pykspa | 1b1f772b3fba3cc0537b5346915ffbe9668a239a310d9d37e2d938e604cc4adf

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	zhjqv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	zhjqv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	whljbuilgrv.exe

Pykspa
Pykspa is a worm spreads via Skype uses DGA and it's written in C++.
worm pykspa
Pykspa family
pykspa

UAC bypass 3 TTPs 21 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	zhjqv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	zhjqv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	zhjqv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	zhjqv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	zhjqv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	zhjqv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	zhjqv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	zhjqv.exe

Detect Pykspa worm 2 IoCs

worm

resource	yara_rule
behavioral2/files/0x004500000002386d-4.dat	family_pykspa
behavioral2/files/0x000500000001e449-86.dat	family_pykspa

Adds policy Run key to start application 2 TTPs 41 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	zhjqv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ofqgukqgzhdryz = "dxlevoxqmxwnxbzys.exe"	zhjqv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rfnalyboejc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xtjexsdywjkdpvvwsdb.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rfnalyboejc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mhwqicmgdpphsxwwrb.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rfnalyboejc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\khyuokwsrfhbovwyvhgd.exe"	zhjqv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ofqgukqgzhdryz = "dxlevoxqmxwnxbzys.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rfnalyboejc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zxpmheroodgbpxzcannld.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rfnalyboejc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mhwqicmgdpphsxwwrb.exe"	zhjqv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ofqgukqgzhdryz = "wpcukckcxhfvehec.exe"	whljbuilgrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rfnalyboejc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxlevoxqmxwnxbzys.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ofqgukqgzhdryz = "mhwqicmgdpphsxwwrb.exe"	zhjqv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rfnalyboejc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xtjexsdywjkdpvvwsdb.exe"	zhjqv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ofqgukqgzhdryz = "zxpmheroodgbpxzcannld.exe"	zhjqv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ofqgukqgzhdryz = "xtjexsdywjkdpvvwsdb.exe"	whljbuilgrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	whljbuilgrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	whljbuilgrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ofqgukqgzhdryz = "khyuokwsrfhbovwyvhgd.exe"	whljbuilgrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ofqgukqgzhdryz = "wpcukckcxhfvehec.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rfnalyboejc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zxpmheroodgbpxzcannld.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rfnalyboejc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxlevoxqmxwnxbzys.exe"	zhjqv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rfnalyboejc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zxpmheroodgbpxzcannld.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ofqgukqgzhdryz = "mhwqicmgdpphsxwwrb.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rfnalyboejc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wpcukckcxhfvehec.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ofqgukqgzhdryz = "xtjexsdywjkdpvvwsdb.exe"	zhjqv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ofqgukqgzhdryz = "dxlevoxqmxwnxbzys.exe"	whljbuilgrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	whljbuilgrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	zhjqv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ofqgukqgzhdryz = "zxpmheroodgbpxzcannld.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rfnalyboejc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\khyuokwsrfhbovwyvhgd.exe"	whljbuilgrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ofqgukqgzhdryz = "wpcukckcxhfvehec.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ofqgukqgzhdryz = "dxlevoxqmxwnxbzys.exe"	zhjqv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ofqgukqgzhdryz = "zxpmheroodgbpxzcannld.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rfnalyboejc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mhwqicmgdpphsxwwrb.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rfnalyboejc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\khyuokwsrfhbovwyvhgd.exe"	whljbuilgrv.exe

Disables RegEdit via registry modification 6 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	zhjqv.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	zhjqv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	zhjqv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	zhjqv.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	whljbuilgrv.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	zxpmheroodgbpxzcannld.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	xtjexsdywjkdpvvwsdb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	khyuokwsrfhbovwyvhgd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	mhwqicmgdpphsxwwrb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	dxlevoxqmxwnxbzys.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	wpcukckcxhfvehec.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	dxlevoxqmxwnxbzys.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	xtjexsdywjkdpvvwsdb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	zxpmheroodgbpxzcannld.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	xtjexsdywjkdpvvwsdb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	xtjexsdywjkdpvvwsdb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	xtjexsdywjkdpvvwsdb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	mhwqicmgdpphsxwwrb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	xtjexsdywjkdpvvwsdb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	xtjexsdywjkdpvvwsdb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	xtjexsdywjkdpvvwsdb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	khyuokwsrfhbovwyvhgd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	xtjexsdywjkdpvvwsdb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	khyuokwsrfhbovwyvhgd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	wpcukckcxhfvehec.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	khyuokwsrfhbovwyvhgd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	khyuokwsrfhbovwyvhgd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	wpcukckcxhfvehec.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	xtjexsdywjkdpvvwsdb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	dxlevoxqmxwnxbzys.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	khyuokwsrfhbovwyvhgd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	xtjexsdywjkdpvvwsdb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	khyuokwsrfhbovwyvhgd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	zxpmheroodgbpxzcannld.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	xtjexsdywjkdpvvwsdb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	wpcukckcxhfvehec.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	wpcukckcxhfvehec.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	JaffaCakes118_90ac8e58b702c30eb1b23a50795b14c5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	whljbuilgrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	dxlevoxqmxwnxbzys.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	wpcukckcxhfvehec.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	xtjexsdywjkdpvvwsdb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	khyuokwsrfhbovwyvhgd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	zxpmheroodgbpxzcannld.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	xtjexsdywjkdpvvwsdb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	wpcukckcxhfvehec.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	wpcukckcxhfvehec.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	khyuokwsrfhbovwyvhgd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	xtjexsdywjkdpvvwsdb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	xtjexsdywjkdpvvwsdb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	xtjexsdywjkdpvvwsdb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	xtjexsdywjkdpvvwsdb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	wpcukckcxhfvehec.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	wpcukckcxhfvehec.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	wpcukckcxhfvehec.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	dxlevoxqmxwnxbzys.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	wpcukckcxhfvehec.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	zxpmheroodgbpxzcannld.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	dxlevoxqmxwnxbzys.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	xtjexsdywjkdpvvwsdb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	xtjexsdywjkdpvvwsdb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	dxlevoxqmxwnxbzys.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	xtjexsdywjkdpvvwsdb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	zxpmheroodgbpxzcannld.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	khyuokwsrfhbovwyvhgd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	xtjexsdywjkdpvvwsdb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	mhwqicmgdpphsxwwrb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	dxlevoxqmxwnxbzys.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	dxlevoxqmxwnxbzys.exe

