pykspa | 24ec6c4ca5205bad2e59f36bc875928bc2ef33aeb6fbc6c9f9b3a54f843dce6e

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	msbygo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	msbygo.exe

Pykspa
Pykspa is a worm spreads via Skype uses DGA and it's written in C++.
worm pykspa
Pykspa family
pykspa

UAC bypass 3 TTPs 22 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	msbygo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	msbygo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	msbygo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	msbygo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	msbygo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	msbygo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	msbygo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	msbygo.exe

Detect Pykspa worm 2 IoCs

worm

resource	yara_rule
behavioral2/files/0x0014000000023e6f-4.dat	family_pykspa
behavioral2/files/0x000200000001e97a-106.dat	family_pykspa

Adds policy Run key to start application 2 TTPs 47 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tesuhuergrc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgdokgzvtnhubcebnoif.exe"	whljbuilgrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	whljbuilgrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msbygo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qevaqgtjbpdklg = "ogbkeypjfxpafeezji.exe"	msbygo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tesuhuergrc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsoytogbyrkwccdzkkd.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tesuhuergrc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ogbkeypjfxpafeezji.exe"	msbygo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	whljbuilgrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qevaqgtjbpdklg = "fwqyrkatofwgkihbk.exe"	whljbuilgrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qevaqgtjbpdklg = "zsoytogbyrkwccdzkkd.exe"	whljbuilgrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msbygo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qevaqgtjbpdklg = "bwugdaurqlgucehfsupnz.exe"	msbygo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qevaqgtjbpdklg = "bwugdaurqlgucehfsupnz.exe"	msbygo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tesuhuergrc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsoytogbyrkwccdzkkd.exe"	msbygo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qevaqgtjbpdklg = "ogbkeypjfxpafeezji.exe"	whljbuilgrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qevaqgtjbpdklg = "ogbkeypjfxpafeezji.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qevaqgtjbpdklg = "fwqyrkatofwgkihbk.exe"	msbygo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tesuhuergrc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgdokgzvtnhubcebnoif.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qevaqgtjbpdklg = "mgdokgzvtnhubcebnoif.exe"	msbygo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qevaqgtjbpdklg = "ogbkeypjfxpafeezji.exe"	msbygo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tesuhuergrc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bwugdaurqlgucehfsupnz.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qevaqgtjbpdklg = "ogbkeypjfxpafeezji.exe"	whljbuilgrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tesuhuergrc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bwugdaurqlgucehfsupnz.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qevaqgtjbpdklg = "fwqyrkatofwgkihbk.exe"	msbygo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tesuhuergrc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yohogynfzpforomf.exe"	msbygo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tesuhuergrc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yohogynfzpforomf.exe"	msbygo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qevaqgtjbpdklg = "mgdokgzvtnhubcebnoif.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qevaqgtjbpdklg = "fwqyrkatofwgkihbk.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tesuhuergrc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgdokgzvtnhubcebnoif.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tesuhuergrc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ogbkeypjfxpafeezji.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qevaqgtjbpdklg = "ogbkeypjfxpafeezji.exe"	whljbuilgrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qevaqgtjbpdklg = "zsoytogbyrkwccdzkkd.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tesuhuergrc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yohogynfzpforomf.exe"	whljbuilgrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qevaqgtjbpdklg = "yohogynfzpforomf.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tesuhuergrc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsoytogbyrkwccdzkkd.exe"	msbygo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tesuhuergrc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgdokgzvtnhubcebnoif.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tesuhuergrc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fwqyrkatofwgkihbk.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qevaqgtjbpdklg = "mgdokgzvtnhubcebnoif.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tesuhuergrc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yohogynfzpforomf.exe"	whljbuilgrv.exe

Blocklisted process makes network request 5 IoCs

flow	pid	Process
51	4328	Process not Found
55	4328	Process not Found
78	4328	Process not Found
80	4328	Process not Found
85	4328	Process not Found

Disables RegEdit via registry modification 16 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	msbygo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	msbygo.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	whljbuilgrv.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	whljbuilgrv.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	whljbuilgrv.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	whljbuilgrv.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	whljbuilgrv.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	whljbuilgrv.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	msbygo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	msbygo.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	whljbuilgrv.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	whljbuilgrv.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	whljbuilgrv.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	whljbuilgrv.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	whljbuilgrv.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	yohogynfzpforomf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	fwqyrkatofwgkihbk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	fwqyrkatofwgkihbk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	bwugdaurqlgucehfsupnz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	mgdokgzvtnhubcebnoif.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	mgdokgzvtnhubcebnoif.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	yohogynfzpforomf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	bwugdaurqlgucehfsupnz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	mgdokgzvtnhubcebnoif.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	bwugdaurqlgucehfsupnz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	ogbkeypjfxpafeezji.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	mgdokgzvtnhubcebnoif.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	ogbkeypjfxpafeezji.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	mgdokgzvtnhubcebnoif.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	mgdokgzvtnhubcebnoif.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	yohogynfzpforomf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	zsoytogbyrkwccdzkkd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	zsoytogbyrkwccdzkkd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	ogbkeypjfxpafeezji.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	zsoytogbyrkwccdzkkd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	ogbkeypjfxpafeezji.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	mgdokgzvtnhubcebnoif.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	bwugdaurqlgucehfsupnz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	ogbkeypjfxpafeezji.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	mgdokgzvtnhubcebnoif.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	fwqyrkatofwgkihbk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	mgdokgzvtnhubcebnoif.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	fwqyrkatofwgkihbk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	yohogynfzpforomf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	fwqyrkatofwgkihbk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	mgdokgzvtnhubcebnoif.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	yohogynfzpforomf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	mgdokgzvtnhubcebnoif.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	fwqyrkatofwgkihbk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	fwqyrkatofwgkihbk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	yohogynfzpforomf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	yohogynfzpforomf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	ogbkeypjfxpafeezji.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	bwugdaurqlgucehfsupnz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	yohogynfzpforomf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	whljbuilgrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	zsoytogbyrkwccdzkkd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	bwugdaurqlgucehfsupnz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	fwqyrkatofwgkihbk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	mgdokgzvtnhubcebnoif.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	ogbkeypjfxpafeezji.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	ogbkeypjfxpafeezji.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	fwqyrkatofwgkihbk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	fwqyrkatofwgkihbk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	ogbkeypjfxpafeezji.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	yohogynfzpforomf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	zsoytogbyrkwccdzkkd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	yohogynfzpforomf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	fwqyrkatofwgkihbk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	bwugdaurqlgucehfsupnz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	bwugdaurqlgucehfsupnz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	zsoytogbyrkwccdzkkd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	zsoytogbyrkwccdzkkd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	fwqyrkatofwgkihbk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	mgdokgzvtnhubcebnoif.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	fwqyrkatofwgkihbk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	ogbkeypjfxpafeezji.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	fwqyrkatofwgkihbk.exe

Executes dropped EXE 64 IoCs

pid	Process
1088	whljbuilgrv.exe
368	mgdokgzvtnhubcebnoif.exe
1892	zsoytogbyrkwccdzkkd.exe
4720	whljbuilgrv.exe
988	mgdokgzvtnhubcebnoif.exe
4852	ogbkeypjfxpafeezji.exe
1440	fwqyrkatofwgkihbk.exe
1408	fwqyrkatofwgkihbk.exe
5028	whljbuilgrv.exe
4384	yohogynfzpforomf.exe
4836	whljbuilgrv.exe
4940	mgdokgzvtnhubcebnoif.exe
4536	whljbuilgrv.exe
924	msbygo.exe
4896	msbygo.exe
1156	zsoytogbyrkwccdzkkd.exe
4540	mgdokgzvtnhubcebnoif.exe
1940	fwqyrkatofwgkihbk.exe
4448	yohogynfzpforomf.exe
3252	bwugdaurqlgucehfsupnz.exe
2260	whljbuilgrv.exe
2124	whljbuilgrv.exe
1592	mgdokgzvtnhubcebnoif.exe
1320	fwqyrkatofwgkihbk.exe
5076	bwugdaurqlgucehfsupnz.exe
3844	yohogynfzpforomf.exe
1492	bwugdaurqlgucehfsupnz.exe
452	mgdokgzvtnhubcebnoif.exe
2692	yohogynfzpforomf.exe
2372	whljbuilgrv.exe
3568	whljbuilgrv.exe
1528	mgdokgzvtnhubcebnoif.exe
2456	zsoytogbyrkwccdzkkd.exe
3040	bwugdaurqlgucehfsupnz.exe
3808	whljbuilgrv.exe
3884	whljbuilgrv.exe
1324	whljbuilgrv.exe
3328	zsoytogbyrkwccdzkkd.exe
4656	zsoytogbyrkwccdzkkd.exe
3544	whljbuilgrv.exe
3064	mgdokgzvtnhubcebnoif.exe
1260	yohogynfzpforomf.exe
3644	yohogynfzpforomf.exe
4112	whljbuilgrv.exe
4256	whljbuilgrv.exe
2684	fwqyrkatofwgkihbk.exe
1408	yohogynfzpforomf.exe
4724	whljbuilgrv.exe
2656	fwqyrkatofwgkihbk.exe
1324	fwqyrkatofwgkihbk.exe
4540	whljbuilgrv.exe
4296	yohogynfzpforomf.exe
1448	ogbkeypjfxpafeezji.exe
3288	whljbuilgrv.exe
3048	yohogynfzpforomf.exe
3748	zsoytogbyrkwccdzkkd.exe
2224	fwqyrkatofwgkihbk.exe
4628	zsoytogbyrkwccdzkkd.exe
692	whljbuilgrv.exe
5044	ogbkeypjfxpafeezji.exe
4140	bwugdaurqlgucehfsupnz.exe
1688	zsoytogbyrkwccdzkkd.exe
4680	whljbuilgrv.exe
1520	mgdokgzvtnhubcebnoif.exe

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	msbygo.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	msbygo.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	msbygo.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	msbygo.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	msbygo.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	msbygo.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

defense_evasion persistence privilege_escalation

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ogbkeypjfxpafeezji = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsoytogbyrkwccdzkkd.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yohogynfzpforomf = "bwugdaurqlgucehfsupnz.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qcruiwhvlxjo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bwugdaurqlgucehfsupnz.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qcruiwhvlxjo = "zsoytogbyrkwccdzkkd.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiagxoctmbqyawt = "fwqyrkatofwgkihbk.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fwqyrkatofwgkihbk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bwugdaurqlgucehfsupnz.exe ."	msbygo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fwqyrkatofwgkihbk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yohogynfzpforomf.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiagxoctmbqyawt = "zsoytogbyrkwccdzkkd.exe"	msbygo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pcswlambsfsyy = "mgdokgzvtnhubcebnoif.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiagxoctmbqyawt = "mgdokgzvtnhubcebnoif.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ogbkeypjfxpafeezji = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsoytogbyrkwccdzkkd.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fwqyrkatofwgkihbk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fwqyrkatofwgkihbk.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qcruiwhvlxjo = "mgdokgzvtnhubcebnoif.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pcswlambsfsyy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fwqyrkatofwgkihbk.exe ."	msbygo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fwqyrkatofwgkihbk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fwqyrkatofwgkihbk.exe ."	msbygo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fwqyrkatofwgkihbk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgdokgzvtnhubcebnoif.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ogbkeypjfxpafeezji = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yohogynfzpforomf.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qcruiwhvlxjo = "bwugdaurqlgucehfsupnz.exe"	msbygo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pcswlambsfsyy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ogbkeypjfxpafeezji.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiagxoctmbqyawt = "ogbkeypjfxpafeezji.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pcswlambsfsyy = "yohogynfzpforomf.exe ."	msbygo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yohogynfzpforomf = "yohogynfzpforomf.exe ."	msbygo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qcruiwhvlxjo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fwqyrkatofwgkihbk.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pcswlambsfsyy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fwqyrkatofwgkihbk.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ogbkeypjfxpafeezji = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ogbkeypjfxpafeezji.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qcruiwhvlxjo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yohogynfzpforomf.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pcswlambsfsyy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgdokgzvtnhubcebnoif.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiagxoctmbqyawt = "mgdokgzvtnhubcebnoif.exe"	msbygo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yohogynfzpforomf = "fwqyrkatofwgkihbk.exe ."	msbygo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qcruiwhvlxjo = "yohogynfzpforomf.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pcswlambsfsyy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgdokgzvtnhubcebnoif.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yohogynfzpforomf = "fwqyrkatofwgkihbk.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ogbkeypjfxpafeezji = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bwugdaurqlgucehfsupnz.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fwqyrkatofwgkihbk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ogbkeypjfxpafeezji.exe ."	msbygo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ogbkeypjfxpafeezji = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bwugdaurqlgucehfsupnz.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qcruiwhvlxjo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fwqyrkatofwgkihbk.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fwqyrkatofwgkihbk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ogbkeypjfxpafeezji.exe ."	msbygo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yohogynfzpforomf = "yohogynfzpforomf.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yohogynfzpforomf = "yohogynfzpforomf.exe ."	msbygo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pcswlambsfsyy = "yohogynfzpforomf.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiagxoctmbqyawt = "fwqyrkatofwgkihbk.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qcruiwhvlxjo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsoytogbyrkwccdzkkd.exe"	msbygo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qcruiwhvlxjo = "mgdokgzvtnhubcebnoif.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fwqyrkatofwgkihbk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bwugdaurqlgucehfsupnz.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiagxoctmbqyawt = "zsoytogbyrkwccdzkkd.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yohogynfzpforomf = "fwqyrkatofwgkihbk.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fwqyrkatofwgkihbk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsoytogbyrkwccdzkkd.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yohogynfzpforomf = "ogbkeypjfxpafeezji.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ogbkeypjfxpafeezji = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yohogynfzpforomf.exe"	msbygo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pcswlambsfsyy = "zsoytogbyrkwccdzkkd.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pcswlambsfsyy = "mgdokgzvtnhubcebnoif.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qcruiwhvlxjo = "mgdokgzvtnhubcebnoif.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qcruiwhvlxjo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fwqyrkatofwgkihbk.exe"	msbygo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pcswlambsfsyy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsoytogbyrkwccdzkkd.exe ."	msbygo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yohogynfzpforomf = "mgdokgzvtnhubcebnoif.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pcswlambsfsyy = "ogbkeypjfxpafeezji.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pcswlambsfsyy = "yohogynfzpforomf.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qcruiwhvlxjo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fwqyrkatofwgkihbk.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pcswlambsfsyy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ogbkeypjfxpafeezji.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pcswlambsfsyy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsoytogbyrkwccdzkkd.exe ."	msbygo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pcswlambsfsyy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgdokgzvtnhubcebnoif.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiagxoctmbqyawt = "fwqyrkatofwgkihbk.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiagxoctmbqyawt = "fwqyrkatofwgkihbk.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qcruiwhvlxjo = "yohogynfzpforomf.exe"	whljbuilgrv.exe

Checks whether UAC is enabled 1 TTPs 26 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	whljbuilgrv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msbygo.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	whljbuilgrv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	whljbuilgrv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	whljbuilgrv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	whljbuilgrv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	whljbuilgrv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msbygo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	msbygo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	msbygo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs

Possible Turn off User Account Control's privilege elevation for standard users.

