452
- C:\Windows\gwkcsodplxahcyhsl.exe
  gwkcsodplxahcyhsl.exe .
  2⤵
  PID:5060
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\gwkcsodplxahcyhsl.exe*."
    3⤵
    PID:4100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bqfeaplyykoxusdqllf.exe
1⤵
PID:464
- C:\Windows\bqfeaplyykoxusdqllf.exe
  bqfeaplyykoxusdqllf.exe
  2⤵
  PID:4952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe
1⤵
PID:2576
- C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe
  C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe
  2⤵
  PID:2804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oeuurhestglvtsesopka.exe .
1⤵
PID:540
- C:\Windows\oeuurhestglvtsesopka.exe
  oeuurhestglvtsesopka.exe .
  2⤵
  PID:4352
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\oeuurhestglvtsesopka.exe*."
    3⤵
    PID:3856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pgvofcsfcptbxueqkj.exe .
1⤵
PID:3412
- C:\Users\Admin\AppData\Local\Temp\pgvofcsfcptbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\pgvofcsfcptbxueqkj.exe .
  2⤵
  PID:4868
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\pgvofcsfcptbxueqkj.exe*."
    3⤵
    PID:1996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe
1⤵
PID:3712
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3916
- C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe
  2⤵
  PID:2988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qesqlzugfqtbxueqkj.exe .
1⤵
PID:5056
- C:\Users\Admin\AppData\Local\Temp\qesqlzugfqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\qesqlzugfqtbxueqkj.exe .
  2⤵
  PID:2392
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\qesqlzugfqtbxueqkj.exe*."
    3⤵
    PID:3300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pgvofcsfcptbxueqkj.exe
1⤵
PID:2112
- C:\Users\Admin\AppData\Local\Temp\pgvofcsfcptbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\pgvofcsfcptbxueqkj.exe
  2⤵
  PID:5000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oeuurhestglvtsesopka.exe
1⤵
PID:5072
- C:\Users\Admin\AppData\Local\Temp\oeuurhestglvtsesopka.exe
  C:\Users\Admin\AppData\Local\Temp\oeuurhestglvtsesopka.exe
  2⤵
  PID:4820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe .
1⤵
PID:4468
- C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe
  C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe .
  2⤵
  PID:4476
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\asicusjxvjoxusdqlle.exe*."
    3⤵
    PID:4008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oeuurhestglvtsesopka.exe .
1⤵
PID:2116
- C:\Users\Admin\AppData\Local\Temp\oeuurhestglvtsesopka.exe
  C:\Users\Admin\AppData\Local\Temp\oeuurhestglvtsesopka.exe .
  2⤵
  PID:4796
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\oeuurhestglvtsesopka.exe*."
    3⤵
    PID:2012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cwokeexnndkvuuhwtvqkc.exe
1⤵
PID:4756
- C:\Windows\cwokeexnndkvuuhwtvqkc.exe
  cwokeexnndkvuuhwtvqkc.exe
  2⤵
  PID:3280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pgvofcsfcptbxueqkj.exe .
1⤵
PID:648
- C:\Windows\pgvofcsfcptbxueqkj.exe
  pgvofcsfcptbxueqkj.exe .
  2⤵
  PID:4560
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\pgvofcsfcptbxueqkj.exe*."
    3⤵
    PID:3972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zobshcqbwhjpjemw.exe
1⤵
PID:4424
- C:\Windows\zobshcqbwhjpjemw.exe
  zobshcqbwhjpjemw.exe
  2⤵
  PID:1520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zobshcqbwhjpjemw.exe
1⤵
PID:1596
- C:\Windows\zobshcqbwhjpjemw.exe
  zobshcqbwhjpjemw.exe
  2⤵
  PID:5016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ngxslkcrqflvtsesopjc.exe .
1⤵
PID:4524
- C:\Windows\ngxslkcrqflvtsesopjc.exe
  ngxslkcrqflvtsesopjc.exe .
  2⤵
  PID:2300
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ngxslkcrqflvtsesopjc.exe*."
    3⤵
    PID:3912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c asicusjxvjoxusdqlle.exe .
1⤵
PID:556
- C:\Windows\asicusjxvjoxusdqlle.exe
  asicusjxvjoxusdqlle.exe .
  2⤵
  PID:2916
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\asicusjxvjoxusdqlle.exe*."
    3⤵
    PID:3980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe
1⤵
PID:3180
- C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe
  2⤵
  PID:4868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ngxslkcrqflvtsesopjc.exe
1⤵
PID:2684
- C:\Windows\ngxslkcrqflvtsesopjc.exe
  ngxslkcrqflvtsesopjc.exe
  2⤵
  PID:4584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pgvofcsfcptbxueqkj.exe .
1⤵
PID:4280
- C:\Users\Admin\AppData\Local\Temp\pgvofcsfcptbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\pgvofcsfcptbxueqkj.exe .
  2⤵
  PID:1528
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\pgvofcsfcptbxueqkj.exe*."
    3⤵
    PID:2104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pgvofcsfcptbxueqkj.exe .
1⤵
PID:3992
- C:\Windows\pgvofcsfcptbxueqkj.exe
  pgvofcsfcptbxueqkj.exe .
  2⤵
  PID:1068
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\pgvofcsfcptbxueqkj.exe*."
    3⤵
    PID:2692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe
1⤵
PID:4580
- C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe
  2⤵
  PID:4012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe .
1⤵
PID:3304
- C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe
  C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe .
  2⤵
  PID:1564
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\asicusjxvjoxusdqlle.exe*."
    3⤵
    PID:3492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe
1⤵
PID:1676
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4752
- C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe
  C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe
  2⤵
  PID:536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe .
1⤵
PID:5044
- C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe
  C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe .
  2⤵
  PID:2520
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\asicusjxvjoxusdqlle.exe*."
    3⤵
    PID:1508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pgvofcsfcptbxueqkj.exe
1⤵
PID:2244
- C:\Users\Admin\AppData\Local\Temp\pgvofcsfcptbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\pgvofcsfcptbxueqkj.exe
  2⤵
  PID:5020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe .
1⤵
PID:2176
- C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe .
  2⤵
  PID:4916
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\zobshcqbwhjpjemw.exe*."
    3⤵
    PID:3476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ngxslkcrqflvtsesopjc.exe
1⤵
PID:4684
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2832
- C:\Windows\ngxslkcrqflvtsesopjc.exe
  ngxslkcrqflvtsesopjc.exe
  2⤵
  PID:3156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zobshcqbwhjpjemw.exe .
1⤵
PID:640
- C:\Windows\zobshcqbwhjpjemw.exe
  zobshcqbwhjpjemw.exe .
  2⤵
  PID:5108
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\zobshcqbwhjpjemw.exe*."
    3⤵
    PID:4284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ngxslkcrqflvtsesopjc.exe
1⤵
PID:2464
- C:\Windows\ngxslkcrqflvtsesopjc.exe
  ngxslkcrqflvtsesopjc.exe
  2⤵
  PID:4508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cwokeexnndkvuuhwtvqkc.exe .