Executes dropped EXE 64 IoCs

pid	Process
1792	whljbuilgrv.exe
3988	zxpmheroodgbpxzcannld.exe
4672	khyuokwsrfhbovwyvhgd.exe
3476	whljbuilgrv.exe
4216	mhwqicmgdpphsxwwrb.exe
2832	xtjexsdywjkdpvvwsdb.exe
3216	dxlevoxqmxwnxbzys.exe
2416	whljbuilgrv.exe
2576	xtjexsdywjkdpvvwsdb.exe
4120	whljbuilgrv.exe
3140	mhwqicmgdpphsxwwrb.exe
1896	xtjexsdywjkdpvvwsdb.exe
2372	whljbuilgrv.exe
2816	zhjqv.exe
3296	zhjqv.exe
3888	zxpmheroodgbpxzcannld.exe
1876	wpcukckcxhfvehec.exe
3096	khyuokwsrfhbovwyvhgd.exe
1120	dxlevoxqmxwnxbzys.exe
4772	whljbuilgrv.exe
3432	mhwqicmgdpphsxwwrb.exe
4980	whljbuilgrv.exe
4792	dxlevoxqmxwnxbzys.exe
3260	wpcukckcxhfvehec.exe
3652	wpcukckcxhfvehec.exe
4536	mhwqicmgdpphsxwwrb.exe
4900	xtjexsdywjkdpvvwsdb.exe
2936	dxlevoxqmxwnxbzys.exe
392	xtjexsdywjkdpvvwsdb.exe
3816	zxpmheroodgbpxzcannld.exe
3448	khyuokwsrfhbovwyvhgd.exe
3504	xtjexsdywjkdpvvwsdb.exe
4724	wpcukckcxhfvehec.exe
2600	khyuokwsrfhbovwyvhgd.exe
2280	xtjexsdywjkdpvvwsdb.exe
2300	wpcukckcxhfvehec.exe
3560	wpcukckcxhfvehec.exe
1368	mhwqicmgdpphsxwwrb.exe
4820	xtjexsdywjkdpvvwsdb.exe
3960	whljbuilgrv.exe
4476	whljbuilgrv.exe
2916	whljbuilgrv.exe
3236	whljbuilgrv.exe
3232	whljbuilgrv.exe
3004	whljbuilgrv.exe
3448	zxpmheroodgbpxzcannld.exe
2308	whljbuilgrv.exe
1244	whljbuilgrv.exe
4388	khyuokwsrfhbovwyvhgd.exe
3456	whljbuilgrv.exe
1312	whljbuilgrv.exe
1956	mhwqicmgdpphsxwwrb.exe
4724	khyuokwsrfhbovwyvhgd.exe
3464	whljbuilgrv.exe
3816	wpcukckcxhfvehec.exe
1384	khyuokwsrfhbovwyvhgd.exe
3172	wpcukckcxhfvehec.exe
3572	khyuokwsrfhbovwyvhgd.exe
2848	khyuokwsrfhbovwyvhgd.exe
3908	xtjexsdywjkdpvvwsdb.exe
2532	zxpmheroodgbpxzcannld.exe
4352	whljbuilgrv.exe
1536	khyuokwsrfhbovwyvhgd.exe
3056	whljbuilgrv.exe

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	zhjqv.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	zhjqv.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	zhjqv.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	zhjqv.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	zhjqv.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	zhjqv.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

defense_evasion persistence privilege_escalation

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ndncpejyqxsfl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\khyuokwsrfhbovwyvhgd.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wpcukckcxhfvehec = "wpcukckcxhfvehec.exe ."	zhjqv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wpcukckcxhfvehec = "wpcukckcxhfvehec.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dxlevoxqmxwnxbzys = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zxpmheroodgbpxzcannld.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\odmamaesjpjv = "zxpmheroodgbpxzcannld.exe"	zhjqv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mhwqicmgdpphsxwwrb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxlevoxqmxwnxbzys.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wpcukckcxhfvehec = "khyuokwsrfhbovwyvhgd.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wpcukckcxhfvehec = "xtjexsdywjkdpvvwsdb.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\odmamaesjpjv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\khyuokwsrfhbovwyvhgd.exe"	zhjqv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\odmamaesjpjv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\khyuokwsrfhbovwyvhgd.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ndncpejyqxsfl = "xtjexsdywjkdpvvwsdb.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mhwqicmgdpphsxwwrb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxlevoxqmxwnxbzys.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\odmamaesjpjv = "xtjexsdywjkdpvvwsdb.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ndncpejyqxsfl = "zxpmheroodgbpxzcannld.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mhwqicmgdpphsxwwrb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxlevoxqmxwnxbzys.exe"	zhjqv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wpcukckcxhfvehec = "khyuokwsrfhbovwyvhgd.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wpcukckcxhfvehec = "wpcukckcxhfvehec.exe ."	zhjqv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\odmamaesjpjv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zxpmheroodgbpxzcannld.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mhwqicmgdpphsxwwrb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wpcukckcxhfvehec.exe"	zhjqv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ndncpejyqxsfl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wpcukckcxhfvehec.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dxlevoxqmxwnxbzys = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xtjexsdywjkdpvvwsdb.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rjvmbszqktqfnpl = "wpcukckcxhfvehec.exe"	zhjqv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\odmamaesjpjv = "mhwqicmgdpphsxwwrb.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ndncpejyqxsfl = "khyuokwsrfhbovwyvhgd.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ndncpejyqxsfl = "xtjexsdywjkdpvvwsdb.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ndncpejyqxsfl = "mhwqicmgdpphsxwwrb.exe ."	zhjqv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dxlevoxqmxwnxbzys = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxlevoxqmxwnxbzys.exe ."	zhjqv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\odmamaesjpjv = "khyuokwsrfhbovwyvhgd.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ndncpejyqxsfl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wpcukckcxhfvehec.exe ."	zhjqv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ndncpejyqxsfl = "dxlevoxqmxwnxbzys.exe ."	zhjqv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rjvmbszqktqfnpl = "wpcukckcxhfvehec.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rjvmbszqktqfnpl = "mhwqicmgdpphsxwwrb.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\odmamaesjpjv = "khyuokwsrfhbovwyvhgd.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ndncpejyqxsfl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xtjexsdywjkdpvvwsdb.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\odmamaesjpjv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\khyuokwsrfhbovwyvhgd.exe"	zhjqv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mhwqicmgdpphsxwwrb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mhwqicmgdpphsxwwrb.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dxlevoxqmxwnxbzys = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xtjexsdywjkdpvvwsdb.exe ."	zhjqv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rjvmbszqktqfnpl = "wpcukckcxhfvehec.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wpcukckcxhfvehec = "wpcukckcxhfvehec.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ndncpejyqxsfl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mhwqicmgdpphsxwwrb.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\odmamaesjpjv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxlevoxqmxwnxbzys.exe"	zhjqv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dxlevoxqmxwnxbzys = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xtjexsdywjkdpvvwsdb.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\odmamaesjpjv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\khyuokwsrfhbovwyvhgd.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\odmamaesjpjv = "khyuokwsrfhbovwyvhgd.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rjvmbszqktqfnpl = "zxpmheroodgbpxzcannld.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ndncpejyqxsfl = "xtjexsdywjkdpvvwsdb.exe ."	zhjqv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dxlevoxqmxwnxbzys = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wpcukckcxhfvehec.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\odmamaesjpjv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xtjexsdywjkdpvvwsdb.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mhwqicmgdpphsxwwrb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xtjexsdywjkdpvvwsdb.exe"	zhjqv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ndncpejyqxsfl = "zxpmheroodgbpxzcannld.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wpcukckcxhfvehec = "dxlevoxqmxwnxbzys.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\odmamaesjpjv = "wpcukckcxhfvehec.exe"	zhjqv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ndncpejyqxsfl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xtjexsdywjkdpvvwsdb.exe ."	zhjqv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rjvmbszqktqfnpl = "wpcukckcxhfvehec.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wpcukckcxhfvehec = "xtjexsdywjkdpvvwsdb.exe ."	zhjqv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\odmamaesjpjv = "dxlevoxqmxwnxbzys.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ndncpejyqxsfl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\khyuokwsrfhbovwyvhgd.exe ."	zhjqv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ndncpejyqxsfl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wpcukckcxhfvehec.exe ."	zhjqv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mhwqicmgdpphsxwwrb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\khyuokwsrfhbovwyvhgd.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dxlevoxqmxwnxbzys = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxlevoxqmxwnxbzys.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\odmamaesjpjv = "khyuokwsrfhbovwyvhgd.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ndncpejyqxsfl = "dxlevoxqmxwnxbzys.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ndncpejyqxsfl = "zxpmheroodgbpxzcannld.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\odmamaesjpjv = "zxpmheroodgbpxzcannld.exe"	whljbuilgrv.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	zhjqv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	zhjqv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	zhjqv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	whljbuilgrv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	whljbuilgrv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	whljbuilgrv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	whljbuilgrv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	whljbuilgrv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	whljbuilgrv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	zhjqv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	whljbuilgrv.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs

Possible Turn off User Account Control's privilege elevation for standard users.

Executable Installer File Permissions Weakness

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	zhjqv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	zhjqv.exe

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
29	www.showmyipaddress.com
35	whatismyipaddress.com
38	whatismyip.everdot.org
42	whatismyip.everdot.org
45	whatismyip.everdot.org
47	www.whatismyip.ca

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\xtjexsdywjkdpvvwsdb.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\dxlevoxqmxwnxbzys.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\dxlevoxqmxwnxbzys.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\khyuokwsrfhbovwyvhgd.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\dxlevoxqmxwnxbzys.exe	zhjqv.exe
File opened for modification	C:\Windows\SysWOW64\xtjexsdywjkdpvvwsdb.exe	zhjqv.exe
File opened for modification	C:\Windows\SysWOW64\khyuokwsrfhbovwyvhgd.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\xtjexsdywjkdpvvwsdb.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\mhwqicmgdpphsxwwrb.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\qpigcaomndhdsbeihvwvom.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\dxlevoxqmxwnxbzys.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\mhwqicmgdpphsxwwrb.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\wpcukckcxhfvehec.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\dxlevoxqmxwnxbzys.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\zxpmheroodgbpxzcannld.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\khyuokwsrfhbovwyvhgd.exe	zhjqv.exe
File opened for modification	C:\Windows\SysWOW64\qpigcaomndhdsbeihvwvom.exe	zhjqv.exe
File opened for modification	C:\Windows\SysWOW64\ejimosmqxtdfapyinhotswyc.ahd	zhjqv.exe
File created	C:\Windows\SysWOW64\ndncpejyqxsfllfaqvndncpejyqxsfllfaq.ndn	zhjqv.exe
File opened for modification	C:\Windows\SysWOW64\xtjexsdywjkdpvvwsdb.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\xtjexsdywjkdpvvwsdb.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\khyuokwsrfhbovwyvhgd.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\dxlevoxqmxwnxbzys.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\khyuokwsrfhbovwyvhgd.exe	zhjqv.exe
File opened for modification	C:\Windows\SysWOW64\ndncpejyqxsfllfaqvndncpejyqxsfllfaq.ndn	zhjqv.exe
File opened for modification	C:\Windows\SysWOW64\zxpmheroodgbpxzcannld.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\khyuokwsrfhbovwyvhgd.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\mhwqicmgdpphsxwwrb.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\xtjexsdywjkdpvvwsdb.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\khyuokwsrfhbovwyvhgd.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\dxlevoxqmxwnxbzys.exe	zhjqv.exe
File opened for modification	C:\Windows\SysWOW64\wpcukckcxhfvehec.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\xtjexsdywjkdpvvwsdb.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\mhwqicmgdpphsxwwrb.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\mhwqicmgdpphsxwwrb.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\mhwqicmgdpphsxwwrb.exe	zhjqv.exe
File opened for modification	C:\Windows\SysWOW64\zxpmheroodgbpxzcannld.exe	zhjqv.exe
File opened for modification	C:\Windows\SysWOW64\mhwqicmgdpphsxwwrb.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\qpigcaomndhdsbeihvwvom.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\wpcukckcxhfvehec.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\wpcukckcxhfvehec.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\khyuokwsrfhbovwyvhgd.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\khyuokwsrfhbovwyvhgd.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\zxpmheroodgbpxzcannld.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\mhwqicmgdpphsxwwrb.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\xtjexsdywjkdpvvwsdb.exe	zhjqv.exe
File opened for modification	C:\Windows\SysWOW64\dxlevoxqmxwnxbzys.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\wpcukckcxhfvehec.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\wpcukckcxhfvehec.exe	zhjqv.exe
File opened for modification	C:\Windows\SysWOW64\khyuokwsrfhbovwyvhgd.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\qpigcaomndhdsbeihvwvom.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\wpcukckcxhfvehec.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\khyuokwsrfhbovwyvhgd.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\zxpmheroodgbpxzcannld.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\qpigcaomndhdsbeihvwvom.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\khyuokwsrfhbovwyvhgd.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\xtjexsdywjkdpvvwsdb.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\dxlevoxqmxwnxbzys.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\qpigcaomndhdsbeihvwvom.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\qpigcaomndhdsbeihvwvom.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\zxpmheroodgbpxzcannld.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\zxpmheroodgbpxzcannld.exe	whljbuilgrv.exe
File created	C:\Windows\SysWOW64\ejimosmqxtdfapyinhotswyc.ahd	zhjqv.exe
File opened for modification	C:\Windows\SysWOW64\wpcukckcxhfvehec.exe	whljbuilgrv.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\ndncpejyqxsfllfaqvndncpejyqxsfllfaq.ndn	zhjqv.exe
File created	C:\Program Files (x86)\ndncpejyqxsfllfaqvndncpejyqxsfllfaq.ndn	zhjqv.exe
File opened for modification	C:\Program Files (x86)\ejimosmqxtdfapyinhotswyc.ahd	zhjqv.exe
File created	C:\Program Files (x86)\ejimosmqxtdfapyinhotswyc.ahd	zhjqv.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\qpigcaomndhdsbeihvwvom.exe	zhjqv.exe
File opened for modification	C:\Windows\khyuokwsrfhbovwyvhgd.exe	zhjqv.exe
File opened for modification	C:\Windows\khyuokwsrfhbovwyvhgd.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\qpigcaomndhdsbeihvwvom.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\qpigcaomndhdsbeihvwvom.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\qpigcaomndhdsbeihvwvom.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\xtjexsdywjkdpvvwsdb.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\mhwqicmgdpphsxwwrb.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\xtjexsdywjkdpvvwsdb.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\zxpmheroodgbpxzcannld.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\mhwqicmgdpphsxwwrb.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\qpigcaomndhdsbeihvwvom.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\xtjexsdywjkdpvvwsdb.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\khyuokwsrfhbovwyvhgd.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\dxlevoxqmxwnxbzys.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\ndncpejyqxsfllfaqvndncpejyqxsfllfaq.ndn	zhjqv.exe
File opened for modification	C:\Windows\dxlevoxqmxwnxbzys.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\zxpmheroodgbpxzcannld.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\mhwqicmgdpphsxwwrb.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\zxpmheroodgbpxzcannld.exe	whljbuilgrv.exe