Executable Installer File Permissions Weakness

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	msbygo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	msbygo.exe

Looks up external IP address via web service 7 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
31	whatismyipaddress.com
39	www.whatismyip.ca
40	whatismyip.everdot.org
57	whatismyip.everdot.org
59	www.whatismyip.ca
24	www.showmyipaddress.com
29	whatismyip.everdot.org

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\sonaywrpplhwfimlzcyxki.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\yohogynfzpforomf.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\fwqyrkatofwgkihbk.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\zsoytogbyrkwccdzkkd.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\fwqyrkatofwgkihbk.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\yohogynfzpforomf.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\fwqyrkatofwgkihbk.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\bwugdaurqlgucehfsupnz.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\ogbkeypjfxpafeezji.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\bwugdaurqlgucehfsupnz.exe	msbygo.exe
File opened for modification	C:\Windows\SysWOW64\ogbkeypjfxpafeezji.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\ogbkeypjfxpafeezji.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\fwqyrkatofwgkihbk.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\ogbkeypjfxpafeezji.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\ogbkeypjfxpafeezji.exe	msbygo.exe
File opened for modification	C:\Windows\SysWOW64\ogbkeypjfxpafeezji.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\fwqyrkatofwgkihbk.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\zsoytogbyrkwccdzkkd.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\sonaywrpplhwfimlzcyxki.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\bwugdaurqlgucehfsupnz.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\ogbkeypjfxpafeezji.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\ogbkeypjfxpafeezji.exe	msbygo.exe
File opened for modification	C:\Windows\SysWOW64\mgdokgzvtnhubcebnoif.exe	msbygo.exe
File opened for modification	C:\Windows\SysWOW64\sonaywrpplhwfimlzcyxki.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\sonaywrpplhwfimlzcyxki.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\fwqyrkatofwgkihbk.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\bwugdaurqlgucehfsupnz.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\fwqyrkatofwgkihbk.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\bwugdaurqlgucehfsupnz.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\sonaywrpplhwfimlzcyxki.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\fwqyrkatofwgkihbk.exe	msbygo.exe
File opened for modification	C:\Windows\SysWOW64\sonaywrpplhwfimlzcyxki.exe	msbygo.exe
File opened for modification	C:\Windows\SysWOW64\zsoytogbyrkwccdzkkd.exe	msbygo.exe
File opened for modification	C:\Windows\SysWOW64\yohogynfzpforomf.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\ogbkeypjfxpafeezji.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\fwqyrkatofwgkihbk.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\mgdokgzvtnhubcebnoif.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\zsoytogbyrkwccdzkkd.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\zsoytogbyrkwccdzkkd.exe	msbygo.exe
File opened for modification	C:\Windows\SysWOW64\fwqyrkatofwgkihbk.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\zsoytogbyrkwccdzkkd.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\mgdokgzvtnhubcebnoif.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\yohogynfzpforomfnkataskzrlbradayrzwmfm.wld	msbygo.exe
File opened for modification	C:\Windows\SysWOW64\yohogynfzpforomf.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\ogbkeypjfxpafeezji.exe	whljbuilgrv.exe
File created	C:\Windows\SysWOW64\yohogynfzpforomfnkataskzrlbradayrzwmfm.wld	msbygo.exe
File opened for modification	C:\Windows\SysWOW64\sonaywrpplhwfimlzcyxki.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\mgdokgzvtnhubcebnoif.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\ogbkeypjfxpafeezji.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\mgdokgzvtnhubcebnoif.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\bwugdaurqlgucehfsupnz.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\sonaywrpplhwfimlzcyxki.exe	whljbuilgrv.exe
File created	C:\Windows\SysWOW64\bgokrycjsxcaserzwinvryfjqze.hzl	msbygo.exe
File opened for modification	C:\Windows\SysWOW64\zsoytogbyrkwccdzkkd.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\mgdokgzvtnhubcebnoif.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\yohogynfzpforomf.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\sonaywrpplhwfimlzcyxki.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\mgdokgzvtnhubcebnoif.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\bwugdaurqlgucehfsupnz.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\zsoytogbyrkwccdzkkd.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\bwugdaurqlgucehfsupnz.exe	msbygo.exe
File opened for modification	C:\Windows\SysWOW64\mgdokgzvtnhubcebnoif.exe	msbygo.exe
File opened for modification	C:\Windows\SysWOW64\bgokrycjsxcaserzwinvryfjqze.hzl	msbygo.exe
File opened for modification	C:\Windows\SysWOW64\yohogynfzpforomf.exe	whljbuilgrv.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\bgokrycjsxcaserzwinvryfjqze.hzl	msbygo.exe
File created	C:\Program Files (x86)\bgokrycjsxcaserzwinvryfjqze.hzl	msbygo.exe
File opened for modification	C:\Program Files (x86)\yohogynfzpforomfnkataskzrlbradayrzwmfm.wld	msbygo.exe
File created	C:\Program Files (x86)\yohogynfzpforomfnkataskzrlbradayrzwmfm.wld	msbygo.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\yohogynfzpforomf.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\ogbkeypjfxpafeezji.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\bwugdaurqlgucehfsupnz.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\sonaywrpplhwfimlzcyxki.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\fwqyrkatofwgkihbk.exe	msbygo.exe
File opened for modification	C:\Windows\zsoytogbyrkwccdzkkd.exe	msbygo.exe
File opened for modification	C:\Windows\ogbkeypjfxpafeezji.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\sonaywrpplhwfimlzcyxki.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\yohogynfzpforomf.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\zsoytogbyrkwccdzkkd.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\mgdokgzvtnhubcebnoif.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\sonaywrpplhwfimlzcyxki.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\ogbkeypjfxpafeezji.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\bwugdaurqlgucehfsupnz.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\ogbkeypjfxpafeezji.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\mgdokgzvtnhubcebnoif.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\mgdokgzvtnhubcebnoif.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\zsoytogbyrkwccdzkkd.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\sonaywrpplhwfimlzcyxki.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\fwqyrkatofwgkihbk.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\mgdokgzvtnhubcebnoif.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\yohogynfzpforomf.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\zsoytogbyrkwccdzkkd.exe	msbygo.exe
File opened for modification	C:\Windows\zsoytogbyrkwccdzkkd.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\zsoytogbyrkwccdzkkd.exe	whljbuilgrv.exe
File created	C:\Windows\bgokrycjsxcaserzwinvryfjqze.hzl	msbygo.exe
File opened for modification	C:\Windows\mgdokgzvtnhubcebnoif.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\sonaywrpplhwfimlzcyxki.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\mgdokgzvtnhubcebnoif.exe	msbygo.exe
File opened for modification	C:\Windows\bwugdaurqlgucehfsupnz.exe	msbygo.exe
File opened for modification	C:\Windows\yohogynfzpforomfnkataskzrlbradayrzwmfm.wld	msbygo.exe
File created	C:\Windows\yohogynfzpforomfnkataskzrlbradayrzwmfm.wld	msbygo.exe
File opened for modification	C:\Windows\fwqyrkatofwgkihbk.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\ogbkeypjfxpafeezji.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\yohogynfzpforomf.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\bwugdaurqlgucehfsupnz.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\ogbkeypjfxpafeezji.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\fwqyrkatofwgkihbk.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\ogbkeypjfxpafeezji.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\yohogynfzpforomf.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\sonaywrpplhwfimlzcyxki.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\zsoytogbyrkwccdzkkd.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\mgdokgzvtnhubcebnoif.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\zsoytogbyrkwccdzkkd.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\mgdokgzvtnhubcebnoif.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\sonaywrpplhwfimlzcyxki.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\sonaywrpplhwfimlzcyxki.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\bwugdaurqlgucehfsupnz.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\fwqyrkatofwgkihbk.exe	msbygo.exe
File opened for modification	C:\Windows\sonaywrpplhwfimlzcyxki.exe	msbygo.exe
File opened for modification	C:\Windows\sonaywrpplhwfimlzcyxki.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\mgdokgzvtnhubcebnoif.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\yohogynfzpforomf.exe	msbygo.exe
File opened for modification	C:\Windows\yohogynfzpforomf.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\ogbkeypjfxpafeezji.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\zsoytogbyrkwccdzkkd.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\ogbkeypjfxpafeezji.exe	msbygo.exe
File opened for modification	C:\Windows\sonaywrpplhwfimlzcyxki.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\fwqyrkatofwgkihbk.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\mgdokgzvtnhubcebnoif.exe	msbygo.exe
File opened for modification	C:\Windows\bgokrycjsxcaserzwinvryfjqze.hzl	msbygo.exe
File opened for modification	C:\Windows\yohogynfzpforomf.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\fwqyrkatofwgkihbk.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\fwqyrkatofwgkihbk.exe	whljbuilgrv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yohogynfzpforomf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mgdokgzvtnhubcebnoif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fwqyrkatofwgkihbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mgdokgzvtnhubcebnoif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fwqyrkatofwgkihbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mgdokgzvtnhubcebnoif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yohogynfzpforomf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bwugdaurqlgucehfsupnz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ogbkeypjfxpafeezji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fwqyrkatofwgkihbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mgdokgzvtnhubcebnoif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bwugdaurqlgucehfsupnz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mgdokgzvtnhubcebnoif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mgdokgzvtnhubcebnoif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yohogynfzpforomf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ogbkeypjfxpafeezji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mgdokgzvtnhubcebnoif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bwugdaurqlgucehfsupnz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bwugdaurqlgucehfsupnz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fwqyrkatofwgkihbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mgdokgzvtnhubcebnoif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fwqyrkatofwgkihbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zsoytogbyrkwccdzkkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zsoytogbyrkwccdzkkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bwugdaurqlgucehfsupnz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ogbkeypjfxpafeezji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zsoytogbyrkwccdzkkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ogbkeypjfxpafeezji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mgdokgzvtnhubcebnoif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ogbkeypjfxpafeezji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bwugdaurqlgucehfsupnz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mgdokgzvtnhubcebnoif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ogbkeypjfxpafeezji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zsoytogbyrkwccdzkkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bwugdaurqlgucehfsupnz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mgdokgzvtnhubcebnoif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yohogynfzpforomf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ogbkeypjfxpafeezji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbygo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bwugdaurqlgucehfsupnz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mgdokgzvtnhubcebnoif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yohogynfzpforomf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fwqyrkatofwgkihbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ogbkeypjfxpafeezji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fwqyrkatofwgkihbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fwqyrkatofwgkihbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yohogynfzpforomf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bwugdaurqlgucehfsupnz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mgdokgzvtnhubcebnoif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fwqyrkatofwgkihbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yohogynfzpforomf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zsoytogbyrkwccdzkkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fwqyrkatofwgkihbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zsoytogbyrkwccdzkkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mgdokgzvtnhubcebnoif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yohogynfzpforomf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fwqyrkatofwgkihbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zsoytogbyrkwccdzkkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fwqyrkatofwgkihbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fwqyrkatofwgkihbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fwqyrkatofwgkihbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yohogynfzpforomf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bwugdaurqlgucehfsupnz.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3316	JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe
3316	JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe
3316	JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe
3316	JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe
3316	JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe
3316	JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe
3316	JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe
3316	JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe
3316	JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe
3316	JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe
3316	JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe
3316	JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe
3316	JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe
3316	JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe
3316	JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe
3316	JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe
924	msbygo.exe
924	msbygo.exe
3316	JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe
3316	JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe
3316	JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe
3316	JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe
3316	JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe
3316	JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe
3316	JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe
3316	JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe
3316	JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe
3316	JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe
3316	JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe
3316	JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe
3316	JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe
3316	JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe
3316	JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe
3316	JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe
3316	JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe
3316	JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe
3316	JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe
3316	JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe
3316	JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe
3316	JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe
3316	JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe
3316	JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe
3316	JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe
3316	JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe
3316	JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe
3316	JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe
3316	JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe
3316	JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe
3316	JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe
3316	JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe
3316	JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe
3316	JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe
3316	JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe
3316	JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe
924	msbygo.exe
924	msbygo.exe
3316	JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe
3316	JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe
3316	JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe
3316	JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe
3316	JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe
3316	JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe
3316	JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe
3316	JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	924	msbygo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3316 wrote to memory of 1088	3316	JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe	89
PID 3316 wrote to memory of 1088	3316	JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe	89
PID 3316 wrote to memory of 1088	3316	JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe	89
PID 2576 wrote to memory of 368	2576	cmd.exe	92
PID 2576 wrote to memory of 368	2576	cmd.exe	92
PID 2576 wrote to memory of 368	2576	cmd.exe	92
PID 1844 wrote to memory of 1892	1844	cmd.exe	95
PID 1844 wrote to memory of 1892	1844	cmd.exe	95
PID 1844 wrote to memory of 1892	1844	cmd.exe	95
PID 1892 wrote to memory of 4720	1892	zsoytogbyrkwccdzkkd.exe	98
PID 1892 wrote to memory of 4720	1892	zsoytogbyrkwccdzkkd.exe	98
PID 1892 wrote to memory of 4720	1892	zsoytogbyrkwccdzkkd.exe	98
PID 1716 wrote to memory of 988	1716	cmd.exe	101
PID 1716 wrote to memory of 988	1716	cmd.exe	101
PID 1716 wrote to memory of 988	1716	cmd.exe	101
PID 5108 wrote to memory of 4852	5108	cmd.exe	106
PID 5108 wrote to memory of 4852	5108	cmd.exe	106
PID 5108 wrote to memory of 4852	5108	cmd.exe	106
PID 2516 wrote to memory of 1440	2516	cmd.exe	107
PID 2516 wrote to memory of 1440	2516	cmd.exe	107
PID 2516 wrote to memory of 1440	2516	cmd.exe	107
PID 3288 wrote to memory of 1408	3288	cmd.exe	204
PID 3288 wrote to memory of 1408	3288	cmd.exe	204
PID 3288 wrote to memory of 1408	3288	cmd.exe	204
PID 4852 wrote to memory of 5028	4852	ogbkeypjfxpafeezji.exe	175
PID 4852 wrote to memory of 5028	4852	ogbkeypjfxpafeezji.exe	175
PID 4852 wrote to memory of 5028	4852	ogbkeypjfxpafeezji.exe	175
PID 2624 wrote to memory of 4384	2624	cmd.exe	114
PID 2624 wrote to memory of 4384	2624	cmd.exe	114
PID 2624 wrote to memory of 4384	2624	cmd.exe	114
PID 1408 wrote to memory of 4836	1408	fwqyrkatofwgkihbk.exe	115
PID 1408 wrote to memory of 4836	1408	fwqyrkatofwgkihbk.exe	115
PID 1408 wrote to memory of 4836	1408	fwqyrkatofwgkihbk.exe	115
PID 3748 wrote to memory of 4940	3748	cmd.exe	252
PID 3748 wrote to memory of 4940	3748	cmd.exe	252
PID 3748 wrote to memory of 4940	3748	cmd.exe	252
PID 4940 wrote to memory of 4536	4940	mgdokgzvtnhubcebnoif.exe	153
PID 4940 wrote to memory of 4536	4940	mgdokgzvtnhubcebnoif.exe	153
PID 4940 wrote to memory of 4536	4940	mgdokgzvtnhubcebnoif.exe	153
PID 1088 wrote to memory of 924	1088	whljbuilgrv.exe	122
PID 1088 wrote to memory of 924	1088	whljbuilgrv.exe	122
PID 1088 wrote to memory of 924	1088	whljbuilgrv.exe	122
PID 1088 wrote to memory of 4896	1088	whljbuilgrv.exe	123
PID 1088 wrote to memory of 4896	1088	whljbuilgrv.exe	123
PID 1088 wrote to memory of 4896	1088	whljbuilgrv.exe	123
PID 2576 wrote to memory of 1156	2576	cmd.exe	128
PID 2576 wrote to memory of 1156	2576	cmd.exe	128
PID 2576 wrote to memory of 1156	2576	cmd.exe	128
PID 4948 wrote to memory of 4540	4948	cmd.exe	208
PID 4948 wrote to memory of 4540	4948	cmd.exe	208
PID 4948 wrote to memory of 4540	4948	cmd.exe	208
PID 3016 wrote to memory of 1940	3016	cmd.exe	271
PID 3016 wrote to memory of 1940	3016	cmd.exe	271
PID 3016 wrote to memory of 1940	3016	cmd.exe	271
PID 452 wrote to memory of 4448	452	cmd.exe	169
PID 452 wrote to memory of 4448	452	cmd.exe	169
PID 452 wrote to memory of 4448	452	cmd.exe	169
PID 1528 wrote to memory of 3252	1528	cmd.exe	146
PID 1528 wrote to memory of 3252	1528	cmd.exe	146
PID 1528 wrote to memory of 3252	1528	cmd.exe	146
PID 4448 wrote to memory of 2260	4448	yohogynfzpforomf.exe	147
PID 4448 wrote to memory of 2260	4448	yohogynfzpforomf.exe	147
PID 4448 wrote to memory of 2260	4448	yohogynfzpforomf.exe	147
PID 1940 wrote to memory of 2124	1940	fwqyrkatofwgkihbk.exe	148