1⤵
PID:4864
- C:\Windows\cwokeexnndkvuuhwtvqkc.exe
  cwokeexnndkvuuhwtvqkc.exe .
  2⤵
  PID:1092
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\cwokeexnndkvuuhwtvqkc.exe*."
    3⤵
    PID:3048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe
1⤵
PID:3224
- C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe
  C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe
  2⤵
  PID:3440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe .
1⤵
PID:4580
- C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe
  C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe .
  2⤵
  PID:4452
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ngxslkcrqflvtsesopjc.exe*."
    3⤵
    PID:4336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe
1⤵
PID:3232
- C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe
  C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe
  2⤵
  PID:2280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe .
1⤵
PID:3412
- C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe .
  2⤵
  PID:2112
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\gwkcsodplxahcyhsl.exe*."
    3⤵
    PID:3476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cwokeexnndkvuuhwtvqkc.exe
1⤵
PID:4808
- C:\Windows\cwokeexnndkvuuhwtvqkc.exe
  cwokeexnndkvuuhwtvqkc.exe
  2⤵
  PID:1740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gwkcsodplxahcyhsl.exe .
1⤵
PID:3992
- C:\Windows\gwkcsodplxahcyhsl.exe
  gwkcsodplxahcyhsl.exe .
  2⤵
  PID:3028
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\gwkcsodplxahcyhsl.exe*."
    3⤵
    PID:2240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gwkcsodplxahcyhsl.exe
1⤵
PID:3356
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1388
- C:\Windows\gwkcsodplxahcyhsl.exe
  gwkcsodplxahcyhsl.exe
  2⤵
  PID:2296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c asicusjxvjoxusdqlle.exe .
1⤵
PID:1048
- C:\Windows\asicusjxvjoxusdqlle.exe
  asicusjxvjoxusdqlle.exe .
  2⤵
  PID:2200
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\asicusjxvjoxusdqlle.exe*."
    3⤵
    PID:3184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe
1⤵
PID:3508
- C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe
  C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe
  2⤵
  PID:1344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe .
1⤵
PID:3516
- C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe
  C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe .
  2⤵
  PID:5108
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\cwokeexnndkvuuhwtvqkc.exe*."
    3⤵
    PID:1620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe
1⤵
PID:4652
- C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe
  2⤵
  PID:3684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe .
1⤵
PID:2460
- C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe .
  2⤵
  PID:2076
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\gwkcsodplxahcyhsl.exe*."
    3⤵
    PID:3972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ngxslkcrqflvtsesopjc.exe
1⤵
PID:2252
- C:\Windows\ngxslkcrqflvtsesopjc.exe
  ngxslkcrqflvtsesopjc.exe
  2⤵
  PID:2768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c asicusjxvjoxusdqlle.exe .
1⤵
PID:3488
- C:\Windows\asicusjxvjoxusdqlle.exe
  asicusjxvjoxusdqlle.exe .
  2⤵
  PID:1932
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\asicusjxvjoxusdqlle.exe*."
    3⤵
    PID:3992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c asicusjxvjoxusdqlle.exe
1⤵
PID:1404
- C:\Windows\asicusjxvjoxusdqlle.exe
  asicusjxvjoxusdqlle.exe
  2⤵
  PID:2296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pgvofcsfcptbxueqkj.exe .
1⤵
PID:2228
- C:\Windows\pgvofcsfcptbxueqkj.exe
  pgvofcsfcptbxueqkj.exe .
  2⤵
  PID:1824
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\pgvofcsfcptbxueqkj.exe*."
    3⤵
    PID:5000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pgvofcsfcptbxueqkj.exe
1⤵
PID:4044
- C:\Users\Admin\AppData\Local\Temp\pgvofcsfcptbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\pgvofcsfcptbxueqkj.exe
  2⤵
  PID:4676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe .
1⤵
PID:1776
- C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe
  C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe .
  2⤵
  PID:1284
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\asicusjxvjoxusdqlle.exe*."
    3⤵
    PID:2944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe
1⤵
PID:808
- C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe
  C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe
  2⤵
  PID:2104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe .
1⤵
PID:464
- C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe
  C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe .
  2⤵
  PID:4100
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\cwokeexnndkvuuhwtvqkc.exe*."
    3⤵
    PID:2804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zobshcqbwhjpjemw.exe
1⤵
PID:2316
- C:\Windows\zobshcqbwhjpjemw.exe
  zobshcqbwhjpjemw.exe
  2⤵
  PID:2392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c asicusjxvjoxusdqlle.exe .
1⤵
PID:1676
- C:\Windows\asicusjxvjoxusdqlle.exe
  asicusjxvjoxusdqlle.exe .
  2⤵
  PID:2472
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\asicusjxvjoxusdqlle.exe*."
    3⤵
    PID:3992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cwokeexnndkvuuhwtvqkc.exe
1⤵
PID:3836
- C:\Windows\cwokeexnndkvuuhwtvqkc.exe
  cwokeexnndkvuuhwtvqkc.exe
  2⤵
  PID:1404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c asicusjxvjoxusdqlle.exe .
1⤵
PID:1236
- C:\Windows\asicusjxvjoxusdqlle.exe
  asicusjxvjoxusdqlle.exe .
  2⤵
  PID:4980
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\asicusjxvjoxusdqlle.exe*."
    3⤵
    PID:4952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe
1⤵
PID:2192
- C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe
  2⤵
  PID:2336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe .
1⤵
PID:4056
- C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe
  C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe .
  2⤵
  PID:1284
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\cwokeexnndkvuuhwtvqkc.exe*."
    3⤵
    PID:2228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe
1⤵
PID:1776
- C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe
  C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe
  2⤵
  PID:4524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe .
1⤵
PID:2104
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2280
- C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe .
  2⤵
  PID:736
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\gwkcsodplxahcyhsl.exe*."
    3⤵
    PID:4336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pgvofcsfcptbxueqkj.exe
1⤵
PID:4144
- C:\Windows\pgvofcsfcptbxueqkj.exe
  pgvofcsfcptbxueqkj.exe
  2⤵
  PID:3028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cwokeexnndkvuuhwtvqkc.exe .
1⤵
PID:3156
- C:\Windows\cwokeexnndkvuuhwtvqkc.exe
  cwokeexnndkvuuhwtvqkc.exe .
  2⤵
  PID:2240
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\cwokeexnndkvuuhwtvqkc.exe*."
    3⤵
    PID:5032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cwokeexnndkvuuhwtvqkc.exe
1⤵
PID:1404
- C:\Windows\cwokeexnndkvuuhwtvqkc.exe
  cwokeexnndkvuuhwtvqkc.exe
  2⤵
  PID:4676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zobshcqbwhjpjemw.exe .
1⤵
PID:1048
- C:\Windows\zobshcqbwhjpjemw.exe
  zobshcqbwhjpjemw.exe .
  2⤵
  PID:1620
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\zobshcqbwhjpjemw.exe*."
    3⤵
    PID:1924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe
1⤵
PID:4952
- C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe
  2⤵
  PID:1396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe .
1⤵
PID:1860
- C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe
  C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe .
  2⤵
  PID:4108
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ngxslkcrqflvtsesopjc.exe*."