File created	C:\Windows\ndncpejyqxsfllfaqvndncpejyqxsfllfaq.ndn	zhjqv.exe
File opened for modification	C:\Windows\wpcukckcxhfvehec.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\zxpmheroodgbpxzcannld.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\dxlevoxqmxwnxbzys.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\khyuokwsrfhbovwyvhgd.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\xtjexsdywjkdpvvwsdb.exe	zhjqv.exe
File opened for modification	C:\Windows\mhwqicmgdpphsxwwrb.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\qpigcaomndhdsbeihvwvom.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\dxlevoxqmxwnxbzys.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\mhwqicmgdpphsxwwrb.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\wpcukckcxhfvehec.exe	zhjqv.exe
File opened for modification	C:\Windows\mhwqicmgdpphsxwwrb.exe	zhjqv.exe
File opened for modification	C:\Windows\khyuokwsrfhbovwyvhgd.exe	zhjqv.exe
File created	C:\Windows\ejimosmqxtdfapyinhotswyc.ahd	zhjqv.exe
File opened for modification	C:\Windows\wpcukckcxhfvehec.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\khyuokwsrfhbovwyvhgd.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\dxlevoxqmxwnxbzys.exe	zhjqv.exe
File opened for modification	C:\Windows\ejimosmqxtdfapyinhotswyc.ahd	zhjqv.exe
File opened for modification	C:\Windows\xtjexsdywjkdpvvwsdb.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\khyuokwsrfhbovwyvhgd.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\dxlevoxqmxwnxbzys.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\xtjexsdywjkdpvvwsdb.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\zxpmheroodgbpxzcannld.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\xtjexsdywjkdpvvwsdb.exe	zhjqv.exe
File opened for modification	C:\Windows\zxpmheroodgbpxzcannld.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\mhwqicmgdpphsxwwrb.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\zxpmheroodgbpxzcannld.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\mhwqicmgdpphsxwwrb.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\wpcukckcxhfvehec.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\xtjexsdywjkdpvvwsdb.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\qpigcaomndhdsbeihvwvom.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\xtjexsdywjkdpvvwsdb.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\mhwqicmgdpphsxwwrb.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\qpigcaomndhdsbeihvwvom.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\wpcukckcxhfvehec.exe	zhjqv.exe
File opened for modification	C:\Windows\qpigcaomndhdsbeihvwvom.exe	zhjqv.exe
File opened for modification	C:\Windows\wpcukckcxhfvehec.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\wpcukckcxhfvehec.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\qpigcaomndhdsbeihvwvom.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\mhwqicmgdpphsxwwrb.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\xtjexsdywjkdpvvwsdb.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\zxpmheroodgbpxzcannld.exe	zhjqv.exe
File opened for modification	C:\Windows\khyuokwsrfhbovwyvhgd.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\wpcukckcxhfvehec.exe	whljbuilgrv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xtjexsdywjkdpvvwsdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xtjexsdywjkdpvvwsdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zxpmheroodgbpxzcannld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	khyuokwsrfhbovwyvhgd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxlevoxqmxwnxbzys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_90ac8e58b702c30eb1b23a50795b14c5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	whljbuilgrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mhwqicmgdpphsxwwrb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpcukckcxhfvehec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	khyuokwsrfhbovwyvhgd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zxpmheroodgbpxzcannld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	khyuokwsrfhbovwyvhgd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xtjexsdywjkdpvvwsdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxlevoxqmxwnxbzys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpcukckcxhfvehec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xtjexsdywjkdpvvwsdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zxpmheroodgbpxzcannld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpcukckcxhfvehec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xtjexsdywjkdpvvwsdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mhwqicmgdpphsxwwrb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xtjexsdywjkdpvvwsdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mhwqicmgdpphsxwwrb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xtjexsdywjkdpvvwsdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xtjexsdywjkdpvvwsdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xtjexsdywjkdpvvwsdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xtjexsdywjkdpvvwsdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpcukckcxhfvehec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zxpmheroodgbpxzcannld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpcukckcxhfvehec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zhjqv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpcukckcxhfvehec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxlevoxqmxwnxbzys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	khyuokwsrfhbovwyvhgd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zxpmheroodgbpxzcannld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxlevoxqmxwnxbzys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xtjexsdywjkdpvvwsdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xtjexsdywjkdpvvwsdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	khyuokwsrfhbovwyvhgd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xtjexsdywjkdpvvwsdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxlevoxqmxwnxbzys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	khyuokwsrfhbovwyvhgd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpcukckcxhfvehec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpcukckcxhfvehec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xtjexsdywjkdpvvwsdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zxpmheroodgbpxzcannld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpcukckcxhfvehec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zxpmheroodgbpxzcannld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zxpmheroodgbpxzcannld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxlevoxqmxwnxbzys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xtjexsdywjkdpvvwsdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	khyuokwsrfhbovwyvhgd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mhwqicmgdpphsxwwrb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xtjexsdywjkdpvvwsdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	khyuokwsrfhbovwyvhgd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxlevoxqmxwnxbzys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mhwqicmgdpphsxwwrb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpcukckcxhfvehec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxlevoxqmxwnxbzys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	khyuokwsrfhbovwyvhgd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxlevoxqmxwnxbzys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xtjexsdywjkdpvvwsdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpcukckcxhfvehec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	khyuokwsrfhbovwyvhgd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xtjexsdywjkdpvvwsdb.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