System policy modification 1 TTPs 56 IoCs

defense_evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	whljbuilgrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	msbygo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	msbygo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	msbygo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	msbygo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	msbygo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	msbygo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	msbygo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	msbygo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	msbygo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	msbygo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	msbygo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	msbygo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	whljbuilgrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	msbygo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	whljbuilgrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	msbygo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	msbygo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	msbygo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	msbygo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	msbygo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	msbygo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	msbygo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	whljbuilgrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	whljbuilgrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	whljbuilgrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	msbygo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	msbygo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	msbygo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	msbygo.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8ffa0d45d09347276beea00bea0457c9.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3316
- C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
  "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_8ffa0d45d09347276beea00bea0457c9.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1088
- - C:\Users\Admin\AppData\Local\Temp\msbygo.exe
    "C:\Users\Admin\AppData\Local\Temp\msbygo.exe" "-c:\users\admin\appdata\local\temp\jaffacakes118_8ffa0d45d09347276beea00bea0457c9.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:924
- - C:\Users\Admin\AppData\Local\Temp\msbygo.exe
    "C:\Users\Admin\AppData\Local\Temp\msbygo.exe" "-c:\users\admin\appdata\local\temp\jaffacakes118_8ffa0d45d09347276beea00bea0457c9.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgdokgzvtnhubcebnoif.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Windows\mgdokgzvtnhubcebnoif.exe
  mgdokgzvtnhubcebnoif.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsoytogbyrkwccdzkkd.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:1844
- C:\Windows\zsoytogbyrkwccdzkkd.exe
  zsoytogbyrkwccdzkkd.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1892
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\zsoytogbyrkwccdzkkd.exe*."
    3⤵
    - Executes dropped EXE
    PID:4720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgdokgzvtnhubcebnoif.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Windows\mgdokgzvtnhubcebnoif.exe
  mgdokgzvtnhubcebnoif.exe
  2⤵
  - Executes dropped EXE
  PID:988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogbkeypjfxpafeezji.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:5108
- C:\Windows\ogbkeypjfxpafeezji.exe
  ogbkeypjfxpafeezji.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4852
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\ogbkeypjfxpafeezji.exe*."
    3⤵
    - Executes dropped EXE
    PID:5028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
  C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:3288
- C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
  C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1408
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\fwqyrkatofwgkihbk.exe*."
    3⤵
    - Executes dropped EXE
    PID:4836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2624
- C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
  C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
  2⤵
  - Executes dropped EXE
  PID:4384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:3748
- C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe
  C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4940
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\mgdokgzvtnhubcebnoif.exe*."
    3⤵
    - Executes dropped EXE
    PID:4536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsoytogbyrkwccdzkkd.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Windows\zsoytogbyrkwccdzkkd.exe
  zsoytogbyrkwccdzkkd.exe
  2⤵
  - Executes dropped EXE
  PID:1156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgdokgzvtnhubcebnoif.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Windows\mgdokgzvtnhubcebnoif.exe
  mgdokgzvtnhubcebnoif.exe
  2⤵
  - Executes dropped EXE
  PID:4540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwqyrkatofwgkihbk.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Windows\fwqyrkatofwgkihbk.exe
  fwqyrkatofwgkihbk.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\fwqyrkatofwgkihbk.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yohogynfzpforomf.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:452
- C:\Windows\yohogynfzpforomf.exe
  yohogynfzpforomf.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4448
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\yohogynfzpforomf.exe*."
    3⤵
    - Executes dropped EXE
    PID:2260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwugdaurqlgucehfsupnz.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Windows\bwugdaurqlgucehfsupnz.exe
  bwugdaurqlgucehfsupnz.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgdokgzvtnhubcebnoif.exe
1⤵
PID:2684
- C:\Windows\mgdokgzvtnhubcebnoif.exe
  mgdokgzvtnhubcebnoif.exe
  2⤵
  - Executes dropped EXE
  PID:1592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yohogynfzpforomf.exe .
1⤵
PID:5068
- C:\Windows\yohogynfzpforomf.exe
  yohogynfzpforomf.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3844
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\yohogynfzpforomf.exe*."
    3⤵
    - Executes dropped EXE
    PID:2372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
1⤵
PID:3680
- C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
  C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwqyrkatofwgkihbk.exe .
1⤵
PID:3888
- C:\Windows\fwqyrkatofwgkihbk.exe
  fwqyrkatofwgkihbk.exe .
  2⤵
  - Executes dropped EXE
  PID:1320
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\fwqyrkatofwgkihbk.exe*."
    3⤵
    - Executes dropped EXE
    PID:3568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe .
1⤵
PID:4500
- C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
  C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1492
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\bwugdaurqlgucehfsupnz.exe*."
    3⤵
    - Executes dropped EXE
    PID:3808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
1⤵
PID:3752
- C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
  C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
  2⤵
  - Executes dropped EXE
  PID:2692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe .
1⤵
PID:4536
- C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe
  C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:452
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\mgdokgzvtnhubcebnoif.exe*."
    3⤵
    - Executes dropped EXE
    PID:3884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe
1⤵
PID:4580
- C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe
  C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
1⤵
PID:3360
- C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
  C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
  2⤵
  - Executes dropped EXE
  PID:1324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe .
1⤵
PID:1280
- C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe
  C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1528
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\mgdokgzvtnhubcebnoif.exe*."
    3⤵
    - Executes dropped EXE
    PID:1324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe .
1⤵
PID:1844
- C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
  C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2684
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\fwqyrkatofwgkihbk.exe*."
    3⤵
    - Executes dropped EXE
    PID:4724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwugdaurqlgucehfsupnz.exe
1⤵
PID:4392
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4448
- C:\Windows\bwugdaurqlgucehfsupnz.exe
  bwugdaurqlgucehfsupnz.exe
  2⤵
  - Executes dropped EXE
  PID:3040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsoytogbyrkwccdzkkd.exe .
1⤵
PID:3692
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5028
- C:\Windows\zsoytogbyrkwccdzkkd.exe
  zsoytogbyrkwccdzkkd.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3328
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\zsoytogbyrkwccdzkkd.exe*."
    3⤵
    - Executes dropped EXE
    PID:3544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsoytogbyrkwccdzkkd.exe
1⤵
PID:5008
- C:\Windows\zsoytogbyrkwccdzkkd.exe
  zsoytogbyrkwccdzkkd.exe
  2⤵
  - Executes dropped EXE
  PID:4656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgdokgzvtnhubcebnoif.exe .
1⤵
PID:668
- C:\Windows\mgdokgzvtnhubcebnoif.exe
  mgdokgzvtnhubcebnoif.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3064
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\mgdokgzvtnhubcebnoif.exe*."
    3⤵
    - Executes dropped EXE
    PID:4112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
1⤵
PID:4140
- C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
  C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
  2⤵
  - Executes dropped EXE
  PID:3644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe .
1⤵
PID:1796
- C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
  C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1260
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\yohogynfzpforomf.exe*."
    3⤵
    - Executes dropped EXE
    PID:4256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
1⤵
PID:2424
- C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
  C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
  2⤵
  - Executes dropped EXE
  PID:1408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe .
1⤵
PID:988
- C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
  C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2656
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\fwqyrkatofwgkihbk.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yohogynfzpforomf.exe
1⤵
PID:3832
- C:\Windows\yohogynfzpforomf.exe
  yohogynfzpforomf.exe
  2⤵
  - Executes dropped EXE
  PID:4296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogbkeypjfxpafeezji.exe .
1⤵
PID:1588
- C:\Windows\ogbkeypjfxpafeezji.exe
  ogbkeypjfxpafeezji.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1448
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\ogbkeypjfxpafeezji.exe*."
    3⤵
    - Executes dropped EXE
    PID:3288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsoytogbyrkwccdzkkd.exe
1⤵
PID:1688
- C:\Windows\zsoytogbyrkwccdzkkd.exe
  zsoytogbyrkwccdzkkd.exe
  2⤵
  - Executes dropped EXE
  PID:3748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yohogynfzpforomf.exe
1⤵
PID:3652
- C:\Windows\yohogynfzpforomf.exe
  yohogynfzpforomf.exe
  2⤵
  - Executes dropped EXE
  PID:3048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsoytogbyrkwccdzkkd.exe
1⤵
PID:2028
- C:\Windows\zsoytogbyrkwccdzkkd.exe
  zsoytogbyrkwccdzkkd.exe
  2⤵
  - Executes dropped EXE
  PID:4628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwqyrkatofwgkihbk.exe .
1⤵
PID:4112
- C:\Windows\fwqyrkatofwgkihbk.exe
  fwqyrkatofwgkihbk.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2224
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\fwqyrkatofwgkihbk.exe*."
    3⤵
    - Executes dropped EXE
    PID:692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogbkeypjfxpafeezji.exe .
1⤵
PID:1260
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4256
- C:\Windows\ogbkeypjfxpafeezji.exe
  ogbkeypjfxpafeezji.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5044
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\ogbkeypjfxpafeezji.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
1⤵
PID:3568
- C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
  C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
  2⤵
  PID:5752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwugdaurqlgucehfsupnz.exe .
1⤵
PID:1140
- C:\Windows\bwugdaurqlgucehfsupnz.exe
  bwugdaurqlgucehfsupnz.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4140
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\bwugdaurqlgucehfsupnz.exe*."
    3⤵
    PID:5164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe .
1⤵
PID:1408
- C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe
  C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1520
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\mgdokgzvtnhubcebnoif.exe*."
    3⤵
    PID:5228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsoytogbyrkwccdzkkd.exe
1⤵
PID:4724
- C:\Windows\zsoytogbyrkwccdzkkd.exe
  zsoytogbyrkwccdzkkd.exe
  2⤵
  - Executes dropped EXE
  PID:1688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwugdaurqlgucehfsupnz.exe
1⤵
PID:1696
- C:\Windows\bwugdaurqlgucehfsupnz.exe
  bwugdaurqlgucehfsupnz.exe
  2⤵
  PID:4468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwqyrkatofwgkihbk.exe .
1⤵
PID:2460
- C:\Windows\fwqyrkatofwgkihbk.exe
  fwqyrkatofwgkihbk.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3956
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\fwqyrkatofwgkihbk.exe*."
    3⤵
    PID:5196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
1⤵
PID:3808
- C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
  C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
  2⤵
  PID:1720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yohogynfzpforomf.exe .
1⤵
PID:4020
- C:\Windows\yohogynfzpforomf.exe
  yohogynfzpforomf.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2624
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\yohogynfzpforomf.exe*."
    3⤵
    PID:5504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
1⤵
PID:5036
- C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
  C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
  2⤵
  PID:1940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe .
1⤵
PID:4296
- C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe
  C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe .
  2⤵
  - Checks computer location settings
  PID:5136
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\ogbkeypjfxpafeezji.exe*."
    3⤵
    PID:5572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
1⤵
PID:4940
- C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
  C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
  2⤵
  PID:5312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe .
1⤵
PID:4500
- C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
  C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe .
  2⤵
  - Checks computer location settings
  PID:5332
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\bwugdaurqlgucehfsupnz.exe*."
    3⤵
    PID:5596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe .
1⤵
PID:1448
- C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe
  C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2144
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\mgdokgzvtnhubcebnoif.exe*."
    3⤵
    PID:5380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
1⤵
PID:5004
- C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
  C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
  2⤵
  PID:5728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
1⤵
PID:2640
- C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
  C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
  2⤵
  PID:5400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe .
1⤵
PID:1088
- C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe
  C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5372
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\zsoytogbyrkwccdzkkd.exe*."
    3⤵
    PID:5612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe .
1⤵
PID:2028
- C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe
  C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5364
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\zsoytogbyrkwccdzkkd.exe*."
    3⤵
    PID:5652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yohogynfzpforomf.exe
1⤵
PID:5424
- C:\Windows\yohogynfzpforomf.exe
  yohogynfzpforomf.exe
  2⤵
  PID:5680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yohogynfzpforomf.exe .
1⤵
PID:5620
- C:\Windows\yohogynfzpforomf.exe
  yohogynfzpforomf.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5720
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\yohogynfzpforomf.exe*."
    3⤵
    PID:5840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogbkeypjfxpafeezji.exe
1⤵
PID:5784
- C:\Windows\ogbkeypjfxpafeezji.exe
  ogbkeypjfxpafeezji.exe
  2⤵
  PID:5896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwqyrkatofwgkihbk.exe .
1⤵
PID:5856
- C:\Windows\fwqyrkatofwgkihbk.exe
  fwqyrkatofwgkihbk.exe .
  2⤵
  - Checks computer location settings
  PID:5960
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\fwqyrkatofwgkihbk.exe*."
    3⤵
    PID:6128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe
1⤵
PID:5932
- C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe
  C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe
  2⤵
  PID:6104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe .
1⤵
PID:6028
- C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe
  C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3084
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\zsoytogbyrkwccdzkkd.exe*."
    3⤵
    PID:2456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
1⤵
PID:4988
- C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
  C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
  2⤵
  PID:2788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe .
1⤵
PID:1320
- C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe
  C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4656
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\mgdokgzvtnhubcebnoif.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yohogynfzpforomf.exe
1⤵
PID:5292
- C:\Windows\yohogynfzpforomf.exe
  yohogynfzpforomf.exe
  2⤵
  PID:5316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgdokgzvtnhubcebnoif.exe .
1⤵
PID:5312
- C:\Windows\mgdokgzvtnhubcebnoif.exe
  mgdokgzvtnhubcebnoif.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4936
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\mgdokgzvtnhubcebnoif.exe*."
    3⤵
    PID:3736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwqyrkatofwgkihbk.exe
1⤵
PID:1844
- C:\Windows\fwqyrkatofwgkihbk.exe
  fwqyrkatofwgkihbk.exe
  2⤵
  PID:2148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yohogynfzpforomf.exe .
1⤵
PID:2416
- C:\Windows\yohogynfzpforomf.exe
  yohogynfzpforomf.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5160
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\yohogynfzpforomf.exe*."
    3⤵
    PID:2984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
1⤵
PID:1408
- C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
  C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
  2⤵
  PID:5572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe .
1⤵
PID:5540
- C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
  C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3832
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\fwqyrkatofwgkihbk.exe*."
    3⤵
    PID:1892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
1⤵
PID:5460
- C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
  C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
  2⤵
  PID:5412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe .
1⤵
PID:3280
- C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
  C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5616
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\bwugdaurqlgucehfsupnz.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsoytogbyrkwccdzkkd.exe
1⤵
PID:5652
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3644
- C:\Windows\zsoytogbyrkwccdzkkd.exe
  zsoytogbyrkwccdzkkd.exe
  2⤵
  PID:4948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsoytogbyrkwccdzkkd.exe .
1⤵
PID:5692
- C:\Windows\zsoytogbyrkwccdzkkd.exe
  zsoytogbyrkwccdzkkd.exe .
  2⤵
  - Checks computer location settings
  PID:1124
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\zsoytogbyrkwccdzkkd.exe*."
    3⤵
    PID:3560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwqyrkatofwgkihbk.exe
1⤵
PID:5408
- C:\Windows\fwqyrkatofwgkihbk.exe
  fwqyrkatofwgkihbk.exe
  2⤵
  PID:4996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwugdaurqlgucehfsupnz.exe .
1⤵
PID:4692
- C:\Windows\bwugdaurqlgucehfsupnz.exe
  bwugdaurqlgucehfsupnz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3040
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\bwugdaurqlgucehfsupnz.exe*."
    3⤵
    PID:4460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
1⤵
PID:680
- C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
  C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
  2⤵
  PID:5808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe .
1⤵
PID:5800
- C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe
  C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5912
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\mgdokgzvtnhubcebnoif.exe*."
    3⤵
    PID:5640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
1⤵
PID:5788
- C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
  C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
  2⤵
  PID:6140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe .
1⤵
PID:6020
- C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe
  C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1404
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\ogbkeypjfxpafeezji.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgdokgzvtnhubcebnoif.exe
1⤵
PID:4544
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5076
- C:\Windows\mgdokgzvtnhubcebnoif.exe
  mgdokgzvtnhubcebnoif.exe
  2⤵
  PID:6028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwqyrkatofwgkihbk.exe .
1⤵
PID:2472
- C:\Windows\fwqyrkatofwgkihbk.exe
  fwqyrkatofwgkihbk.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1800
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\fwqyrkatofwgkihbk.exe*."
    3⤵
    PID:5200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsoytogbyrkwccdzkkd.exe
1⤵
PID:1836
- C:\Windows\zsoytogbyrkwccdzkkd.exe
  zsoytogbyrkwccdzkkd.exe
  2⤵
  PID:2288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwqyrkatofwgkihbk.exe .
1⤵
PID:1212
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1592
- C:\Windows\fwqyrkatofwgkihbk.exe
  fwqyrkatofwgkihbk.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2424
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\fwqyrkatofwgkihbk.exe*."
    3⤵
    PID:5244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
1⤵
PID:2152
- C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
  C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
  2⤵
  PID:2688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe .
1⤵
PID:5220
- C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe
  C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:628
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\mgdokgzvtnhubcebnoif.exe*."
    3⤵
    PID:4200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
1⤵
PID:1288
- C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
  C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
  2⤵
  PID:896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe .
1⤵
PID:1300
- C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe
  C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5188
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\mgdokgzvtnhubcebnoif.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgdokgzvtnhubcebnoif.exe
1⤵
PID:5136
- C:\Windows\mgdokgzvtnhubcebnoif.exe
  mgdokgzvtnhubcebnoif.exe
  2⤵
  PID:5508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogbkeypjfxpafeezji.exe .
1⤵
PID:5284
- C:\Windows\ogbkeypjfxpafeezji.exe
  ogbkeypjfxpafeezji.exe .
  2⤵
  - Checks computer location settings
  PID:3328
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\ogbkeypjfxpafeezji.exe*."
    3⤵
    PID:5340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgdokgzvtnhubcebnoif.exe
1⤵
PID:3544
- C:\Windows\mgdokgzvtnhubcebnoif.exe
  mgdokgzvtnhubcebnoif.exe
  2⤵
  PID:5296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogbkeypjfxpafeezji.exe .
1⤵
PID:5132
- C:\Windows\ogbkeypjfxpafeezji.exe
  ogbkeypjfxpafeezji.exe .
  2⤵
  - Checks computer location settings
  PID:5468
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\ogbkeypjfxpafeezji.exe*."
    3⤵
    PID:5600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe
1⤵
PID:5644
- C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe
  C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe
  2⤵
  PID:5484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe .
1⤵
PID:4468
- C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe
  C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1844
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\zsoytogbyrkwccdzkkd.exe*."
    3⤵
    PID:4052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
1⤵
PID:5044
- C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
  C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
  2⤵
  PID:5708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe .
1⤵
PID:464
- C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
  C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1124
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\yohogynfzpforomf.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgdokgzvtnhubcebnoif.exe
1⤵
PID:5204
- C:\Windows\mgdokgzvtnhubcebnoif.exe
  mgdokgzvtnhubcebnoif.exe
  2⤵
  PID:5060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwugdaurqlgucehfsupnz.exe .
1⤵
PID:4132
- C:\Windows\bwugdaurqlgucehfsupnz.exe
  bwugdaurqlgucehfsupnz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3040
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\bwugdaurqlgucehfsupnz.exe*."
    3⤵
    PID:5696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwqyrkatofwgkihbk.exe
1⤵
PID:5756
- C:\Windows\fwqyrkatofwgkihbk.exe
  fwqyrkatofwgkihbk.exe
  2⤵
  PID:5764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwqyrkatofwgkihbk.exe .
1⤵
PID:4644
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3568
- C:\Windows\fwqyrkatofwgkihbk.exe
  fwqyrkatofwgkihbk.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:6064
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\fwqyrkatofwgkihbk.exe*."
    3⤵
    PID:4072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
1⤵
PID:6140
- C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
  C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
  2⤵
  PID:6012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe .
1⤵
PID:5948
- C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
  C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:436
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\bwugdaurqlgucehfsupnz.exe*."
    3⤵
    PID:1312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwugdaurqlgucehfsupnz.exe
1⤵
PID:5908
- C:\Windows\bwugdaurqlgucehfsupnz.exe
  bwugdaurqlgucehfsupnz.exe
  2⤵
  PID:5080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsoytogbyrkwccdzkkd.exe
1⤵
PID:6016
- C:\Windows\zsoytogbyrkwccdzkkd.exe
  zsoytogbyrkwccdzkkd.exe
  2⤵
  PID:780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
1⤵
PID:1896
- C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
  C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
  2⤵
  PID:1880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgdokgzvtnhubcebnoif.exe .
1⤵
PID:1872
- C:\Windows\mgdokgzvtnhubcebnoif.exe
  mgdokgzvtnhubcebnoif.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5228
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\mgdokgzvtnhubcebnoif.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwugdaurqlgucehfsupnz.exe .
1⤵
PID:2472
- C:\Windows\bwugdaurqlgucehfsupnz.exe
  bwugdaurqlgucehfsupnz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1456
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\bwugdaurqlgucehfsupnz.exe*."
    3⤵
    PID:4380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe .
1⤵
PID:3372
- C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe
  C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe .
  2⤵
  - Checks computer location settings
  PID:2932
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\ogbkeypjfxpafeezji.exe*."
    3⤵
    PID:3544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsoytogbyrkwccdzkkd.exe
1⤵
PID:2812
- C:\Windows\zsoytogbyrkwccdzkkd.exe
  zsoytogbyrkwccdzkkd.exe
  2⤵
  PID:4564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsoytogbyrkwccdzkkd.exe
1⤵
PID:2424
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1260
- C:\Windows\zsoytogbyrkwccdzkkd.exe
  zsoytogbyrkwccdzkkd.exe
  2⤵
  PID:4116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgdokgzvtnhubcebnoif.exe .
1⤵
PID:1864
- C:\Windows\mgdokgzvtnhubcebnoif.exe
  mgdokgzvtnhubcebnoif.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5336
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\mgdokgzvtnhubcebnoif.exe*."
    3⤵
    PID:4060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwqyrkatofwgkihbk.exe .
1⤵
PID:4200
- C:\Windows\fwqyrkatofwgkihbk.exe
  fwqyrkatofwgkihbk.exe .
  2⤵
  - Checks computer location settings
  PID:5348
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\fwqyrkatofwgkihbk.exe*."
    3⤵
    PID:4996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
1⤵
PID:5184
- C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
  C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
  2⤵
  PID:5648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe
1⤵
PID:1288
- C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe
  C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe
  2⤵
  PID:3116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe .
1⤵
PID:3648
- C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
  C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5044
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\fwqyrkatofwgkihbk.exe*."
    3⤵
    PID:5844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe .
1⤵
PID:320
- C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe
  C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5616
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\ogbkeypjfxpafeezji.exe*."
    3⤵
    PID:2028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
1⤵
PID:5340
- C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
  C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
  2⤵
  PID:1528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe
1⤵
PID:2392
- C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe
  C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe
  2⤵
  PID:2260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe .
1⤵
PID:5468
- C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
  C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5736
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\bwugdaurqlgucehfsupnz.exe*."
    3⤵
    PID:1724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe .
1⤵
PID:5036
- C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe
  C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:464
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\mgdokgzvtnhubcebnoif.exe*."
    3⤵
    PID:4104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yohogynfzpforomf.exe
1⤵
PID:1124
- C:\Windows\yohogynfzpforomf.exe
  yohogynfzpforomf.exe
  2⤵
  PID:624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgdokgzvtnhubcebnoif.exe .
1⤵
PID:2224
- C:\Windows\mgdokgzvtnhubcebnoif.exe
  mgdokgzvtnhubcebnoif.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5084
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\mgdokgzvtnhubcebnoif.exe*."
    3⤵
    PID:5888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogbkeypjfxpafeezji.exe
1⤵
PID:5852
- C:\Windows\ogbkeypjfxpafeezji.exe
  ogbkeypjfxpafeezji.exe
  2⤵
  PID:5956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yohogynfzpforomf.exe .
1⤵
PID:5968
- C:\Windows\yohogynfzpforomf.exe
  yohogynfzpforomf.exe .
  2⤵
  - Checks computer location settings
  PID:6128
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\yohogynfzpforomf.exe*."
    3⤵
    PID:6124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe
1⤵
PID:1404
- C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe
  C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe
  2⤵
  PID:5076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe .
1⤵
PID:6076
- C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe
  C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:6060
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\ogbkeypjfxpafeezji.exe*."
    3⤵
    PID:6024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
1⤵
PID:5924
- C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
  C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
  2⤵
  PID:2456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe .
1⤵
PID:468
- C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
  C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:708
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\fwqyrkatofwgkihbk.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsoytogbyrkwccdzkkd.exe
1⤵
PID:5300
- C:\Windows\zsoytogbyrkwccdzkkd.exe
  zsoytogbyrkwccdzkkd.exe
  2⤵
  PID:3628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yohogynfzpforomf.exe .
1⤵
PID:3948
- C:\Windows\yohogynfzpforomf.exe
  yohogynfzpforomf.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4276
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\yohogynfzpforomf.exe*."
    3⤵
    PID:5628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwqyrkatofwgkihbk.exe
1⤵
PID:2636
- C:\Windows\fwqyrkatofwgkihbk.exe
  fwqyrkatofwgkihbk.exe
  2⤵
  PID:2288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yohogynfzpforomf.exe .
1⤵
PID:2628
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5680
- C:\Windows\yohogynfzpforomf.exe
  yohogynfzpforomf.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5356
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\yohogynfzpforomf.exe*."
    3⤵
    PID:1264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe
1⤵
PID:2500
- C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe
  C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe
  2⤵
  PID:2812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe .
1⤵
PID:5220
- C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
  C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4020
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\fwqyrkatofwgkihbk.exe*."
    3⤵
    PID:5380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
1⤵
PID:1520
- C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
  C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
  2⤵
  PID:5292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe .
1⤵
PID:3020
- C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe
  C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2724
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\ogbkeypjfxpafeezji.exe*."
    3⤵
    PID:644