    3⤵
    PID:1392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe
1⤵
PID:3972
- C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe
  2⤵
  PID:2044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zobshcqbwhjpjemw.exe
1⤵
PID:2112
- C:\Windows\zobshcqbwhjpjemw.exe
  zobshcqbwhjpjemw.exe
  2⤵
  PID:2372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe .
1⤵
PID:5104
- C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe
  C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe .
  2⤵
  PID:4808
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\asicusjxvjoxusdqlle.exe*."
    3⤵
    PID:2164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oeuurhestglvtsesopka.exe
1⤵
PID:3628
- C:\Windows\oeuurhestglvtsesopka.exe
  oeuurhestglvtsesopka.exe
  2⤵
  PID:3528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gwkcsodplxahcyhsl.exe .
1⤵
PID:4012
- C:\Windows\gwkcsodplxahcyhsl.exe
  gwkcsodplxahcyhsl.exe .
  2⤵
  PID:1400
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\gwkcsodplxahcyhsl.exe*."
    3⤵
    PID:4100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bqfeaplyykoxusdqllf.exe .
1⤵
PID:1376
- C:\Windows\bqfeaplyykoxusdqllf.exe
  bqfeaplyykoxusdqllf.exe .
  2⤵
  PID:3860
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\bqfeaplyykoxusdqllf.exe*."
    3⤵
    PID:228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gwkcsodplxahcyhsl.exe
1⤵
PID:1236
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1396
- C:\Windows\gwkcsodplxahcyhsl.exe
  gwkcsodplxahcyhsl.exe
  2⤵
  PID:3356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cwokeexnndkvuuhwtvqkc.exe .
1⤵
PID:1924
- C:\Windows\cwokeexnndkvuuhwtvqkc.exe
  cwokeexnndkvuuhwtvqkc.exe .
  2⤵
  PID:1860
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\cwokeexnndkvuuhwtvqkc.exe*."
    3⤵
    PID:2284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c amyunzsczijpjemw.exe
1⤵
PID:2944
- C:\Windows\amyunzsczijpjemw.exe
  amyunzsczijpjemw.exe
  2⤵
  PID:3796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe
1⤵
PID:2440
- C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe
  C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe
  2⤵
  PID:4424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bqfeaplyykoxusdqllf.exe .
1⤵
PID:3440
- C:\Windows\bqfeaplyykoxusdqllf.exe
  bqfeaplyykoxusdqllf.exe .
  2⤵
  PID:2340
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\bqfeaplyykoxusdqllf.exe*."
    3⤵
    PID:5392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe .
1⤵
PID:736
- C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe
  C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe .
  2⤵
  PID:2644
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\cwokeexnndkvuuhwtvqkc.exe*."
    3⤵
    PID:5424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qesqlzugfqtbxueqkj.exe
1⤵
PID:1392
- C:\Users\Admin\AppData\Local\Temp\qesqlzugfqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\qesqlzugfqtbxueqkj.exe
  2⤵
  PID:4396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oeuurhestglvtsesopka.exe .
1⤵
PID:3692
- C:\Users\Admin\AppData\Local\Temp\oeuurhestglvtsesopka.exe
  C:\Users\Admin\AppData\Local\Temp\oeuurhestglvtsesopka.exe .
  2⤵
  PID:440
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\oeuurhestglvtsesopka.exe*."
    3⤵
    PID:4324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c asicusjxvjoxusdqlle.exe
1⤵
PID:4824
- C:\Windows\asicusjxvjoxusdqlle.exe
  asicusjxvjoxusdqlle.exe
  2⤵
  PID:5236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe
1⤵
PID:2092
- C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe
  C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe
  2⤵
  PID:5336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ngxslkcrqflvtsesopjc.exe .
1⤵
PID:4376
- C:\Windows\ngxslkcrqflvtsesopjc.exe
  ngxslkcrqflvtsesopjc.exe .
  2⤵
  PID:5412
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ngxslkcrqflvtsesopjc.exe*."
    3⤵
    PID:5744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe .
1⤵
PID:3092
- C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe .
  2⤵
  PID:5728
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\zobshcqbwhjpjemw.exe*."
    3⤵
    PID:6072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oeuurhestglvtsesopka.exe
1⤵
PID:3944
- C:\Users\Admin\AppData\Local\Temp\oeuurhestglvtsesopka.exe
  C:\Users\Admin\AppData\Local\Temp\oeuurhestglvtsesopka.exe
  2⤵
  PID:5452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\huheylfqoyahcyhsl.exe .
1⤵
PID:2228
- C:\Users\Admin\AppData\Local\Temp\huheylfqoyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\huheylfqoyahcyhsl.exe .
  2⤵
  PID:5372
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\huheylfqoyahcyhsl.exe*."
    3⤵
    PID:5844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c asicusjxvjoxusdqlle.exe
1⤵
PID:4524
- C:\Windows\asicusjxvjoxusdqlle.exe
  asicusjxvjoxusdqlle.exe
  2⤵
  PID:5496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pgvofcsfcptbxueqkj.exe .
1⤵
PID:5032
- C:\Windows\pgvofcsfcptbxueqkj.exe
  pgvofcsfcptbxueqkj.exe .
  2⤵
  PID:5588
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\pgvofcsfcptbxueqkj.exe*."
    3⤵
    PID:5972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe
1⤵
PID:1172
- C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe
  2⤵
  PID:5616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe .
1⤵
PID:5176
- C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe
  C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe .
  2⤵
  PID:5880
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\asicusjxvjoxusdqlle.exe*."
    3⤵
    PID:1124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pgvofcsfcptbxueqkj.exe
1⤵
PID:5460
- C:\Windows\pgvofcsfcptbxueqkj.exe
  pgvofcsfcptbxueqkj.exe
  2⤵
  PID:4508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe
1⤵
PID:5480
- C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe
  2⤵
  PID:4564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe .
1⤵
PID:5628
- C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe
  C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe .
  2⤵
  PID:4284
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ngxslkcrqflvtsesopjc.exe*."
    3⤵
    PID:2116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cwokeexnndkvuuhwtvqkc.exe .
1⤵
PID:5736
- C:\Windows\cwokeexnndkvuuhwtvqkc.exe
  cwokeexnndkvuuhwtvqkc.exe .
  2⤵
  PID:4196
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\cwokeexnndkvuuhwtvqkc.exe*."
    3⤵
    PID:5396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ngxslkcrqflvtsesopjc.exe
1⤵
PID:5916
- C:\Windows\ngxslkcrqflvtsesopjc.exe
  ngxslkcrqflvtsesopjc.exe
  2⤵
  PID:624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pgvofcsfcptbxueqkj.exe .
1⤵
PID:6000
- C:\Windows\pgvofcsfcptbxueqkj.exe
  pgvofcsfcptbxueqkj.exe .
  2⤵
  PID:5288
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\pgvofcsfcptbxueqkj.exe*."
    3⤵
    PID:1384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe
1⤵
PID:6080
- C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe
  C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe
  2⤵
  PID:5420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pgvofcsfcptbxueqkj.exe .