4208	JaffaCakes118_90ac8e58b702c30eb1b23a50795b14c5.exe
4208	JaffaCakes118_90ac8e58b702c30eb1b23a50795b14c5.exe
4208	JaffaCakes118_90ac8e58b702c30eb1b23a50795b14c5.exe
4208	JaffaCakes118_90ac8e58b702c30eb1b23a50795b14c5.exe
4208	JaffaCakes118_90ac8e58b702c30eb1b23a50795b14c5.exe
4208	JaffaCakes118_90ac8e58b702c30eb1b23a50795b14c5.exe
4208	JaffaCakes118_90ac8e58b702c30eb1b23a50795b14c5.exe
4208	JaffaCakes118_90ac8e58b702c30eb1b23a50795b14c5.exe
4208	JaffaCakes118_90ac8e58b702c30eb1b23a50795b14c5.exe
4208	JaffaCakes118_90ac8e58b702c30eb1b23a50795b14c5.exe
4208	JaffaCakes118_90ac8e58b702c30eb1b23a50795b14c5.exe
4208	JaffaCakes118_90ac8e58b702c30eb1b23a50795b14c5.exe
4208	JaffaCakes118_90ac8e58b702c30eb1b23a50795b14c5.exe
4208	JaffaCakes118_90ac8e58b702c30eb1b23a50795b14c5.exe
4208	JaffaCakes118_90ac8e58b702c30eb1b23a50795b14c5.exe
4208	JaffaCakes118_90ac8e58b702c30eb1b23a50795b14c5.exe
2816	zhjqv.exe
2816	zhjqv.exe
4208	JaffaCakes118_90ac8e58b702c30eb1b23a50795b14c5.exe
4208	JaffaCakes118_90ac8e58b702c30eb1b23a50795b14c5.exe
4208	JaffaCakes118_90ac8e58b702c30eb1b23a50795b14c5.exe
4208	JaffaCakes118_90ac8e58b702c30eb1b23a50795b14c5.exe
4208	JaffaCakes118_90ac8e58b702c30eb1b23a50795b14c5.exe
4208	JaffaCakes118_90ac8e58b702c30eb1b23a50795b14c5.exe
4208	JaffaCakes118_90ac8e58b702c30eb1b23a50795b14c5.exe
4208	JaffaCakes118_90ac8e58b702c30eb1b23a50795b14c5.exe
4208	JaffaCakes118_90ac8e58b702c30eb1b23a50795b14c5.exe
4208	JaffaCakes118_90ac8e58b702c30eb1b23a50795b14c5.exe
4208	JaffaCakes118_90ac8e58b702c30eb1b23a50795b14c5.exe
4208	JaffaCakes118_90ac8e58b702c30eb1b23a50795b14c5.exe
4208	JaffaCakes118_90ac8e58b702c30eb1b23a50795b14c5.exe
4208	JaffaCakes118_90ac8e58b702c30eb1b23a50795b14c5.exe
4208	JaffaCakes118_90ac8e58b702c30eb1b23a50795b14c5.exe
4208	JaffaCakes118_90ac8e58b702c30eb1b23a50795b14c5.exe
4208	JaffaCakes118_90ac8e58b702c30eb1b23a50795b14c5.exe
4208	JaffaCakes118_90ac8e58b702c30eb1b23a50795b14c5.exe
4208	JaffaCakes118_90ac8e58b702c30eb1b23a50795b14c5.exe
4208	JaffaCakes118_90ac8e58b702c30eb1b23a50795b14c5.exe
4208	JaffaCakes118_90ac8e58b702c30eb1b23a50795b14c5.exe
4208	JaffaCakes118_90ac8e58b702c30eb1b23a50795b14c5.exe
4208	JaffaCakes118_90ac8e58b702c30eb1b23a50795b14c5.exe
4208	JaffaCakes118_90ac8e58b702c30eb1b23a50795b14c5.exe
4208	JaffaCakes118_90ac8e58b702c30eb1b23a50795b14c5.exe
4208	JaffaCakes118_90ac8e58b702c30eb1b23a50795b14c5.exe
4208	JaffaCakes118_90ac8e58b702c30eb1b23a50795b14c5.exe
4208	JaffaCakes118_90ac8e58b702c30eb1b23a50795b14c5.exe
4208	JaffaCakes118_90ac8e58b702c30eb1b23a50795b14c5.exe
4208	JaffaCakes118_90ac8e58b702c30eb1b23a50795b14c5.exe
4208	JaffaCakes118_90ac8e58b702c30eb1b23a50795b14c5.exe
4208	JaffaCakes118_90ac8e58b702c30eb1b23a50795b14c5.exe
4208	JaffaCakes118_90ac8e58b702c30eb1b23a50795b14c5.exe
4208	JaffaCakes118_90ac8e58b702c30eb1b23a50795b14c5.exe
4208	JaffaCakes118_90ac8e58b702c30eb1b23a50795b14c5.exe
4208	JaffaCakes118_90ac8e58b702c30eb1b23a50795b14c5.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2816	zhjqv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4208 wrote to memory of 1792	4208	JaffaCakes118_90ac8e58b702c30eb1b23a50795b14c5.exe	91
PID 4208 wrote to memory of 1792	4208	JaffaCakes118_90ac8e58b702c30eb1b23a50795b14c5.exe	91
PID 4208 wrote to memory of 1792	4208	JaffaCakes118_90ac8e58b702c30eb1b23a50795b14c5.exe	91
PID 3676 wrote to memory of 3988	3676	cmd.exe	95
PID 3676 wrote to memory of 3988	3676	cmd.exe	95
PID 3676 wrote to memory of 3988	3676	cmd.exe	95
PID 1620 wrote to memory of 4672	1620	cmd.exe	98
PID 1620 wrote to memory of 4672	1620	cmd.exe	98
PID 1620 wrote to memory of 4672	1620	cmd.exe	98
PID 4672 wrote to memory of 3476	4672	khyuokwsrfhbovwyvhgd.exe	102
PID 4672 wrote to memory of 3476	4672	khyuokwsrfhbovwyvhgd.exe	102
PID 4672 wrote to memory of 3476	4672	khyuokwsrfhbovwyvhgd.exe	102
PID 1784 wrote to memory of 4216	1784	cmd.exe	104
PID 1784 wrote to memory of 4216	1784	cmd.exe	104
PID 1784 wrote to memory of 4216	1784	cmd.exe	104
PID 3088 wrote to memory of 2832	3088	cmd.exe	108
PID 3088 wrote to memory of 2832	3088	cmd.exe	108
PID 3088 wrote to memory of 2832	3088	cmd.exe	108
PID 3964 wrote to memory of 3216	3964	cmd.exe	110
PID 3964 wrote to memory of 3216	3964	cmd.exe	110
PID 3964 wrote to memory of 3216	3964	cmd.exe	110
PID 2832 wrote to memory of 2416	2832	xtjexsdywjkdpvvwsdb.exe	282
PID 2832 wrote to memory of 2416	2832	xtjexsdywjkdpvvwsdb.exe	282
PID 2832 wrote to memory of 2416	2832	xtjexsdywjkdpvvwsdb.exe	282
PID 4308 wrote to memory of 2576	4308	cmd.exe	112
PID 4308 wrote to memory of 2576	4308	cmd.exe	112
PID 4308 wrote to memory of 2576	4308	cmd.exe	112
PID 2576 wrote to memory of 4120	2576	xtjexsdywjkdpvvwsdb.exe	151
PID 2576 wrote to memory of 4120	2576	xtjexsdywjkdpvvwsdb.exe	151
PID 2576 wrote to memory of 4120	2576	xtjexsdywjkdpvvwsdb.exe	151
PID 976 wrote to memory of 3140	976	cmd.exe	118
PID 976 wrote to memory of 3140	976	cmd.exe	118
PID 976 wrote to memory of 3140	976	cmd.exe	118
PID 4388 wrote to memory of 1896	4388	cmd.exe	119
PID 4388 wrote to memory of 1896	4388	cmd.exe	119
PID 4388 wrote to memory of 1896	4388	cmd.exe	119
PID 1896 wrote to memory of 2372	1896	xtjexsdywjkdpvvwsdb.exe	348
PID 1896 wrote to memory of 2372	1896	xtjexsdywjkdpvvwsdb.exe	348
PID 1896 wrote to memory of 2372	1896	xtjexsdywjkdpvvwsdb.exe	348
PID 1792 wrote to memory of 2816	1792	whljbuilgrv.exe	122
PID 1792 wrote to memory of 2816	1792	whljbuilgrv.exe	122
PID 1792 wrote to memory of 2816	1792	whljbuilgrv.exe	122
PID 1792 wrote to memory of 3296	1792	whljbuilgrv.exe	124
PID 1792 wrote to memory of 3296	1792	whljbuilgrv.exe	124
PID 1792 wrote to memory of 3296	1792	whljbuilgrv.exe	124
PID 3988 wrote to memory of 3888	3988	cmd.exe	338
PID 3988 wrote to memory of 3888	3988	cmd.exe	338
PID 3988 wrote to memory of 3888	3988	cmd.exe	338
PID 4472 wrote to memory of 1876	4472	cmd.exe	130
PID 4472 wrote to memory of 1876	4472	cmd.exe	130
PID 4472 wrote to memory of 1876	4472	cmd.exe	130
PID 4116 wrote to memory of 3096	4116	cmd.exe	139
PID 4116 wrote to memory of 3096	4116	cmd.exe	139
PID 4116 wrote to memory of 3096	4116	cmd.exe	139
PID 4716 wrote to memory of 1120	4716	cmd.exe	351
PID 4716 wrote to memory of 1120	4716	cmd.exe	351
PID 4716 wrote to memory of 1120	4716	cmd.exe	351
PID 3096 wrote to memory of 4772	3096	khyuokwsrfhbovwyvhgd.exe	169
PID 3096 wrote to memory of 4772	3096	khyuokwsrfhbovwyvhgd.exe	169
PID 3096 wrote to memory of 4772	3096	khyuokwsrfhbovwyvhgd.exe	169
PID 1520 wrote to memory of 3432	1520	cmd.exe	335
PID 1520 wrote to memory of 3432	1520	cmd.exe	335
PID 1520 wrote to memory of 3432	1520	cmd.exe	335
PID 1120 wrote to memory of 4980	1120	dxlevoxqmxwnxbzys.exe	340