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:1720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsoytogbyrkwccdzkkd.exe
1⤵
PID:5280
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:6140
- C:\Windows\zsoytogbyrkwccdzkkd.exe
  zsoytogbyrkwccdzkkd.exe
  2⤵
  PID:1788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yohogynfzpforomf.exe
1⤵
PID:3084
- C:\Windows\yohogynfzpforomf.exe
  yohogynfzpforomf.exe
  2⤵
  PID:6032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogbkeypjfxpafeezji.exe .
1⤵
PID:5832
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:6104
- C:\Windows\ogbkeypjfxpafeezji.exe
  ogbkeypjfxpafeezji.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3528
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\ogbkeypjfxpafeezji.exe*."
    3⤵
    PID:5304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwqyrkatofwgkihbk.exe .
1⤵
PID:1876
- C:\Windows\fwqyrkatofwgkihbk.exe
  fwqyrkatofwgkihbk.exe .
  2⤵
  PID:628
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\fwqyrkatofwgkihbk.exe*."
    3⤵
    PID:368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwqyrkatofwgkihbk.exe
1⤵
PID:3928
- C:\Windows\fwqyrkatofwgkihbk.exe
  fwqyrkatofwgkihbk.exe
  2⤵
  PID:5300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsoytogbyrkwccdzkkd.exe
1⤵
PID:2296
- C:\Windows\zsoytogbyrkwccdzkkd.exe
  zsoytogbyrkwccdzkkd.exe
  2⤵
  PID:1260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsoytogbyrkwccdzkkd.exe .
1⤵
PID:5108
- C:\Windows\zsoytogbyrkwccdzkkd.exe
  zsoytogbyrkwccdzkkd.exe .
  2⤵
  PID:2144
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\zsoytogbyrkwccdzkkd.exe*."
    3⤵
    PID:4632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogbkeypjfxpafeezji.exe .
1⤵
PID:1636
- C:\Windows\ogbkeypjfxpafeezji.exe
  ogbkeypjfxpafeezji.exe .
  2⤵
  PID:1492
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\ogbkeypjfxpafeezji.exe*."
    3⤵
    PID:5508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
1⤵
PID:1148
- C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
  C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
  2⤵
  PID:5504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe
1⤵
PID:1444
- C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe
  C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe
  2⤵
  PID:5860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe .
1⤵
PID:1824
- C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
  C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe .
  2⤵
  PID:1996
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\fwqyrkatofwgkihbk.exe*."
    3⤵
    PID:5408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe .
1⤵
PID:1456
- C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe
  C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe .
  2⤵
  PID:5404
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\ogbkeypjfxpafeezji.exe*."
    3⤵
    PID:3280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
1⤵
PID:880
- C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
  C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
  2⤵
  PID:5844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe .
1⤵
PID:4100
- C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe
  C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe .
  2⤵
  PID:4664
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\ogbkeypjfxpafeezji.exe*."
    3⤵
    PID:5828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
1⤵
PID:4216
- C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
  C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
  2⤵
  PID:1844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe .
1⤵
PID:5292
- C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe
  C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe .
  2⤵
  PID:5740
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\ogbkeypjfxpafeezji.exe*."
    3⤵
    PID:5960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yohogynfzpforomf.exe
1⤵
PID:2768
- C:\Windows\yohogynfzpforomf.exe
  yohogynfzpforomf.exe
  2⤵
  PID:5876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwqyrkatofwgkihbk.exe .
1⤵
PID:3844
- C:\Windows\fwqyrkatofwgkihbk.exe
  fwqyrkatofwgkihbk.exe .
  2⤵
  PID:5140
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\fwqyrkatofwgkihbk.exe*."
    3⤵
    PID:5944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsoytogbyrkwccdzkkd.exe
1⤵
PID:5264
- C:\Windows\zsoytogbyrkwccdzkkd.exe
  zsoytogbyrkwccdzkkd.exe
  2⤵
  PID:5660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwugdaurqlgucehfsupnz.exe .
1⤵
PID:5036
- C:\Windows\bwugdaurqlgucehfsupnz.exe
  bwugdaurqlgucehfsupnz.exe .
  2⤵
  PID:6136
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\bwugdaurqlgucehfsupnz.exe*."
    3⤵
    PID:3188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe
1⤵
PID:1172
- C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe
  C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe
  2⤵
  PID:4544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe .
1⤵
PID:6008
- C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
  C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe .
  2⤵
  PID:5800
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\yohogynfzpforomf.exe*."
    3⤵
    PID:5080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
1⤵
PID:1960
- C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
  C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
  2⤵
  PID:4428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe .
1⤵
PID:2688
- C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe
  C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe .
  2⤵
  PID:452
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\zsoytogbyrkwccdzkkd.exe*."
    3⤵
    PID:692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgdokgzvtnhubcebnoif.exe
1⤵
PID:3628
- C:\Windows\mgdokgzvtnhubcebnoif.exe
  mgdokgzvtnhubcebnoif.exe
  2⤵
  PID:4164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsoytogbyrkwccdzkkd.exe .
1⤵
PID:1212
- C:\Windows\zsoytogbyrkwccdzkkd.exe
  zsoytogbyrkwccdzkkd.exe .
  2⤵
  PID:3928
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\zsoytogbyrkwccdzkkd.exe*."
    3⤵
    PID:1876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yohogynfzpforomf.exe
1⤵
PID:3756
- C:\Windows\yohogynfzpforomf.exe
  yohogynfzpforomf.exe
  2⤵
  PID:3064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsoytogbyrkwccdzkkd.exe .
1⤵
PID:1880
- C:\Windows\zsoytogbyrkwccdzkkd.exe
  zsoytogbyrkwccdzkkd.exe .
  2⤵
  PID:3808
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\zsoytogbyrkwccdzkkd.exe*."
    3⤵
    PID:3432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe
1⤵
PID:5168
- C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe
  C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe
  2⤵
  PID:5108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe .
1⤵
PID:4008
- C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
  C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe .
  2⤵
  PID:5808
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\bwugdaurqlgucehfsupnz.exe*."
    3⤵
    PID:5204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe
1⤵
PID:2656
- C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe
  C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe
  2⤵
  PID:4992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe .
1⤵
PID:5440
- C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe
  C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe .
  2⤵
  PID:4780
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\mgdokgzvtnhubcebnoif.exe*."
    3⤵
    PID:5044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwqyrkatofwgkihbk.exe
1⤵
PID:4700
- C:\Windows\fwqyrkatofwgkihbk.exe
  fwqyrkatofwgkihbk.exe
  2⤵
  PID:5576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yohogynfzpforomf.exe
1⤵
PID:5260
- C:\Windows\yohogynfzpforomf.exe
  yohogynfzpforomf.exe
  2⤵
  PID:5648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgdokgzvtnhubcebnoif.exe .
1⤵
PID:2500
- C:\Windows\mgdokgzvtnhubcebnoif.exe
  mgdokgzvtnhubcebnoif.exe .
  2⤵
  PID:1824
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\mgdokgzvtnhubcebnoif.exe*."
    3⤵
    PID:5960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yohogynfzpforomf.exe .
1⤵
PID:1864
- C:\Windows\yohogynfzpforomf.exe
  yohogynfzpforomf.exe .
  2⤵
  PID:5736
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\yohogynfzpforomf.exe*."
    3⤵
    PID:5956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwugdaurqlgucehfsupnz.exe
1⤵
PID:5596
- C:\Windows\bwugdaurqlgucehfsupnz.exe
  bwugdaurqlgucehfsupnz.exe
  2⤵
  PID:4544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwugdaurqlgucehfsupnz.exe .
1⤵
PID:5632
- C:\Windows\bwugdaurqlgucehfsupnz.exe
  bwugdaurqlgucehfsupnz.exe .
  2⤵
  PID:5888
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\bwugdaurqlgucehfsupnz.exe*."
    3⤵
    PID:4580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogbkeypjfxpafeezji.exe
1⤵
PID:5660
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5616
- C:\Windows\ogbkeypjfxpafeezji.exe
  ogbkeypjfxpafeezji.exe
  2⤵
  PID:2000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe
1⤵
PID:3780
- C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe
  C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe
  2⤵
  PID:5036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogbkeypjfxpafeezji.exe .
1⤵
PID:3832
- C:\Windows\ogbkeypjfxpafeezji.exe
  ogbkeypjfxpafeezji.exe .
  2⤵
  PID:784
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\ogbkeypjfxpafeezji.exe*."
    3⤵
    PID:2260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe .
1⤵
PID:5868
- C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
  C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe .
  2⤵
  PID:6016
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\yohogynfzpforomf.exe*."
    3⤵
    PID:2724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
1⤵
PID:4612
- C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
  C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
  2⤵
  PID:780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe .
1⤵
PID:5768
- C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe
  C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe .
  2⤵
  PID:2288
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\zsoytogbyrkwccdzkkd.exe*."
    3⤵
    PID:5320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
1⤵
PID:5444
- C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
  C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
  2⤵
  PID:5156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe .
1⤵
PID:6008
- C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
  C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe .
  2⤵
  PID:708
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\bwugdaurqlgucehfsupnz.exe*."
    3⤵
    PID:5204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yohogynfzpforomf.exe
1⤵
PID:5604
- C:\Windows\yohogynfzpforomf.exe
  yohogynfzpforomf.exe
  2⤵
  PID:5516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
1⤵
PID:6096
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3084
- C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
  C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
  2⤵
  PID:4940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe .
1⤵
PID:5312
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5600
- C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
  C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe .
  2⤵
  PID:3640
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\bwugdaurqlgucehfsupnz.exe*."
    3⤵
    PID:5416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwugdaurqlgucehfsupnz.exe .
1⤵
PID:1260
- C:\Windows\bwugdaurqlgucehfsupnz.exe
  bwugdaurqlgucehfsupnz.exe .
  2⤵
  PID:5452
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\bwugdaurqlgucehfsupnz.exe*."
    3⤵
    PID:1444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yohogynfzpforomf.exe
1⤵
PID:5568
- C:\Windows\yohogynfzpforomf.exe
  yohogynfzpforomf.exe
  2⤵
  PID:1312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsoytogbyrkwccdzkkd.exe .
1⤵
PID:5448
- C:\Windows\zsoytogbyrkwccdzkkd.exe
  zsoytogbyrkwccdzkkd.exe .
  2⤵
  PID:5068
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\zsoytogbyrkwccdzkkd.exe*."
    3⤵
    PID:3220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
1⤵
PID:2208
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5808
- C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
  C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
  2⤵
  PID:6028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe .
1⤵
PID:5588
- C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe
  C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe .
  2⤵
  PID:2788
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\ogbkeypjfxpafeezji.exe*."
    3⤵
    PID:5880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
1⤵
PID:640
- C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
  C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
  2⤵
  PID:4464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe .
1⤵
PID:5316
- C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe
  C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe .
  2⤵
  PID:4500
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\mgdokgzvtnhubcebnoif.exe*."
    3⤵
    PID:5536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgdokgzvtnhubcebnoif.exe
1⤵
PID:2300
- C:\Windows\mgdokgzvtnhubcebnoif.exe
  mgdokgzvtnhubcebnoif.exe
  2⤵
  PID:5852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwugdaurqlgucehfsupnz.exe .
1⤵
PID:3692
- C:\Windows\bwugdaurqlgucehfsupnz.exe
  bwugdaurqlgucehfsupnz.exe .
  2⤵
  PID:4380
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\bwugdaurqlgucehfsupnz.exe*."
    3⤵
    PID:5080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yohogynfzpforomf.exe
1⤵
PID:4628
- C:\Windows\yohogynfzpforomf.exe
  yohogynfzpforomf.exe
  2⤵
  PID:1800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yohogynfzpforomf.exe .
1⤵
PID:1456
- C:\Windows\yohogynfzpforomf.exe
  yohogynfzpforomf.exe .
  2⤵
  PID:1864
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\yohogynfzpforomf.exe*."
    3⤵
    PID:4164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe
1⤵
PID:5580
- C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe
  C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe
  2⤵
  PID:5156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe .
1⤵
PID:6076
- C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe
  C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe .
  2⤵
  PID:3884
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\ogbkeypjfxpafeezji.exe*."
    3⤵
    PID:5188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe
1⤵
PID:5420
- C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe
  C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe
  2⤵
  PID:3060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe .
1⤵
PID:2796
- C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
  C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe .
  2⤵
  PID:5376
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\fwqyrkatofwgkihbk.exe*."
    3⤵
    PID:1408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsoytogbyrkwccdzkkd.exe
1⤵
PID:4768
- C:\Windows\zsoytogbyrkwccdzkkd.exe
  zsoytogbyrkwccdzkkd.exe
  2⤵
  PID:4388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogbkeypjfxpafeezji.exe .
1⤵
PID:2288
- C:\Windows\ogbkeypjfxpafeezji.exe
  ogbkeypjfxpafeezji.exe .
  2⤵
  PID:5320
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\ogbkeypjfxpafeezji.exe*."
    3⤵
    PID:5368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsoytogbyrkwccdzkkd.exe
1⤵
PID:2624
- C:\Windows\zsoytogbyrkwccdzkkd.exe
  zsoytogbyrkwccdzkkd.exe
  2⤵
  PID:5292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgdokgzvtnhubcebnoif.exe .
1⤵
PID:6060
- C:\Windows\mgdokgzvtnhubcebnoif.exe
  mgdokgzvtnhubcebnoif.exe .
  2⤵
  PID:4420
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\mgdokgzvtnhubcebnoif.exe*."
    3⤵
    PID:5128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe
1⤵
PID:4112
- C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe
  C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe
  2⤵
  PID:1720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe .
1⤵
PID:5400
- C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
  C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe .
  2⤵
  PID:1312
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\fwqyrkatofwgkihbk.exe*."
    3⤵
    PID:2656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
1⤵
PID:5920
- C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
  C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
  2⤵
  PID:4928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe .
1⤵
PID:5352
- C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe
  C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe .
  2⤵
  PID:3220
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\ogbkeypjfxpafeezji.exe*."
    3⤵
    PID:1132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogbkeypjfxpafeezji.exe
1⤵
PID:5832
- C:\Windows\ogbkeypjfxpafeezji.exe
  ogbkeypjfxpafeezji.exe
  2⤵
  PID:4992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwqyrkatofwgkihbk.exe .
1⤵
PID:1260
- C:\Windows\fwqyrkatofwgkihbk.exe
  fwqyrkatofwgkihbk.exe .
  2⤵
  PID:952
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\fwqyrkatofwgkihbk.exe*."
    3⤵
    PID:2876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogbkeypjfxpafeezji.exe
1⤵
PID:1532
- C:\Windows\ogbkeypjfxpafeezji.exe
  ogbkeypjfxpafeezji.exe
  2⤵
  PID:676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yohogynfzpforomf.exe .
1⤵
PID:640
- C:\Windows\yohogynfzpforomf.exe
  yohogynfzpforomf.exe .
  2⤵
  PID:5200
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\yohogynfzpforomf.exe*."
    3⤵
    PID:3172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
1⤵
PID:5076
- C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
  C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
  2⤵
  PID:3456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe .
1⤵
PID:1824
- C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe
  C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe .
  2⤵
  PID:2844
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\mgdokgzvtnhubcebnoif.exe*."
    3⤵
    PID:2768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
1⤵
PID:3844
- C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
  C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
  2⤵
  PID:2108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe .
1⤵
PID:5736
- C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
  C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe .
  2⤵
  PID:5640
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\bwugdaurqlgucehfsupnz.exe*."
    3⤵
    PID:3488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgdokgzvtnhubcebnoif.exe
1⤵
PID:5656
- C:\Windows\mgdokgzvtnhubcebnoif.exe
  mgdokgzvtnhubcebnoif.exe
  2⤵
  PID:5172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwugdaurqlgucehfsupnz.exe .
1⤵
PID:4140
- C:\Windows\bwugdaurqlgucehfsupnz.exe
  bwugdaurqlgucehfsupnz.exe .
  2⤵