1⤵
PID:3528
- C:\Users\Admin\AppData\Local\Temp\pgvofcsfcptbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\pgvofcsfcptbxueqkj.exe .
  2⤵
  PID:648
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\pgvofcsfcptbxueqkj.exe*."
    3⤵
    PID:5476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gwkcsodplxahcyhsl.exe
1⤵
PID:4384
- C:\Windows\gwkcsodplxahcyhsl.exe
  gwkcsodplxahcyhsl.exe
  2⤵
  PID:5452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe
1⤵
PID:4980
- C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe
  2⤵
  PID:6140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ngxslkcrqflvtsesopjc.exe .
1⤵
PID:4652
- C:\Windows\ngxslkcrqflvtsesopjc.exe
  ngxslkcrqflvtsesopjc.exe .
  2⤵
  PID:5908
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ngxslkcrqflvtsesopjc.exe*."
    3⤵
    PID:5852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe .
1⤵
PID:2644
- C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe .
  2⤵
  PID:6132
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\zobshcqbwhjpjemw.exe*."
    3⤵
    PID:440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ngxslkcrqflvtsesopjc.exe
1⤵
PID:5500
- C:\Windows\ngxslkcrqflvtsesopjc.exe
  ngxslkcrqflvtsesopjc.exe
  2⤵
  PID:4940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gwkcsodplxahcyhsl.exe .
1⤵
PID:5124
- C:\Windows\gwkcsodplxahcyhsl.exe
  gwkcsodplxahcyhsl.exe .
  2⤵
  PID:3424
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\gwkcsodplxahcyhsl.exe*."
    3⤵
    PID:5752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe
1⤵
PID:5416
- C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe
  2⤵
  PID:5688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe .
1⤵
PID:5660
- C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe
  C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe .
  2⤵
  PID:5640
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\cwokeexnndkvuuhwtvqkc.exe*."
    3⤵
    PID:6056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe
1⤵
PID:1508
- C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe
  2⤵
  PID:1596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe .
1⤵
PID:1172
- C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe
  C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe .
  2⤵
  PID:3516
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\asicusjxvjoxusdqlle.exe*."
    3⤵
    PID:1772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c asicusjxvjoxusdqlle.exe
1⤵
PID:3508
- C:\Windows\asicusjxvjoxusdqlle.exe
  asicusjxvjoxusdqlle.exe
  2⤵
  PID:4580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gwkcsodplxahcyhsl.exe .
1⤵
PID:624
- C:\Windows\gwkcsodplxahcyhsl.exe
  gwkcsodplxahcyhsl.exe .
  2⤵
  PID:1400
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\gwkcsodplxahcyhsl.exe*."
    3⤵
    PID:5460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c asicusjxvjoxusdqlle.exe
1⤵
PID:5340
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2944
- C:\Windows\asicusjxvjoxusdqlle.exe
  asicusjxvjoxusdqlle.exe
  2⤵
  PID:1236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gwkcsodplxahcyhsl.exe .
1⤵
PID:3972
- C:\Windows\gwkcsodplxahcyhsl.exe
  gwkcsodplxahcyhsl.exe .
  2⤵
  PID:5944
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\gwkcsodplxahcyhsl.exe*."
    3⤵
    PID:5740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe
1⤵
PID:1064
- C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe
  C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe
  2⤵
  PID:4396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe .
1⤵
PID:5684
- C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe
  C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe .
  2⤵
  PID:5496
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\asicusjxvjoxusdqlle.exe*."
    3⤵
    PID:5212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe
1⤵
PID:4384
- C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe
  C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe
  2⤵
  PID:2016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe .
1⤵
PID:6004
- C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe
  C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe .
  2⤵
  PID:2176
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ngxslkcrqflvtsesopjc.exe*."
    3⤵
    PID:3944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gwkcsodplxahcyhsl.exe
1⤵
PID:2472
- C:\Windows\gwkcsodplxahcyhsl.exe
  gwkcsodplxahcyhsl.exe
  2⤵
  PID:1092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cwokeexnndkvuuhwtvqkc.exe .
1⤵
PID:4652
- C:\Windows\cwokeexnndkvuuhwtvqkc.exe
  cwokeexnndkvuuhwtvqkc.exe .
  2⤵
  PID:5816
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\cwokeexnndkvuuhwtvqkc.exe*."
    3⤵
    PID:3940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zobshcqbwhjpjemw.exe
1⤵
PID:6128
- C:\Windows\zobshcqbwhjpjemw.exe
  zobshcqbwhjpjemw.exe
  2⤵
  PID:5640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ngxslkcrqflvtsesopjc.exe .
1⤵
PID:2164
- C:\Windows\ngxslkcrqflvtsesopjc.exe
  ngxslkcrqflvtsesopjc.exe .
  2⤵
  PID:440
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ngxslkcrqflvtsesopjc.exe*."
    3⤵
    PID:3064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe
1⤵
PID:3092
- C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe
  2⤵
  PID:3516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe .
1⤵
PID:5660
- C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe .
  2⤵
  PID:4604
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\gwkcsodplxahcyhsl.exe*."
    3⤵
    PID:2736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pgvofcsfcptbxueqkj.exe
1⤵
PID:6136
- C:\Users\Admin\AppData\Local\Temp\pgvofcsfcptbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\pgvofcsfcptbxueqkj.exe
  2⤵
  PID:1596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe .
1⤵
PID:2644
- C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe .
  2⤵
  PID:5708
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\gwkcsodplxahcyhsl.exe*."
    3⤵
    PID:5108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gwkcsodplxahcyhsl.exe
1⤵
PID:5172
- C:\Windows\gwkcsodplxahcyhsl.exe
  gwkcsodplxahcyhsl.exe
  2⤵
  PID:5672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gwkcsodplxahcyhsl.exe .
1⤵
PID:5284
- C:\Windows\gwkcsodplxahcyhsl.exe
  gwkcsodplxahcyhsl.exe .
  2⤵
  PID:6084
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\gwkcsodplxahcyhsl.exe*."
    3⤵
    PID:5704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gwkcsodplxahcyhsl.exe
1⤵
PID:6016
- C:\Windows\gwkcsodplxahcyhsl.exe
  gwkcsodplxahcyhsl.exe
  2⤵
  PID:1064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cwokeexnndkvuuhwtvqkc.exe .
1⤵
PID:5944
- C:\Windows\cwokeexnndkvuuhwtvqkc.exe
  cwokeexnndkvuuhwtvqkc.exe .
  2⤵
  PID:5512
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\cwokeexnndkvuuhwtvqkc.exe*."
    3⤵
    PID:2016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe
1⤵
PID:3436
- C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe
  C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe
  2⤵
  PID:3476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe .
1⤵
PID:5864
- C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe .
  2⤵
  PID:5984
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\zobshcqbwhjpjemw.exe*."
    3⤵
    PID:2176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe
1⤵
PID:6056
- C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe
  C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe
  2⤵
  PID:220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe .
1⤵
PID:6048
- C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe
  C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe .
  2⤵
  PID:5500
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\asicusjxvjoxusdqlle.exe*."