System policy modification 1 TTPs 54 IoCs

defense_evasion

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	zhjqv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	zhjqv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	zhjqv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	zhjqv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	zhjqv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	zhjqv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	zhjqv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	zhjqv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	zhjqv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	whljbuilgrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	zhjqv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	zhjqv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	zhjqv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	zhjqv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	zhjqv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	zhjqv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	whljbuilgrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	zhjqv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	zhjqv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	zhjqv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	zhjqv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	zhjqv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	whljbuilgrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	whljbuilgrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	zhjqv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	zhjqv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	zhjqv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	zhjqv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_90ac8e58b702c30eb1b23a50795b14c5.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_90ac8e58b702c30eb1b23a50795b14c5.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4208
- C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
  "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_90ac8e58b702c30eb1b23a50795b14c5.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1792
- - C:\Users\Admin\AppData\Local\Temp\zhjqv.exe
    "C:\Users\Admin\AppData\Local\Temp\zhjqv.exe" "-C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:2816
- - C:\Users\Admin\AppData\Local\Temp\zhjqv.exe
    "C:\Users\Admin\AppData\Local\Temp\zhjqv.exe" "-C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zxpmheroodgbpxzcannld.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3676
- C:\Windows\zxpmheroodgbpxzcannld.exe
  zxpmheroodgbpxzcannld.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khyuokwsrfhbovwyvhgd.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\khyuokwsrfhbovwyvhgd.exe
  khyuokwsrfhbovwyvhgd.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4672
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\khyuokwsrfhbovwyvhgd.exe*."
    3⤵
    - Executes dropped EXE
    PID:3476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhwqicmgdpphsxwwrb.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1784
- C:\Windows\mhwqicmgdpphsxwwrb.exe
  mhwqicmgdpphsxwwrb.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xtjexsdywjkdpvvwsdb.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:3088
- C:\Windows\xtjexsdywjkdpvvwsdb.exe
  xtjexsdywjkdpvvwsdb.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\xtjexsdywjkdpvvwsdb.exe*."
    3⤵
    - Executes dropped EXE
    PID:2416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3964
- C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:4308
- C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\xtjexsdywjkdpvvwsdb.exe*."
    3⤵
    - Executes dropped EXE
    PID:4120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:976
- C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:4388
- C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1896
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\xtjexsdywjkdpvvwsdb.exe*."
    3⤵
    - Executes dropped EXE
    PID:2372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zxpmheroodgbpxzcannld.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3988
- C:\Windows\zxpmheroodgbpxzcannld.exe
  zxpmheroodgbpxzcannld.exe
  2⤵
  - Executes dropped EXE
  PID:3888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpcukckcxhfvehec.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4472
- C:\Windows\wpcukckcxhfvehec.exe
  wpcukckcxhfvehec.exe
  2⤵
  - Executes dropped EXE
  PID:1876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khyuokwsrfhbovwyvhgd.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:4116
- C:\Windows\khyuokwsrfhbovwyvhgd.exe
  khyuokwsrfhbovwyvhgd.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3096
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\khyuokwsrfhbovwyvhgd.exe*."
    3⤵
    - Executes dropped EXE
    PID:4772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dxlevoxqmxwnxbzys.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:4716
- C:\Windows\dxlevoxqmxwnxbzys.exe
  dxlevoxqmxwnxbzys.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1120
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\dxlevoxqmxwnxbzys.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhwqicmgdpphsxwwrb.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Windows\mhwqicmgdpphsxwwrb.exe
  mhwqicmgdpphsxwwrb.exe
  2⤵
  - Executes dropped EXE
  PID:3432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dxlevoxqmxwnxbzys.exe
1⤵
PID:2324
- C:\Windows\dxlevoxqmxwnxbzys.exe
  dxlevoxqmxwnxbzys.exe
  2⤵
  - Executes dropped EXE
  PID:4792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpcukckcxhfvehec.exe .
1⤵
PID:876
- C:\Windows\wpcukckcxhfvehec.exe
  wpcukckcxhfvehec.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3260
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\wpcukckcxhfvehec.exe*."
    3⤵
    - Executes dropped EXE
    PID:1312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpcukckcxhfvehec.exe .
1⤵
PID:2436
- C:\Windows\wpcukckcxhfvehec.exe
  wpcukckcxhfvehec.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3652
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\wpcukckcxhfvehec.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
1⤵
PID:4488
- C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  2⤵
  - Executes dropped EXE
  PID:4900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
1⤵
PID:3456
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4120
- C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
  2⤵
  - Executes dropped EXE
  PID:2936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe .
1⤵
PID:3712
- C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4536
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\mhwqicmgdpphsxwwrb.exe*."
    3⤵
    - Executes dropped EXE
    PID:2308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe .
1⤵
PID:3516
- C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:392
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\xtjexsdywjkdpvvwsdb.exe*."
    3⤵
    - Executes dropped EXE
    PID:3004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
1⤵
PID:4932
- C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