  PID:3076
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\bwugdaurqlgucehfsupnz.exe*."
    3⤵
    PID:3780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwugdaurqlgucehfsupnz.exe
1⤵
PID:5188
- C:\Windows\bwugdaurqlgucehfsupnz.exe
  bwugdaurqlgucehfsupnz.exe
  2⤵
  PID:1688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yohogynfzpforomf.exe .
1⤵
PID:5884
- C:\Windows\yohogynfzpforomf.exe
  yohogynfzpforomf.exe .
  2⤵
  PID:6136
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\yohogynfzpforomf.exe*."
    3⤵
    PID:752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
1⤵
PID:4704
- C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
  C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
  2⤵
  PID:5164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe .
1⤵
PID:988
- C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
  C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe .
  2⤵
  PID:5584
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\yohogynfzpforomf.exe*."
    3⤵
    PID:5308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe
1⤵
PID:1268
- C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe
  C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe
  2⤵
  PID:2724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe .
1⤵
PID:4856
- C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
  C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe .
  2⤵
  PID:2216
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\bwugdaurqlgucehfsupnz.exe*."
    3⤵
    PID:3628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yohogynfzpforomf.exe
1⤵
PID:3320
- C:\Windows\yohogynfzpforomf.exe
  yohogynfzpforomf.exe
  2⤵
  PID:5380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwqyrkatofwgkihbk.exe .
1⤵
PID:5592
- C:\Windows\fwqyrkatofwgkihbk.exe
  fwqyrkatofwgkihbk.exe .
  2⤵
  PID:1312
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\fwqyrkatofwgkihbk.exe*."
    3⤵
    PID:5452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yohogynfzpforomf.exe
1⤵
PID:888
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2688
- C:\Windows\yohogynfzpforomf.exe
  yohogynfzpforomf.exe
  2⤵
  PID:2128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwugdaurqlgucehfsupnz.exe .
1⤵
PID:3668
- C:\Windows\bwugdaurqlgucehfsupnz.exe
  bwugdaurqlgucehfsupnz.exe .
  2⤵
  PID:3116
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\bwugdaurqlgucehfsupnz.exe*."
    3⤵
    PID:4780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe
1⤵
PID:5440
- C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe
  C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe
  2⤵
  PID:1300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe .
1⤵
PID:5416
- C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
  C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe .
  2⤵
  PID:3928
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\bwugdaurqlgucehfsupnz.exe*."
    3⤵
    PID:5832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe
1⤵
PID:6036
- C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe
  C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe
  2⤵
  PID:5508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe .
1⤵
PID:5880
- C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
  C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe .
  2⤵
  PID:6128
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\fwqyrkatofwgkihbk.exe*."
    3⤵
    PID:5220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yohogynfzpforomf.exe
1⤵
PID:5132
- C:\Windows\yohogynfzpforomf.exe
  yohogynfzpforomf.exe
  2⤵
  PID:5552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgdokgzvtnhubcebnoif.exe .
1⤵
PID:4772
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4948
- C:\Windows\mgdokgzvtnhubcebnoif.exe
  mgdokgzvtnhubcebnoif.exe .
  2⤵
  PID:640
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\mgdokgzvtnhubcebnoif.exe*."
    3⤵
    PID:1260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgdokgzvtnhubcebnoif.exe
1⤵
PID:2300
- C:\Windows\mgdokgzvtnhubcebnoif.exe
  mgdokgzvtnhubcebnoif.exe
  2⤵
  PID:2764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsoytogbyrkwccdzkkd.exe
1⤵
PID:3636
- C:\Windows\zsoytogbyrkwccdzkkd.exe
  zsoytogbyrkwccdzkkd.exe
  2⤵
  PID:3388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogbkeypjfxpafeezji.exe .
1⤵
PID:5232
- C:\Windows\ogbkeypjfxpafeezji.exe
  ogbkeypjfxpafeezji.exe .
  2⤵
  PID:5256
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\ogbkeypjfxpafeezji.exe*."
    3⤵
    PID:4600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsoytogbyrkwccdzkkd.exe
1⤵
PID:4544
- C:\Windows\zsoytogbyrkwccdzkkd.exe
  zsoytogbyrkwccdzkkd.exe
  2⤵
  PID:1456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwqyrkatofwgkihbk.exe .
1⤵
PID:1612
- C:\Windows\fwqyrkatofwgkihbk.exe
  fwqyrkatofwgkihbk.exe .
  2⤵
  PID:3288
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\fwqyrkatofwgkihbk.exe*."
    3⤵
    PID:1884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
1⤵
PID:2224
- C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
  C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
  2⤵
  PID:2640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwugdaurqlgucehfsupnz.exe
1⤵
PID:1744
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5080
- C:\Windows\bwugdaurqlgucehfsupnz.exe
  bwugdaurqlgucehfsupnz.exe
  2⤵
  PID:4856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwqyrkatofwgkihbk.exe .
1⤵
PID:2120
- C:\Windows\fwqyrkatofwgkihbk.exe
  fwqyrkatofwgkihbk.exe .
  2⤵
  PID:3360
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\fwqyrkatofwgkihbk.exe*."
    3⤵
    PID:3416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe .
1⤵
PID:5172
- C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe
  C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe .
  2⤵
  PID:396
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\zsoytogbyrkwccdzkkd.exe*."
    3⤵
    PID:4564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogbkeypjfxpafeezji.exe .
1⤵
PID:5544
- C:\Windows\ogbkeypjfxpafeezji.exe
  ogbkeypjfxpafeezji.exe .
  2⤵
  PID:3488
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\ogbkeypjfxpafeezji.exe*."
    3⤵
    PID:5532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe
1⤵
PID:5028
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5956
- C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe
  C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe
  2⤵
  PID:3280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwugdaurqlgucehfsupnz.exe
1⤵
PID:3212
- C:\Windows\bwugdaurqlgucehfsupnz.exe
  bwugdaurqlgucehfsupnz.exe
  2⤵
  PID:3640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe .
1⤵
PID:6032
- C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
  C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe .
  2⤵
  PID:2472
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\yohogynfzpforomf.exe*."
    3⤵
    PID:5876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsoytogbyrkwccdzkkd.exe .
1⤵
PID:4388
- C:\Windows\zsoytogbyrkwccdzkkd.exe
  zsoytogbyrkwccdzkkd.exe .
  2⤵
  PID:5988
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\zsoytogbyrkwccdzkkd.exe*."
    3⤵
    PID:5456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe
1⤵
PID:2144
- C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe
  C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe
  2⤵
  PID:2800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
1⤵
PID:5760
- C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
  C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
  2⤵
  PID:1624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe .
1⤵
PID:3740
- C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe
  C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe .
  2⤵
  PID:3580
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\mgdokgzvtnhubcebnoif.exe*."
    3⤵
    PID:4836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe .
1⤵
PID:5168
- C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe
  C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe .
  2⤵
  PID:1164
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\ogbkeypjfxpafeezji.exe*."
    3⤵
    PID:5576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe
1⤵
PID:5368
- C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe
  C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe
  2⤵
  PID:952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe .
1⤵
PID:1820
- C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe
  C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe .
  2⤵
  PID:5268
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\zsoytogbyrkwccdzkkd.exe*."
    3⤵
    PID:5912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
1⤵
PID:3608
- C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
  C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
  2⤵
  PID:5212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe .
1⤵
PID:468
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:6028
- C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe
  C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe .
  2⤵
  PID:6132
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\mgdokgzvtnhubcebnoif.exe*."
    3⤵
    PID:5724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwqyrkatofwgkihbk.exe
1⤵
PID:1288
- C:\Windows\fwqyrkatofwgkihbk.exe
  fwqyrkatofwgkihbk.exe
  2⤵
  PID:772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yohogynfzpforomf.exe .
1⤵
PID:1304
- C:\Windows\yohogynfzpforomf.exe
  yohogynfzpforomf.exe .
  2⤵
  PID:4692
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\yohogynfzpforomf.exe*."
    3⤵
    PID:5288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwqyrkatofwgkihbk.exe
1⤵
PID:5316
- C:\Windows\fwqyrkatofwgkihbk.exe
  fwqyrkatofwgkihbk.exe
  2⤵
  PID:4512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwugdaurqlgucehfsupnz.exe .
1⤵
PID:1260
- C:\Windows\bwugdaurqlgucehfsupnz.exe
  bwugdaurqlgucehfsupnz.exe .
  2⤵
  PID:5804
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\bwugdaurqlgucehfsupnz.exe*."
    3⤵
    PID:5864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe
1⤵
PID:4664
- C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe
  C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe
  2⤵
  PID:1592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe .
1⤵
PID:5388
- C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
  C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe .
  2⤵
  PID:2228
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\fwqyrkatofwgkihbk.exe*."
    3⤵
    PID:2092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
1⤵
PID:768
- C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
  C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
  2⤵
  PID:5472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe .
1⤵
PID:2188
- C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
  C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe .
  2⤵
  PID:3648
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\bwugdaurqlgucehfsupnz.exe*."
    3⤵
    PID:1872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgdokgzvtnhubcebnoif.exe
1⤵
PID:3588
- C:\Windows\mgdokgzvtnhubcebnoif.exe
  mgdokgzvtnhubcebnoif.exe
  2⤵
  PID:2148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogbkeypjfxpafeezji.exe .
1⤵
PID:3420
- C:\Windows\ogbkeypjfxpafeezji.exe
  ogbkeypjfxpafeezji.exe .
  2⤵
  PID:5400
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\ogbkeypjfxpafeezji.exe*."
    3⤵
    PID:5188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwqyrkatofwgkihbk.exe
1⤵
PID:3808
- C:\Windows\fwqyrkatofwgkihbk.exe
  fwqyrkatofwgkihbk.exe
  2⤵
  PID:5108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yohogynfzpforomf.exe .
1⤵
PID:5204
- C:\Windows\yohogynfzpforomf.exe
  yohogynfzpforomf.exe .
  2⤵
  PID:5544
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\yohogynfzpforomf.exe*."
    3⤵
    PID:368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe
1⤵
PID:3036
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4460
- C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe
  C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe
  2⤵
  PID:3528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe .
1⤵
PID:5800
- C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
  C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe .
  2⤵
  PID:5904
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\yohogynfzpforomf.exe*."
    3⤵
    PID:3484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
1⤵
PID:2472
- C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
  C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
  2⤵
  PID:5380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe .
1⤵
PID:5068
- C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
  C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe .
  2⤵
  PID:780
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\yohogynfzpforomf.exe*."
    3⤵
    PID:1144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwqyrkatofwgkihbk.exe
1⤵
PID:5236
- C:\Windows\fwqyrkatofwgkihbk.exe
  fwqyrkatofwgkihbk.exe
  2⤵
  PID:5732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yohogynfzpforomf.exe .
1⤵
PID:6124
- C:\Windows\yohogynfzpforomf.exe
  yohogynfzpforomf.exe .
  2⤵
  PID:5416
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\yohogynfzpforomf.exe*."
    3⤵
    PID:5976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwugdaurqlgucehfsupnz.exe
1⤵
PID:2944
- C:\Windows\bwugdaurqlgucehfsupnz.exe
  bwugdaurqlgucehfsupnz.exe
  2⤵
  PID:4748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgdokgzvtnhubcebnoif.exe .
1⤵
PID:6132
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1404
- C:\Windows\mgdokgzvtnhubcebnoif.exe
  mgdokgzvtnhubcebnoif.exe .
  2⤵
  PID:2516
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\mgdokgzvtnhubcebnoif.exe*."
    3⤵
    PID:5404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
1⤵
PID:952
- C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
  C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
  2⤵
  PID:4060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe .
1⤵
PID:4200
- C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe
  C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe .
  2⤵
  PID:6100
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\mgdokgzvtnhubcebnoif.exe*."
    3⤵
    PID:1836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
1⤵
PID:5816
- C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
  C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
  2⤵
  PID:2624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe .
1⤵
PID:3084
- C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe
  C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe .
  2⤵
  PID:4468
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\zsoytogbyrkwccdzkkd.exe*."
    3⤵
    PID:1304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yohogynfzpforomf.exe
1⤵
PID:5240
- C:\Windows\yohogynfzpforomf.exe
  yohogynfzpforomf.exe
  2⤵
  PID:1788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgdokgzvtnhubcebnoif.exe .
1⤵
PID:5176
- C:\Windows\mgdokgzvtnhubcebnoif.exe
  mgdokgzvtnhubcebnoif.exe .
  2⤵
  PID:464
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\mgdokgzvtnhubcebnoif.exe*."
    3⤵
    PID:2520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yohogynfzpforomf.exe
1⤵
PID:5180
- C:\Windows\yohogynfzpforomf.exe
  yohogynfzpforomf.exe
  2⤵
  PID:4164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgdokgzvtnhubcebnoif.exe .
1⤵
PID:4580
- C:\Windows\mgdokgzvtnhubcebnoif.exe
  mgdokgzvtnhubcebnoif.exe .
  2⤵
  PID:5472
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\mgdokgzvtnhubcebnoif.exe*."
    3⤵
    PID:5228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
1⤵
PID:5248
- C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
  C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
  2⤵
  PID:6024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe .
1⤵
PID:4780
- C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
  C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe .
  2⤵
  PID:2188
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\yohogynfzpforomf.exe*."
    3⤵
    PID:5484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe
1⤵
PID:668
- C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe
  C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe
  2⤵
  PID:3656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe .
1⤵
PID:5532
- C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe
  C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe .
  2⤵
  PID:5128
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\mgdokgzvtnhubcebnoif.exe*."
    3⤵
    PID:5768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwqyrkatofwgkihbk.exe
1⤵
PID:1532
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:628
- C:\Windows\fwqyrkatofwgkihbk.exe
  fwqyrkatofwgkihbk.exe
  2⤵
  PID:5740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwqyrkatofwgkihbk.exe .
1⤵
PID:3168
- C:\Windows\fwqyrkatofwgkihbk.exe
  fwqyrkatofwgkihbk.exe .
  2⤵
  PID:4460
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\fwqyrkatofwgkihbk.exe*."
    3⤵
    PID:1636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yohogynfzpforomf.exe
1⤵
PID:896
- C:\Windows\yohogynfzpforomf.exe
  yohogynfzpforomf.exe
  2⤵
  PID:5152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgdokgzvtnhubcebnoif.exe .
1⤵
PID:1672
- C:\Windows\mgdokgzvtnhubcebnoif.exe
  mgdokgzvtnhubcebnoif.exe .
  2⤵
  PID:3484
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\mgdokgzvtnhubcebnoif.exe*."
    3⤵
    PID:5480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe
1⤵
PID:5992
- C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe
  C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe
  2⤵
  PID:5764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe .
1⤵
PID:6032
- C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe
  C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe .
  2⤵
  PID:1540
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\zsoytogbyrkwccdzkkd.exe*."
    3⤵
    PID:784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe
1⤵
PID:3300
- C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe
  C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe
  2⤵
  PID:5720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe .
1⤵
PID:1408
- C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
  C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe .
  2⤵
  PID:5172
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\fwqyrkatofwgkihbk.exe*."
    3⤵
    PID:5268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwqyrkatofwgkihbk.exe
1⤵
PID:5312
- C:\Windows\fwqyrkatofwgkihbk.exe
  fwqyrkatofwgkihbk.exe
  2⤵
  PID:4020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yohogynfzpforomf.exe .
1⤵
PID:6028
- C:\Windows\yohogynfzpforomf.exe
  yohogynfzpforomf.exe .
  2⤵
  PID:5276
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\yohogynfzpforomf.exe*."
    3⤵
    PID:5900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogbkeypjfxpafeezji.exe
1⤵
PID:2636
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4060
- C:\Windows\ogbkeypjfxpafeezji.exe
  ogbkeypjfxpafeezji.exe
  2⤵
  PID:60