    3⤵
    PID:5724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zobshcqbwhjpjemw.exe
1⤵
PID:5732
- C:\Windows\zobshcqbwhjpjemw.exe
  zobshcqbwhjpjemw.exe
  2⤵
  PID:4056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pgvofcsfcptbxueqkj.exe .
1⤵
PID:1244
- C:\Windows\pgvofcsfcptbxueqkj.exe
  pgvofcsfcptbxueqkj.exe .
  2⤵
  PID:2804
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\pgvofcsfcptbxueqkj.exe*."
    3⤵
    PID:5216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gwkcsodplxahcyhsl.exe
1⤵
PID:736
- C:\Windows\gwkcsodplxahcyhsl.exe
  gwkcsodplxahcyhsl.exe
  2⤵
  PID:5472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cwokeexnndkvuuhwtvqkc.exe .
1⤵
PID:1112
- C:\Windows\cwokeexnndkvuuhwtvqkc.exe
  cwokeexnndkvuuhwtvqkc.exe .
  2⤵
  PID:4576
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\cwokeexnndkvuuhwtvqkc.exe*."
    3⤵
    PID:3404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe
1⤵
PID:1772
- C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe
  2⤵
  PID:1864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe .
1⤵
PID:5332
- C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe
  C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe .
  2⤵
  PID:5588
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\cwokeexnndkvuuhwtvqkc.exe*."
    3⤵
    PID:6136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe
1⤵
PID:5656
- C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe
  C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe
  2⤵
  PID:5456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe .
1⤵
PID:5020
- C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe
  C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe .
  2⤵
  PID:5608
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ngxslkcrqflvtsesopjc.exe*."
    3⤵
    PID:3992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cwokeexnndkvuuhwtvqkc.exe
1⤵
PID:6064
- C:\Windows\cwokeexnndkvuuhwtvqkc.exe
  cwokeexnndkvuuhwtvqkc.exe
  2⤵
  PID:6084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zobshcqbwhjpjemw.exe
1⤵
PID:5956
- C:\Windows\zobshcqbwhjpjemw.exe
  zobshcqbwhjpjemw.exe
  2⤵
  PID:4584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c huheylfqoyahcyhsl.exe
1⤵
PID:6036
- C:\Windows\huheylfqoyahcyhsl.exe
  huheylfqoyahcyhsl.exe
  2⤵
  PID:5980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c asicusjxvjoxusdqlle.exe .
1⤵
PID:888
- C:\Windows\asicusjxvjoxusdqlle.exe
  asicusjxvjoxusdqlle.exe .
  2⤵
  PID:3972
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\asicusjxvjoxusdqlle.exe*."
    3⤵
    PID:5688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zobshcqbwhjpjemw.exe .
1⤵
PID:4868
- C:\Windows\zobshcqbwhjpjemw.exe
  zobshcqbwhjpjemw.exe .
  2⤵
  PID:3536
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\zobshcqbwhjpjemw.exe*."
    3⤵
    PID:5616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qesqlzugfqtbxueqkj.exe .
1⤵
PID:5636
- C:\Windows\qesqlzugfqtbxueqkj.exe
  qesqlzugfqtbxueqkj.exe .
  2⤵
  PID:3156
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\qesqlzugfqtbxueqkj.exe*."
    3⤵
    PID:5448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gwkcsodplxahcyhsl.exe
1⤵
PID:3692
- C:\Windows\gwkcsodplxahcyhsl.exe
  gwkcsodplxahcyhsl.exe
  2⤵
  PID:5600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ngxslkcrqflvtsesopjc.exe .
1⤵
PID:2184
- C:\Windows\ngxslkcrqflvtsesopjc.exe
  ngxslkcrqflvtsesopjc.exe .
  2⤵
  PID:5472
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ngxslkcrqflvtsesopjc.exe*."
    3⤵
    PID:1508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pgvofcsfcptbxueqkj.exe
1⤵
PID:3492
- C:\Windows\pgvofcsfcptbxueqkj.exe
  pgvofcsfcptbxueqkj.exe
  2⤵
  PID:6136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oeuurhestglvtsesopka.exe
1⤵
PID:4248
- C:\Windows\oeuurhestglvtsesopka.exe
  oeuurhestglvtsesopka.exe
  2⤵
  PID:5436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe
1⤵
PID:4008
- C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe
  2⤵
  PID:1772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pgvofcsfcptbxueqkj.exe .
1⤵
PID:2176
- C:\Windows\pgvofcsfcptbxueqkj.exe
  pgvofcsfcptbxueqkj.exe .
  2⤵
  PID:2468
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\pgvofcsfcptbxueqkj.exe*."
    3⤵
    PID:4804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe .
1⤵
PID:208
- C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe
  C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe .
  2⤵
  PID:5092
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ngxslkcrqflvtsesopjc.exe*."
    3⤵
    PID:5924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oeuurhestglvtsesopka.exe .
1⤵
PID:5680
- C:\Windows\oeuurhestglvtsesopka.exe
  oeuurhestglvtsesopka.exe .
  2⤵
  PID:3424
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\oeuurhestglvtsesopka.exe*."
    3⤵
    PID:5696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe
1⤵
PID:4980
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1388
- C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe
  2⤵
  PID:2944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe
1⤵
PID:4432
- C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe
  2⤵
  PID:2336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe .
1⤵
PID:5416
- C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe
  C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe .
  2⤵
  PID:5316
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\asicusjxvjoxusdqlle.exe*."
    3⤵
    PID:5412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qesqlzugfqtbxueqkj.exe .
1⤵
PID:2472
- C:\Users\Admin\AppData\Local\Temp\qesqlzugfqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\qesqlzugfqtbxueqkj.exe .
  2⤵
  PID:1292
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\qesqlzugfqtbxueqkj.exe*."
    3⤵
    PID:5888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe
1⤵
PID:5732
- C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe
  2⤵
  PID:6080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe .
1⤵
PID:5640
- C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe .
  2⤵
  PID:4020
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\zobshcqbwhjpjemw.exe*."
    3⤵
    PID:3064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe
1⤵
PID:5104
- C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe
  C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe
  2⤵
  PID:5020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qesqlzugfqtbxueqkj.exe
1⤵
PID:5248
- C:\Users\Admin\AppData\Local\Temp\qesqlzugfqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\qesqlzugfqtbxueqkj.exe
  2⤵
  PID:6056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe .
1⤵
PID:2164
- C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe
  C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe .
  2⤵
  PID:3412
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\cwokeexnndkvuuhwtvqkc.exe*."
    3⤵
    PID:1860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\huheylfqoyahcyhsl.exe .
1⤵
PID:5128
- C:\Users\Admin\AppData\Local\Temp\huheylfqoyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\huheylfqoyahcyhsl.exe .
  2⤵
  PID:1068
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\huheylfqoyahcyhsl.exe*."
    3⤵
    PID:5228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ngxslkcrqflvtsesopjc.exe
1⤵
PID:5520
- C:\Windows\ngxslkcrqflvtsesopjc.exe
  ngxslkcrqflvtsesopjc.exe
  2⤵
  PID:4568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c asicusjxvjoxusdqlle.exe .