  C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zxpmheroodgbpxzcannld.exe
1⤵
PID:756
- C:\Users\Admin\AppData\Local\Temp\zxpmheroodgbpxzcannld.exe
  C:\Users\Admin\AppData\Local\Temp\zxpmheroodgbpxzcannld.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe .
1⤵
PID:400
- C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4724
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\wpcukckcxhfvehec.exe*."
    3⤵
    - Executes dropped EXE
    PID:2916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe .
1⤵
PID:4528
- C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3504
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\xtjexsdywjkdpvvwsdb.exe*."
    3⤵
    - Executes dropped EXE
    PID:3232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khyuokwsrfhbovwyvhgd.exe
1⤵
PID:4772
- C:\Windows\khyuokwsrfhbovwyvhgd.exe
  khyuokwsrfhbovwyvhgd.exe
  2⤵
  - Executes dropped EXE
  PID:2600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xtjexsdywjkdpvvwsdb.exe .
1⤵
PID:2040
- C:\Windows\xtjexsdywjkdpvvwsdb.exe
  xtjexsdywjkdpvvwsdb.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2280
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\xtjexsdywjkdpvvwsdb.exe*."
    3⤵
    - Executes dropped EXE
    PID:4476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpcukckcxhfvehec.exe
1⤵
PID:1604
- C:\Windows\wpcukckcxhfvehec.exe
  wpcukckcxhfvehec.exe
  2⤵
  - Executes dropped EXE
  PID:2300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpcukckcxhfvehec.exe .
1⤵
PID:2480
- C:\Windows\wpcukckcxhfvehec.exe
  wpcukckcxhfvehec.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3560
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\wpcukckcxhfvehec.exe*."
    3⤵
    - Executes dropped EXE
    PID:3960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe
1⤵
PID:2392
- C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe
  2⤵
  - Executes dropped EXE
  PID:1368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe .
1⤵
PID:1256
- C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4820
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\xtjexsdywjkdpvvwsdb.exe*."
    3⤵
    - Executes dropped EXE
    PID:3236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zxpmheroodgbpxzcannld.exe
1⤵
PID:2184
- C:\Users\Admin\AppData\Local\Temp\zxpmheroodgbpxzcannld.exe
  C:\Users\Admin\AppData\Local\Temp\zxpmheroodgbpxzcannld.exe
  2⤵
  - Executes dropped EXE
  PID:3448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe .
1⤵
PID:4784
- C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
  C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4388
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\khyuokwsrfhbovwyvhgd.exe*."
    3⤵
    - Executes dropped EXE
    PID:3456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhwqicmgdpphsxwwrb.exe
1⤵
PID:1872
- C:\Windows\mhwqicmgdpphsxwwrb.exe
  mhwqicmgdpphsxwwrb.exe
  2⤵
  - Executes dropped EXE
  PID:1956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khyuokwsrfhbovwyvhgd.exe .
1⤵
PID:3636
- C:\Windows\khyuokwsrfhbovwyvhgd.exe
  khyuokwsrfhbovwyvhgd.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4724
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\khyuokwsrfhbovwyvhgd.exe*."
    3⤵
    - Executes dropped EXE
    PID:3464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpcukckcxhfvehec.exe
1⤵
PID:4716
- C:\Windows\wpcukckcxhfvehec.exe
  wpcukckcxhfvehec.exe
  2⤵
  - Executes dropped EXE
  PID:3816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khyuokwsrfhbovwyvhgd.exe
1⤵
PID:400
- C:\Windows\khyuokwsrfhbovwyvhgd.exe
  khyuokwsrfhbovwyvhgd.exe
  2⤵
  - Executes dropped EXE
  PID:1384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpcukckcxhfvehec.exe .
1⤵
PID:2624
- C:\Windows\wpcukckcxhfvehec.exe
  wpcukckcxhfvehec.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3172
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\wpcukckcxhfvehec.exe*."
    3⤵
    - Executes dropped EXE
    PID:4352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khyuokwsrfhbovwyvhgd.exe
1⤵
PID:784
- C:\Windows\khyuokwsrfhbovwyvhgd.exe
  khyuokwsrfhbovwyvhgd.exe
  2⤵
  - Executes dropped EXE
  PID:3572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
1⤵
PID:3232
- C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
  C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
  2⤵
  - Executes dropped EXE
  PID:2848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe .
1⤵
PID:1924
- C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3908
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\xtjexsdywjkdpvvwsdb.exe*."
    3⤵
    PID:2480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zxpmheroodgbpxzcannld.exe .
1⤵
PID:3516
- C:\Windows\zxpmheroodgbpxzcannld.exe
  zxpmheroodgbpxzcannld.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2532
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\zxpmheroodgbpxzcannld.exe*."
    3⤵
    - Executes dropped EXE
    PID:3056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhwqicmgdpphsxwwrb.exe .
1⤵
PID:4676
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2308
- C:\Windows\mhwqicmgdpphsxwwrb.exe
  mhwqicmgdpphsxwwrb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1432
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\mhwqicmgdpphsxwwrb.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khyuokwsrfhbovwyvhgd.exe
1⤵
PID:696
- C:\Windows\khyuokwsrfhbovwyvhgd.exe
  khyuokwsrfhbovwyvhgd.exe
  2⤵
  - Executes dropped EXE
  PID:1536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dxlevoxqmxwnxbzys.exe
1⤵
PID:3452
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3560
- C:\Windows\dxlevoxqmxwnxbzys.exe
  dxlevoxqmxwnxbzys.exe
  2⤵
  PID:4820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xtjexsdywjkdpvvwsdb.exe .
1⤵
PID:3088
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3960
- C:\Windows\xtjexsdywjkdpvvwsdb.exe
  xtjexsdywjkdpvvwsdb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1928
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\xtjexsdywjkdpvvwsdb.exe*."
    3⤵
    PID:696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe
1⤵
PID:1060
- C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe
  2⤵
  PID:772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe
1⤵
PID:4848
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3260
- C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe
  2⤵
  PID:1736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xtjexsdywjkdpvvwsdb.exe .
1⤵
PID:1700
- C:\Windows\xtjexsdywjkdpvvwsdb.exe
  xtjexsdywjkdpvvwsdb.exe .
  2⤵
  - Checks computer location settings
  PID:1284
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\xtjexsdywjkdpvvwsdb.exe*."
    3⤵
    PID:1608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe .
1⤵
PID:3412
- C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
  C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe .
  2⤵
  - Checks computer location settings
  PID:1624
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\khyuokwsrfhbovwyvhgd.exe*."
    3⤵
    PID:3516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe .
1⤵
PID:2020
- C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1052