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsoytogbyrkwccdzkkd.exe .
1⤵
PID:5928
- C:\Windows\zsoytogbyrkwccdzkkd.exe
  zsoytogbyrkwccdzkkd.exe .
  2⤵
  PID:5692
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\zsoytogbyrkwccdzkkd.exe*."
    3⤵
    PID:5816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
1⤵
PID:1404
- C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
  C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
  2⤵
  PID:5576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwugdaurqlgucehfsupnz.exe
1⤵
PID:6084
- C:\Windows\bwugdaurqlgucehfsupnz.exe
  bwugdaurqlgucehfsupnz.exe
  2⤵
  PID:5288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe .
1⤵
PID:1172
- C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
  C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe .
  2⤵
  PID:1144
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\bwugdaurqlgucehfsupnz.exe*."
    3⤵
    PID:1788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yohogynfzpforomf.exe
1⤵
PID:4468
- C:\Windows\yohogynfzpforomf.exe
  yohogynfzpforomf.exe
  2⤵
  PID:4856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwugdaurqlgucehfsupnz.exe .
1⤵
PID:1440
- C:\Windows\bwugdaurqlgucehfsupnz.exe
  bwugdaurqlgucehfsupnz.exe .
  2⤵
  PID:1336
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\bwugdaurqlgucehfsupnz.exe*."
    3⤵
    PID:5140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
1⤵
PID:5336
- C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
  C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
  2⤵
  PID:1884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogbkeypjfxpafeezji.exe .
1⤵
PID:5240
- C:\Windows\ogbkeypjfxpafeezji.exe
  ogbkeypjfxpafeezji.exe .
  2⤵
  PID:4532
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\ogbkeypjfxpafeezji.exe*."
    3⤵
    PID:3212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsoytogbyrkwccdzkkd.exe
1⤵
PID:3388
- C:\Windows\zsoytogbyrkwccdzkkd.exe
  zsoytogbyrkwccdzkkd.exe
  2⤵
  PID:2392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe .
1⤵
PID:3132
- C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
  C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe .
  2⤵
  PID:5500
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\fwqyrkatofwgkihbk.exe*."
    3⤵
    PID:1152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgdokgzvtnhubcebnoif.exe .
1⤵
PID:4600
- C:\Windows\mgdokgzvtnhubcebnoif.exe
  mgdokgzvtnhubcebnoif.exe .
  2⤵
  PID:2216
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\mgdokgzvtnhubcebnoif.exe*."
    3⤵
    PID:3580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yohogynfzpforomf.exe
1⤵
PID:5476
- C:\Windows\yohogynfzpforomf.exe
  yohogynfzpforomf.exe
  2⤵
  PID:1636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
1⤵
PID:4404
- C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
  C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
  2⤵
  PID:3168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe .
1⤵
PID:5420
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4104
- C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe
  C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe .
  2⤵
  PID:856
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\zsoytogbyrkwccdzkkd.exe*."
    3⤵
    PID:2908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgdokgzvtnhubcebnoif.exe .
1⤵
PID:3692
- C:\Windows\mgdokgzvtnhubcebnoif.exe
  mgdokgzvtnhubcebnoif.exe .
  2⤵
  PID:3888
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\mgdokgzvtnhubcebnoif.exe*."
    3⤵
    PID:3740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
1⤵
PID:2844
- C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
  C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
  2⤵
  PID:5152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe .
1⤵
PID:2968
- C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe
  C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe .
  2⤵
  PID:4540
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\zsoytogbyrkwccdzkkd.exe*."
    3⤵
    PID:5380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe
1⤵
PID:5156
- C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe
  C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe
  2⤵
  PID:5924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe .
1⤵
PID:5512
- C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe
  C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe .
  2⤵
  PID:5772
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\zsoytogbyrkwccdzkkd.exe*."
    3⤵
    PID:5056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe
1⤵
PID:5912
- C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe
  C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe
  2⤵
  PID:5504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe .
1⤵
PID:2340
- C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe
  C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe .
  2⤵
  PID:5212
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\mgdokgzvtnhubcebnoif.exe*."
    3⤵
    PID:4696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yohogynfzpforomf.exe
1⤵
PID:5988
- C:\Windows\yohogynfzpforomf.exe
  yohogynfzpforomf.exe
  2⤵
  PID:5904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwqyrkatofwgkihbk.exe .
1⤵
PID:2460
- C:\Windows\fwqyrkatofwgkihbk.exe
  fwqyrkatofwgkihbk.exe .
  2⤵
  PID:3300
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\fwqyrkatofwgkihbk.exe*."
    3⤵
    PID:3836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yohogynfzpforomf.exe
1⤵
PID:5460
- C:\Windows\yohogynfzpforomf.exe
  yohogynfzpforomf.exe
  2⤵
  PID:1032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwqyrkatofwgkihbk.exe .
1⤵
PID:5768
- C:\Windows\fwqyrkatofwgkihbk.exe
  fwqyrkatofwgkihbk.exe .
  2⤵
  PID:816
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\fwqyrkatofwgkihbk.exe*."
    3⤵
    PID:5196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
1⤵
PID:5616
- C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
  C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
  2⤵
  PID:5368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe .
1⤵
PID:4832
- C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
  C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe .
  2⤵
  PID:5436
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\bwugdaurqlgucehfsupnz.exe*."
    3⤵
    PID:1820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe
1⤵
PID:5792
- C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe
  C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe
  2⤵
  PID:1296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe .
1⤵
PID:5076
- C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
  C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe .
  2⤵
  PID:5852
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\bwugdaurqlgucehfsupnz.exe*."
    3⤵
    PID:1728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgdokgzvtnhubcebnoif.exe
1⤵
PID:5536
- C:\Windows\mgdokgzvtnhubcebnoif.exe
  mgdokgzvtnhubcebnoif.exe
  2⤵
  PID:3820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgdokgzvtnhubcebnoif.exe .
1⤵
PID:5948
- C:\Windows\mgdokgzvtnhubcebnoif.exe
  mgdokgzvtnhubcebnoif.exe .
  2⤵
  PID:5296
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\mgdokgzvtnhubcebnoif.exe*."
    3⤵
    PID:680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwugdaurqlgucehfsupnz.exe
1⤵
PID:1592
- C:\Windows\bwugdaurqlgucehfsupnz.exe
  bwugdaurqlgucehfsupnz.exe
  2⤵
  PID:3956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwugdaurqlgucehfsupnz.exe .
1⤵
PID:5128
- C:\Windows\bwugdaurqlgucehfsupnz.exe
  bwugdaurqlgucehfsupnz.exe .
  2⤵
  PID:1896
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\bwugdaurqlgucehfsupnz.exe*."
    3⤵
    PID:5656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
1⤵
PID:1336
- C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
  C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
  2⤵
  PID:5152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe .
1⤵
PID:4980
- C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
  C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe .
  2⤵
  PID:752
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\fwqyrkatofwgkihbk.exe*."
    3⤵
    PID:3132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
1⤵
PID:5748
- C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
  C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
  2⤵
  PID:5860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe .
1⤵
PID:3656
- C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe
  C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe .
  2⤵
  PID:644
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\mgdokgzvtnhubcebnoif.exe*."
    3⤵
    PID:4404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwugdaurqlgucehfsupnz.exe
1⤵
PID:5856
- C:\Windows\bwugdaurqlgucehfsupnz.exe
  bwugdaurqlgucehfsupnz.exe
  2⤵
  PID:4664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwqyrkatofwgkihbk.exe .
1⤵
PID:5964
- C:\Windows\fwqyrkatofwgkihbk.exe
  fwqyrkatofwgkihbk.exe .
  2⤵
  PID:5216
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\fwqyrkatofwgkihbk.exe*."
    3⤵
    PID:5232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwqyrkatofwgkihbk.exe
1⤵
PID:5264
- C:\Windows\fwqyrkatofwgkihbk.exe
  fwqyrkatofwgkihbk.exe
  2⤵
  PID:5156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsoytogbyrkwccdzkkd.exe .
1⤵
PID:1588
- C:\Windows\zsoytogbyrkwccdzkkd.exe
  zsoytogbyrkwccdzkkd.exe .
  2⤵
  PID:4568
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\zsoytogbyrkwccdzkkd.exe*."
    3⤵
    PID:5044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe
1⤵
PID:4928
- C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe
  C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe
  2⤵
  PID:4656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe .
1⤵
PID:2120
- C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
  C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe .
  2⤵
  PID:5736
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\yohogynfzpforomf.exe*."
    3⤵
    PID:3568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe
1⤵
PID:3928
- C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe
  C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe
  2⤵
  PID:5916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe .
1⤵
PID:5732
- C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
  C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe .
  2⤵
  PID:3036
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\bwugdaurqlgucehfsupnz.exe*."
    3⤵
    PID:4064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yohogynfzpforomf.exe
1⤵
PID:5640
- C:\Windows\yohogynfzpforomf.exe
  yohogynfzpforomf.exe
  2⤵
  PID:5976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogbkeypjfxpafeezji.exe .
1⤵
PID:3744
- C:\Windows\ogbkeypjfxpafeezji.exe
  ogbkeypjfxpafeezji.exe .
  2⤵
  PID:5060
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\ogbkeypjfxpafeezji.exe*."
    3⤵
    PID:1432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsoytogbyrkwccdzkkd.exe
1⤵
PID:5196
- C:\Windows\zsoytogbyrkwccdzkkd.exe
  zsoytogbyrkwccdzkkd.exe
  2⤵
  PID:5708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsoytogbyrkwccdzkkd.exe .
1⤵
PID:1096
- C:\Windows\zsoytogbyrkwccdzkkd.exe
  zsoytogbyrkwccdzkkd.exe .
  2⤵
  PID:5576
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\zsoytogbyrkwccdzkkd.exe*."