1⤵
PID:5576
- C:\Windows\asicusjxvjoxusdqlle.exe
  asicusjxvjoxusdqlle.exe .
  2⤵
  PID:972
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\asicusjxvjoxusdqlle.exe*."
    3⤵
    PID:4724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ngxslkcrqflvtsesopjc.exe
1⤵
PID:3852
- C:\Windows\ngxslkcrqflvtsesopjc.exe
  ngxslkcrqflvtsesopjc.exe
  2⤵
  PID:5432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pgvofcsfcptbxueqkj.exe
1⤵
PID:4292
- C:\Windows\pgvofcsfcptbxueqkj.exe
  pgvofcsfcptbxueqkj.exe
  2⤵
  PID:4848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cwokeexnndkvuuhwtvqkc.exe .
1⤵
PID:1380
- C:\Windows\cwokeexnndkvuuhwtvqkc.exe
  cwokeexnndkvuuhwtvqkc.exe .
  2⤵
  PID:4324
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\cwokeexnndkvuuhwtvqkc.exe*."
    3⤵
    PID:5404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pgvofcsfcptbxueqkj.exe .
1⤵
PID:3156
- C:\Windows\pgvofcsfcptbxueqkj.exe
  pgvofcsfcptbxueqkj.exe .
  2⤵
  PID:1824
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\pgvofcsfcptbxueqkj.exe*."
    3⤵
    PID:5168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe
1⤵
PID:112
- C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe
  C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe
  2⤵
  PID:5492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c asicusjxvjoxusdqlle.exe
1⤵
PID:5448
- C:\Windows\asicusjxvjoxusdqlle.exe
  asicusjxvjoxusdqlle.exe
  2⤵
  PID:2944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe .
1⤵
PID:2636
- C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe
  C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe .
  2⤵
  PID:3436
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\cwokeexnndkvuuhwtvqkc.exe*."
    3⤵
    PID:5952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ngxslkcrqflvtsesopjc.exe .
1⤵
PID:2832
- C:\Windows\ngxslkcrqflvtsesopjc.exe
  ngxslkcrqflvtsesopjc.exe .
  2⤵
  PID:6016
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ngxslkcrqflvtsesopjc.exe*."
    3⤵
    PID:4012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe
1⤵
PID:5976
- C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe
  2⤵
  PID:5316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe .
1⤵
PID:3960
- C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe .
  2⤵
  PID:5776
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\gwkcsodplxahcyhsl.exe*."
    3⤵
    PID:5888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe
1⤵
PID:2532
- C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe
  C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe
  2⤵
  PID:5212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe .
1⤵
PID:5292
- C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe
  C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe .
  2⤵
  PID:5268
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ngxslkcrqflvtsesopjc.exe*."
    3⤵
    PID:4056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe
1⤵
PID:6128
- C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe
  C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe
  2⤵
  PID:4100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe .
1⤵
PID:2112
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4992
- C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe
  C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe .
  2⤵
  PID:2012
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ngxslkcrqflvtsesopjc.exe*."
    3⤵
    PID:3040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c asicusjxvjoxusdqlle.exe
1⤵
PID:5628
- C:\Windows\asicusjxvjoxusdqlle.exe
  asicusjxvjoxusdqlle.exe
  2⤵
  PID:4044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cwokeexnndkvuuhwtvqkc.exe .
1⤵
PID:5140
- C:\Windows\cwokeexnndkvuuhwtvqkc.exe
  cwokeexnndkvuuhwtvqkc.exe .
  2⤵
  PID:5184
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\cwokeexnndkvuuhwtvqkc.exe*."
    3⤵
    PID:3944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cwokeexnndkvuuhwtvqkc.exe
1⤵
PID:2192
- C:\Windows\cwokeexnndkvuuhwtvqkc.exe
  cwokeexnndkvuuhwtvqkc.exe
  2⤵
  PID:5652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cwokeexnndkvuuhwtvqkc.exe .
1⤵
PID:4564
- C:\Windows\cwokeexnndkvuuhwtvqkc.exe
  cwokeexnndkvuuhwtvqkc.exe .
  2⤵
  PID:3540
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\cwokeexnndkvuuhwtvqkc.exe*."
    3⤵
    PID:1496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe
1⤵
PID:5640
- C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe
  C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe
  2⤵
  PID:3856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe .
1⤵
PID:5660
- C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe .
  2⤵
  PID:5308
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\gwkcsodplxahcyhsl.exe*."
    3⤵
    PID:3616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe
1⤵
PID:3876
- C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe
  2⤵
  PID:4756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe .
1⤵
PID:2240
- C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe .
  2⤵
  PID:4484
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\zobshcqbwhjpjemw.exe*."
    3⤵
    PID:4432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c asicusjxvjoxusdqlle.exe
1⤵
PID:1140
- C:\Windows\asicusjxvjoxusdqlle.exe
  asicusjxvjoxusdqlle.exe
  2⤵
  PID:1504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zobshcqbwhjpjemw.exe .
1⤵
PID:2736
- C:\Windows\zobshcqbwhjpjemw.exe
  zobshcqbwhjpjemw.exe .
  2⤵
  PID:3436
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\zobshcqbwhjpjemw.exe*."
    3⤵
    PID:3180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cwokeexnndkvuuhwtvqkc.exe
1⤵
PID:452
- C:\Windows\cwokeexnndkvuuhwtvqkc.exe
  cwokeexnndkvuuhwtvqkc.exe
  2⤵
  PID:2300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ngxslkcrqflvtsesopjc.exe .
1⤵
PID:5732
- C:\Windows\ngxslkcrqflvtsesopjc.exe
  ngxslkcrqflvtsesopjc.exe .
  2⤵
  PID:6076
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ngxslkcrqflvtsesopjc.exe*."
    3⤵
    PID:2056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe
1⤵
PID:5376
- C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe
  2⤵
  PID:5296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe .
1⤵
PID:5232
- C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe .
  2⤵
  PID:2912
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\zobshcqbwhjpjemw.exe*."
    3⤵
    PID:2560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe
1⤵
PID:2252
- C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe
  2⤵
  PID:3232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe .
1⤵
PID:5536
- C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe .
  2⤵
  PID:6088
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\gwkcsodplxahcyhsl.exe*."
    3⤵
    PID:5812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ngxslkcrqflvtsesopjc.exe
1⤵
PID:5736
- C:\Windows\ngxslkcrqflvtsesopjc.exe
  ngxslkcrqflvtsesopjc.exe
  2⤵
  PID:5496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gwkcsodplxahcyhsl.exe .
1⤵
PID:2804
- C:\Windows\gwkcsodplxahcyhsl.exe
  gwkcsodplxahcyhsl.exe .
  2⤵
  PID:5624
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\gwkcsodplxahcyhsl.exe*."
    3⤵
    PID:5216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zobshcqbwhjpjemw.exe
1⤵
PID:1124
- C:\Windows\zobshcqbwhjpjemw.exe
  zobshcqbwhjpjemw.exe
  2⤵
  PID:6112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ngxslkcrqflvtsesopjc.exe .