    3⤵
    PID:4164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe
1⤵
PID:5284
- C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe
  C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe
  2⤵
  PID:1296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe .
1⤵
PID:3740
- C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe
  C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe .
  2⤵
  PID:532
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\ogbkeypjfxpafeezji.exe*."
    3⤵
    PID:5628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
1⤵
PID:336
- C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
  C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
  2⤵
  PID:5132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe .
1⤵
PID:6064
- C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
  C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe .
  2⤵
  PID:1404
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\fwqyrkatofwgkihbk.exe*."
    3⤵
    PID:3980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yohogynfzpforomf.exe
1⤵
PID:1956
- C:\Windows\yohogynfzpforomf.exe
  yohogynfzpforomf.exe
  2⤵
  PID:1876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yohogynfzpforomf.exe .
1⤵
PID:1936
- C:\Windows\yohogynfzpforomf.exe
  yohogynfzpforomf.exe .
  2⤵
  PID:6120
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\yohogynfzpforomf.exe*."
    3⤵
    PID:396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwugdaurqlgucehfsupnz.exe
1⤵
PID:4724
- C:\Windows\bwugdaurqlgucehfsupnz.exe
  bwugdaurqlgucehfsupnz.exe
  2⤵
  PID:1556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwqyrkatofwgkihbk.exe .
1⤵
PID:5296
- C:\Windows\fwqyrkatofwgkihbk.exe
  fwqyrkatofwgkihbk.exe .
  2⤵
  PID:6088
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\fwqyrkatofwgkihbk.exe*."
    3⤵
    PID:5500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
1⤵
PID:5152
- C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
  C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
  2⤵
  PID:4532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe .
1⤵
PID:5740
- C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
  C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe .
  2⤵
  PID:1440
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\bwugdaurqlgucehfsupnz.exe*."
    3⤵
    PID:1696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe
1⤵
PID:3132
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3116
- C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe
  C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe
  2⤵
  PID:640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe .
1⤵
PID:3212
- C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
  C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe .
  2⤵
  PID:1444
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\bwugdaurqlgucehfsupnz.exe*."
    3⤵
    PID:3640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwugdaurqlgucehfsupnz.exe
1⤵
PID:2008
- C:\Windows\bwugdaurqlgucehfsupnz.exe
  bwugdaurqlgucehfsupnz.exe
  2⤵
  PID:2768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgdokgzvtnhubcebnoif.exe .
1⤵
PID:1268
- C:\Windows\mgdokgzvtnhubcebnoif.exe
  mgdokgzvtnhubcebnoif.exe .
  2⤵
  PID:632
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\mgdokgzvtnhubcebnoif.exe*."
    3⤵
    PID:708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwqyrkatofwgkihbk.exe
1⤵
PID:5216
- C:\Windows\fwqyrkatofwgkihbk.exe
  fwqyrkatofwgkihbk.exe
  2⤵
  PID:5420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsoytogbyrkwccdzkkd.exe .
1⤵
PID:4328
- C:\Windows\zsoytogbyrkwccdzkkd.exe
  zsoytogbyrkwccdzkkd.exe .
  2⤵
  PID:888
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\zsoytogbyrkwccdzkkd.exe*."
    3⤵
    PID:4696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
1⤵
PID:6076
- C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
  C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
  2⤵
  PID:1532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe .
1⤵
PID:5188
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5044
- C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
  C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe .
  2⤵
  PID:5408
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\yohogynfzpforomf.exe*."
    3⤵
    PID:2224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsoytogbyrkwccdzkkd.exe
1⤵
PID:4228
- C:\Windows\zsoytogbyrkwccdzkkd.exe
  zsoytogbyrkwccdzkkd.exe
  2⤵
  PID:3788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogbkeypjfxpafeezji.exe
1⤵
PID:2232
- C:\Windows\ogbkeypjfxpafeezji.exe
  ogbkeypjfxpafeezji.exe
  2⤵
  PID:5480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
1⤵
PID:4112
- C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
  C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
  2⤵
  PID:3736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgdokgzvtnhubcebnoif.exe .
1⤵
PID:5300
- C:\Windows\mgdokgzvtnhubcebnoif.exe
  mgdokgzvtnhubcebnoif.exe .
  2⤵
  PID:2216
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\mgdokgzvtnhubcebnoif.exe*."
    3⤵
    PID:3844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe .
1⤵
PID:5944
- C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe
  C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe .
  2⤵
  PID:6132
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\mgdokgzvtnhubcebnoif.exe*."
    3⤵
    PID:2680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogbkeypjfxpafeezji.exe .
1⤵
PID:2788
- C:\Windows\ogbkeypjfxpafeezji.exe
  ogbkeypjfxpafeezji.exe .
  2⤵
  PID:624
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\ogbkeypjfxpafeezji.exe*."
    3⤵
    PID:6092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogbkeypjfxpafeezji.exe
1⤵
PID:2640
- C:\Windows\ogbkeypjfxpafeezji.exe
  ogbkeypjfxpafeezji.exe
  2⤵
  PID:3740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsoytogbyrkwccdzkkd.exe .
1⤵
PID:6028
- C:\Windows\zsoytogbyrkwccdzkkd.exe
  zsoytogbyrkwccdzkkd.exe .
  2⤵
  PID:2580
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\zsoytogbyrkwccdzkkd.exe*."
    3⤵
    PID:4468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwqyrkatofwgkihbk.exe
1⤵
PID:3144
- C:\Windows\fwqyrkatofwgkihbk.exe
  fwqyrkatofwgkihbk.exe
  2⤵
  PID:5600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe
1⤵
PID:2636
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3628
- C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe
  C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe
  2⤵
  PID:6120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwqyrkatofwgkihbk.exe .
1⤵
PID:4080
- C:\Windows\fwqyrkatofwgkihbk.exe
  fwqyrkatofwgkihbk.exe .
  2⤵
  PID:5260
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\fwqyrkatofwgkihbk.exe*."
    3⤵
    PID:5500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe .
1⤵
PID:2800
- C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe
  C:\Users\Admin\AppData\Local\Temp\ogbkeypjfxpafeezji.exe .
  2⤵
  PID:208
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\ogbkeypjfxpafeezji.exe*."
    3⤵
    PID:2352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
1⤵
PID:5552
- C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
  C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
  2⤵
  PID:4300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe .
1⤵
PID:5560
- C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe
  C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe .
  2⤵
  PID:4036
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\zsoytogbyrkwccdzkkd.exe*."
    3⤵
    PID:768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
1⤵
PID:6100
- C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
  C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
  2⤵
  PID:6024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe .
1⤵
PID:5804
- C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
  C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe .
  2⤵
  PID:2464
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\yohogynfzpforomf.exe*."
    3⤵
    PID:5084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
1⤵
PID:5076
- C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
  C:\Users\Admin\AppData\Local\Temp\bwugdaurqlgucehfsupnz.exe
  2⤵
  PID:5824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe .
1⤵
PID:2764
- C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe
  C:\Users\Admin\AppData\Local\Temp\zsoytogbyrkwccdzkkd.exe .
  2⤵
  PID:4100
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\zsoytogbyrkwccdzkkd.exe*."
    3⤵
    PID:5860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsoytogbyrkwccdzkkd.exe
1⤵
PID:4488
- C:\Windows\zsoytogbyrkwccdzkkd.exe
  zsoytogbyrkwccdzkkd.exe
  2⤵
  PID:3980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsoytogbyrkwccdzkkd.exe .
1⤵
PID:6012
- C:\Windows\zsoytogbyrkwccdzkkd.exe
  zsoytogbyrkwccdzkkd.exe .
  2⤵
  PID:5796
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\zsoytogbyrkwccdzkkd.exe*."
    3⤵
    PID:2148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwugdaurqlgucehfsupnz.exe
1⤵
PID:3212
- C:\Windows\bwugdaurqlgucehfsupnz.exe
  bwugdaurqlgucehfsupnz.exe
  2⤵
  PID:2768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgdokgzvtnhubcebnoif.exe .
1⤵
PID:5068
- C:\Windows\mgdokgzvtnhubcebnoif.exe
  mgdokgzvtnhubcebnoif.exe .
  2⤵
  PID:5420
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\mgdokgzvtnhubcebnoif.exe*."
    3⤵
    PID:708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
1⤵
PID:5316
- C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
  C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
  2⤵
  PID:4472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe .
1⤵
PID:3560
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2260
- C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe
  C:\Users\Admin\AppData\Local\Temp\fwqyrkatofwgkihbk.exe .
  2⤵
  PID:5780
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\fwqyrkatofwgkihbk.exe*."
    3⤵
    PID:1532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe
1⤵
PID:5476
- C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe
  C:\Users\Admin\AppData\Local\Temp\mgdokgzvtnhubcebnoif.exe
  2⤵
  PID:5632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe .
1⤵
PID:5212
- C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
  C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe .
  2⤵
  PID:1864
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\yohogynfzpforomf.exe*."
    3⤵
    PID:3244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsoytogbyrkwccdzkkd.exe
1⤵
PID:428
- C:\Windows\zsoytogbyrkwccdzkkd.exe
  zsoytogbyrkwccdzkkd.exe
  2⤵
  PID:5884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsoytogbyrkwccdzkkd.exe .
1⤵
PID:60
- C:\Windows\zsoytogbyrkwccdzkkd.exe
  zsoytogbyrkwccdzkkd.exe .
  2⤵
  PID:4172
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\zsoytogbyrkwccdzkkd.exe*."
    3⤵
    PID:5628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogbkeypjfxpafeezji.exe
1⤵
PID:2144
- C:\Windows\ogbkeypjfxpafeezji.exe
  ogbkeypjfxpafeezji.exe
  2⤵
  PID:4860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwugdaurqlgucehfsupnz.exe .
1⤵
PID:3692
- C:\Windows\bwugdaurqlgucehfsupnz.exe
  bwugdaurqlgucehfsupnz.exe .
  2⤵
  PID:1124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yohogynfzpforomf.exe
1⤵
PID:6064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Modify Registry