1⤵
PID:1636
- C:\Windows\ngxslkcrqflvtsesopjc.exe
  ngxslkcrqflvtsesopjc.exe .
  2⤵
  PID:5136
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ngxslkcrqflvtsesopjc.exe*."
    3⤵
    PID:3852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pgvofcsfcptbxueqkj.exe
1⤵
PID:5596
- C:\Users\Admin\AppData\Local\Temp\pgvofcsfcptbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\pgvofcsfcptbxueqkj.exe
  2⤵
  PID:1624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pgvofcsfcptbxueqkj.exe .
1⤵
PID:2164
- C:\Users\Admin\AppData\Local\Temp\pgvofcsfcptbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\pgvofcsfcptbxueqkj.exe .
  2⤵
  PID:5452
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\pgvofcsfcptbxueqkj.exe*."
    3⤵
    PID:5756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pgvofcsfcptbxueqkj.exe
1⤵
PID:5352
- C:\Users\Admin\AppData\Local\Temp\pgvofcsfcptbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\pgvofcsfcptbxueqkj.exe
  2⤵
  PID:2016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe .
1⤵
PID:1244
- C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe
  C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe .
  2⤵
  PID:5980
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ngxslkcrqflvtsesopjc.exe*."
    3⤵
    PID:6080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c asicusjxvjoxusdqlle.exe
1⤵
PID:6048
- C:\Windows\asicusjxvjoxusdqlle.exe
  asicusjxvjoxusdqlle.exe
  2⤵
  PID:1140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zobshcqbwhjpjemw.exe .
1⤵
PID:4980
- C:\Windows\zobshcqbwhjpjemw.exe
  zobshcqbwhjpjemw.exe .
  2⤵
  PID:5168
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\zobshcqbwhjpjemw.exe*."
    3⤵
    PID:6104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zobshcqbwhjpjemw.exe
1⤵
PID:2736
- C:\Windows\zobshcqbwhjpjemw.exe
  zobshcqbwhjpjemw.exe
  2⤵
  PID:3156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zobshcqbwhjpjemw.exe .
1⤵
PID:5664
- C:\Windows\zobshcqbwhjpjemw.exe
  zobshcqbwhjpjemw.exe .
  2⤵
  PID:5296
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\zobshcqbwhjpjemw.exe*."
    3⤵
    PID:4468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe
1⤵
PID:3424
- C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe
  2⤵
  PID:1344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe .
1⤵
PID:5672
- C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe
  C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe .
  2⤵
  PID:5400
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\cwokeexnndkvuuhwtvqkc.exe*."
    3⤵
    PID:2532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe
1⤵
PID:4584
- C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe
  C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe
  2⤵
  PID:1856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe .
1⤵
PID:5288
- C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe
  C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe .
  2⤵
  PID:5372
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\cwokeexnndkvuuhwtvqkc.exe*."
    3⤵
    PID:5656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c asicusjxvjoxusdqlle.exe
1⤵
PID:6008
- C:\Windows\asicusjxvjoxusdqlle.exe
  asicusjxvjoxusdqlle.exe
  2⤵
  PID:1500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cwokeexnndkvuuhwtvqkc.exe .
1⤵
PID:1564
- C:\Windows\cwokeexnndkvuuhwtvqkc.exe
  cwokeexnndkvuuhwtvqkc.exe .
  2⤵
  PID:5744
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\cwokeexnndkvuuhwtvqkc.exe*."
    3⤵
    PID:1448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gwkcsodplxahcyhsl.exe
1⤵
PID:5900
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4684
- C:\Windows\gwkcsodplxahcyhsl.exe
  gwkcsodplxahcyhsl.exe
  2⤵
  PID:2360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c asicusjxvjoxusdqlle.exe
1⤵
PID:5760
- C:\Windows\asicusjxvjoxusdqlle.exe
  asicusjxvjoxusdqlle.exe
  2⤵
  PID:5624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gwkcsodplxahcyhsl.exe .
1⤵
PID:2472
- C:\Windows\gwkcsodplxahcyhsl.exe
  gwkcsodplxahcyhsl.exe .
  2⤵
  PID:5568
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\gwkcsodplxahcyhsl.exe*."
    3⤵
    PID:5884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cwokeexnndkvuuhwtvqkc.exe .
1⤵
PID:2464
- C:\Windows\cwokeexnndkvuuhwtvqkc.exe
  cwokeexnndkvuuhwtvqkc.exe .
  2⤵
  PID:5384
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\cwokeexnndkvuuhwtvqkc.exe*."
    3⤵
    PID:5196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe
1⤵
PID:5332
- C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe
  C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe
  2⤵
  PID:4988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c huheylfqoyahcyhsl.exe
1⤵
PID:6024
- C:\Windows\huheylfqoyahcyhsl.exe
  huheylfqoyahcyhsl.exe
  2⤵
  PID:6028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ngxslkcrqflvtsesopjc.exe
1⤵
PID:808
- C:\Windows\ngxslkcrqflvtsesopjc.exe
  ngxslkcrqflvtsesopjc.exe
  2⤵
  PID:4108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe .
1⤵
PID:4604
- C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe .
  2⤵
  PID:1824
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\zobshcqbwhjpjemw.exe*."
    3⤵
    PID:1644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gwkcsodplxahcyhsl.exe .
1⤵
PID:4496
- C:\Windows\gwkcsodplxahcyhsl.exe
  gwkcsodplxahcyhsl.exe .
  2⤵
  PID:5340
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\gwkcsodplxahcyhsl.exe*."
    3⤵
    PID:5400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bqfeaplyykoxusdqllf.exe .
1⤵
PID:1968
- C:\Windows\bqfeaplyykoxusdqllf.exe
  bqfeaplyykoxusdqllf.exe .
  2⤵
  PID:5636
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\bqfeaplyykoxusdqllf.exe*."
    3⤵
    PID:6092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe
1⤵
PID:3516
- C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe
  C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe
  2⤵
  PID:5444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe .
1⤵
PID:5756
- C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe
  C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe .
  2⤵
  PID:2532
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\asicusjxvjoxusdqlle.exe*."
    3⤵
    PID:3440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe
1⤵
PID:5544
- C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe
  C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe
  2⤵
  PID:2684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c huheylfqoyahcyhsl.exe
1⤵
PID:5220
- C:\Windows\huheylfqoyahcyhsl.exe
  huheylfqoyahcyhsl.exe
  2⤵
  PID:2440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe .
1⤵
PID:3492
- C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\gwkcsodplxahcyhsl.exe .
  2⤵
  PID:5460
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\gwkcsodplxahcyhsl.exe*."
    3⤵
    PID:5600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qesqlzugfqtbxueqkj.exe .
1⤵
PID:3476
- C:\Windows\qesqlzugfqtbxueqkj.exe
  qesqlzugfqtbxueqkj.exe .
  2⤵
  PID:5684
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\qesqlzugfqtbxueqkj.exe*."
    3⤵
    PID:4056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe
1⤵
PID:4868
- C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe
  C:\Users\Admin\AppData\Local\Temp\ngxslkcrqflvtsesopjc.exe
  2⤵
  PID:5248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe
1⤵
PID:1504
- C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\amyunzsczijpjemw.exe
  2⤵
  PID:5572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe .
1⤵
PID:5244
- C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe .
  2⤵
  PID:4396
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\zobshcqbwhjpjemw.exe*."
    3⤵
    PID:4044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dulmkbzoqekvuuhwtvriz.exe .
1⤵
PID:432
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4792
- C:\Users\Admin\AppData\Local\Temp\dulmkbzoqekvuuhwtvriz.exe
  C:\Users\Admin\AppData\Local\Temp\dulmkbzoqekvuuhwtvriz.exe .
  2⤵
  PID:3092
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\dulmkbzoqekvuuhwtvriz.exe*."
    3⤵
    PID:5900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\huheylfqoyahcyhsl.exe
1⤵
PID:5772
- C:\Users\Admin\AppData\Local\Temp\huheylfqoyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\huheylfqoyahcyhsl.exe
  2⤵
  PID:5928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dulmkbzoqekvuuhwtvriz.exe .
1⤵
PID:6012
- C:\Users\Admin\AppData\Local\Temp\dulmkbzoqekvuuhwtvriz.exe
  C:\Users\Admin\AppData\Local\Temp\dulmkbzoqekvuuhwtvriz.exe .
  2⤵
  PID:5744
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\dulmkbzoqekvuuhwtvriz.exe*."
    3⤵
    PID:5820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zobshcqbwhjpjemw.exe
1⤵
PID:5540
- C:\Windows\zobshcqbwhjpjemw.exe
  zobshcqbwhjpjemw.exe
  2⤵
  PID:3712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ngxslkcrqflvtsesopjc.exe .
1⤵
PID:5096
- C:\Windows\ngxslkcrqflvtsesopjc.exe
  ngxslkcrqflvtsesopjc.exe .
  2⤵
  PID:972
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ngxslkcrqflvtsesopjc.exe*."
    3⤵
    PID:6116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pgvofcsfcptbxueqkj.exe
1⤵
PID:224
- C:\Windows\pgvofcsfcptbxueqkj.exe
  pgvofcsfcptbxueqkj.exe
  2⤵
  PID:4132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ngxslkcrqflvtsesopjc.exe .
1⤵
PID:2328
- C:\Windows\ngxslkcrqflvtsesopjc.exe
  ngxslkcrqflvtsesopjc.exe .
  2⤵
  PID:1864
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ngxslkcrqflvtsesopjc.exe*."
    3⤵
    PID:6108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe
1⤵
PID:3796
- C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe
  2⤵
  PID:5976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe .
1⤵
PID:1524
- C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe
  C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe .
  2⤵
  PID:848
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\asicusjxvjoxusdqlle.exe*."
    3⤵
    PID:6052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe
1⤵
PID:3680
- C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe
  C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe
  2⤵
  PID:1812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pgvofcsfcptbxueqkj.exe
1⤵
PID:4740
- C:\Windows\pgvofcsfcptbxueqkj.exe
  pgvofcsfcptbxueqkj.exe
  2⤵
  PID:6000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe .
1⤵
PID:5992
- C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe .
  2⤵
  PID:3536
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\zobshcqbwhjpjemw.exe*."
    3⤵
    PID:6092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cwokeexnndkvuuhwtvqkc.exe .
1⤵
PID:4392
- C:\Windows\cwokeexnndkvuuhwtvqkc.exe
  cwokeexnndkvuuhwtvqkc.exe .
  2⤵
  PID:2920
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\cwokeexnndkvuuhwtvqkc.exe*."
    3⤵
    PID:4576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zobshcqbwhjpjemw.exe
1⤵
PID:3824
- C:\Windows\zobshcqbwhjpjemw.exe
  zobshcqbwhjpjemw.exe
  2⤵
  PID:5092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gwkcsodplxahcyhsl.exe .
1⤵
PID:5476
- C:\Windows\gwkcsodplxahcyhsl.exe
  gwkcsodplxahcyhsl.exe .
  2⤵
  PID:1092
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\gwkcsodplxahcyhsl.exe*."
    3⤵
    PID:4420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe
1⤵
PID:2936
- C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe
  C:\Users\Admin\AppData\Local\Temp\asicusjxvjoxusdqlle.exe
  2⤵
  PID:4716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe .
1⤵
PID:6056
- C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe
  C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe .
  2⤵
  PID:4652
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\cwokeexnndkvuuhwtvqkc.exe*."
    3⤵
    PID:4044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pgvofcsfcptbxueqkj.exe
1⤵
PID:5208
- C:\Windows\pgvofcsfcptbxueqkj.exe
  pgvofcsfcptbxueqkj.exe
  2⤵
  PID:5872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe
1⤵
PID:2104
- C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe
  C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe
  2⤵
  PID:4324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe .
1⤵
PID:4384
- C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe
  C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe .
  2⤵
  PID:208
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\cwokeexnndkvuuhwtvqkc.exe*."
    3⤵
    PID:4568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pgvofcsfcptbxueqkj.exe .
1⤵
PID:3940
- C:\Windows\pgvofcsfcptbxueqkj.exe
  pgvofcsfcptbxueqkj.exe .
  2⤵
  PID:5772
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\pgvofcsfcptbxueqkj.exe*."
    3⤵
    PID:6020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cwokeexnndkvuuhwtvqkc.exe
1⤵
PID:3424
- C:\Windows\cwokeexnndkvuuhwtvqkc.exe
  cwokeexnndkvuuhwtvqkc.exe
  2⤵
  PID:5660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cwokeexnndkvuuhwtvqkc.exe .
1⤵
PID:2736
- C:\Windows\cwokeexnndkvuuhwtvqkc.exe
  cwokeexnndkvuuhwtvqkc.exe .
  2⤵
  PID:5924
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\cwokeexnndkvuuhwtvqkc.exe*."
    3⤵
    PID:5780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe
1⤵
PID:5540
- C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe
  2⤵
  PID:5316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe .
1⤵
PID:5704
- C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe
  C:\Users\Admin\AppData\Local\Temp\cwokeexnndkvuuhwtvqkc.exe .
  2⤵
  PID:6112
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\cwokeexnndkvuuhwtvqkc.exe*."
    3⤵
    PID:968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pgvofcsfcptbxueqkj.exe
1⤵
PID:5364
- C:\Users\Admin\AppData\Local\Temp\pgvofcsfcptbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\pgvofcsfcptbxueqkj.exe
  2⤵
  PID:2584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe .
1⤵
PID:3768
- C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\zobshcqbwhjpjemw.exe .
  2⤵
  PID:4896
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\zobshcqbwhjpjemw.exe*."
    3⤵
    PID:2472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gwkcsodplxahcyhsl.exe
1⤵
PID:1776
- C:\Windows\gwkcsodplxahcyhsl.exe
  gwkcsodplxahcyhsl.exe
  2⤵
  PID:5568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zobshcqbwhjpjemw.exe .
1⤵
PID:5784
- C:\Windows\zobshcqbwhjpjemw.exe
  zobshcqbwhjpjemw.exe .
  2⤵
  PID:4952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Modify Registry