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\xtjexsdywjkdpvvwsdb.exe*."
    3⤵
    PID:4156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zxpmheroodgbpxzcannld.exe
1⤵
PID:3728
- C:\Users\Admin\AppData\Local\Temp\zxpmheroodgbpxzcannld.exe
  C:\Users\Admin\AppData\Local\Temp\zxpmheroodgbpxzcannld.exe
  2⤵
  PID:2416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe .
1⤵
PID:1408
- C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe .
  2⤵
  - Checks computer location settings
  PID:1976
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\dxlevoxqmxwnxbzys.exe*."
    3⤵
    PID:3996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zxpmheroodgbpxzcannld.exe
1⤵
PID:1364
- C:\Users\Admin\AppData\Local\Temp\zxpmheroodgbpxzcannld.exe
  C:\Users\Admin\AppData\Local\Temp\zxpmheroodgbpxzcannld.exe
  2⤵
  PID:4588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe .
1⤵
PID:1728
- C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2460
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\dxlevoxqmxwnxbzys.exe*."
    3⤵
    PID:5012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe
1⤵
PID:784
- C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe
  2⤵
  PID:3716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe .
1⤵
PID:2440
- C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3200
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\dxlevoxqmxwnxbzys.exe*."
    3⤵
    PID:1224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dxlevoxqmxwnxbzys.exe
1⤵
PID:1696
- C:\Windows\dxlevoxqmxwnxbzys.exe
  dxlevoxqmxwnxbzys.exe
  2⤵
  PID:876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zxpmheroodgbpxzcannld.exe .
1⤵
PID:1592
- C:\Windows\zxpmheroodgbpxzcannld.exe
  zxpmheroodgbpxzcannld.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3644
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\zxpmheroodgbpxzcannld.exe*."
    3⤵
    PID:2040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpcukckcxhfvehec.exe
1⤵
PID:1256
- C:\Windows\wpcukckcxhfvehec.exe
  wpcukckcxhfvehec.exe
  2⤵
  PID:4560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpcukckcxhfvehec.exe .
1⤵
PID:4480
- C:\Windows\wpcukckcxhfvehec.exe
  wpcukckcxhfvehec.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1928
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\wpcukckcxhfvehec.exe*."
    3⤵
    PID:3980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
1⤵
PID:3652
- C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
  2⤵
  PID:2832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe .
1⤵
PID:5028
- C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3656
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\xtjexsdywjkdpvvwsdb.exe*."
    3⤵
    PID:4488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
1⤵
PID:3676
- C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
  C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
  2⤵
  PID:3916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe .
1⤵
PID:3492
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3716
- C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2796
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\xtjexsdywjkdpvvwsdb.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khyuokwsrfhbovwyvhgd.exe
1⤵
PID:2264
- C:\Windows\khyuokwsrfhbovwyvhgd.exe
  khyuokwsrfhbovwyvhgd.exe
  2⤵
  PID:1312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zxpmheroodgbpxzcannld.exe .
1⤵
PID:784
- C:\Windows\zxpmheroodgbpxzcannld.exe
  zxpmheroodgbpxzcannld.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1792
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\zxpmheroodgbpxzcannld.exe*."
    3⤵
    PID:3004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhwqicmgdpphsxwwrb.exe
1⤵
PID:5032
- C:\Windows\mhwqicmgdpphsxwwrb.exe
  mhwqicmgdpphsxwwrb.exe
  2⤵
  PID:1036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khyuokwsrfhbovwyvhgd.exe .
1⤵
PID:400
- C:\Windows\khyuokwsrfhbovwyvhgd.exe
  khyuokwsrfhbovwyvhgd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:368
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\khyuokwsrfhbovwyvhgd.exe*."
    3⤵
    PID:4848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
1⤵
PID:3432
- C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
  C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
  2⤵
  PID:4980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zxpmheroodgbpxzcannld.exe .
1⤵
PID:3888
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4900
- C:\Users\Admin\AppData\Local\Temp\zxpmheroodgbpxzcannld.exe
  C:\Users\Admin\AppData\Local\Temp\zxpmheroodgbpxzcannld.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4808
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\zxpmheroodgbpxzcannld.exe*."
    3⤵
    PID:4456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
1⤵
PID:520
- C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
  C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
  2⤵
  PID:2372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe .
1⤵
PID:788
- C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3688
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\wpcukckcxhfvehec.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zxpmheroodgbpxzcannld.exe
1⤵
PID:1120
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1244
- C:\Windows\zxpmheroodgbpxzcannld.exe
  zxpmheroodgbpxzcannld.exe
  2⤵
  PID:4792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khyuokwsrfhbovwyvhgd.exe .
1⤵
PID:1700
- C:\Windows\khyuokwsrfhbovwyvhgd.exe
  khyuokwsrfhbovwyvhgd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2544
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\khyuokwsrfhbovwyvhgd.exe*."
    3⤵
    PID:5076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhwqicmgdpphsxwwrb.exe
1⤵
PID:3120
- C:\Windows\mhwqicmgdpphsxwwrb.exe
  mhwqicmgdpphsxwwrb.exe
  2⤵
  PID:4036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpcukckcxhfvehec.exe .
1⤵
PID:1620
- C:\Windows\wpcukckcxhfvehec.exe
  wpcukckcxhfvehec.exe .
  2⤵
  - Checks computer location settings
  PID:4176
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\wpcukckcxhfvehec.exe*."
    3⤵
    PID:1792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
1⤵
PID:1088
- C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
  2⤵
  PID:2300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zxpmheroodgbpxzcannld.exe .
1⤵
PID:4392
- C:\Users\Admin\AppData\Local\Temp\zxpmheroodgbpxzcannld.exe
  C:\Users\Admin\AppData\Local\Temp\zxpmheroodgbpxzcannld.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4148
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\zxpmheroodgbpxzcannld.exe*."
    3⤵
    PID:2460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
1⤵
PID:4704
- C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
  C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
  2⤵
  PID:1592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe .
1⤵
PID:5032
- C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3056
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\wpcukckcxhfvehec.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xtjexsdywjkdpvvwsdb.exe
1⤵
PID:4560
- C:\Windows\xtjexsdywjkdpvvwsdb.exe
  xtjexsdywjkdpvvwsdb.exe
  2⤵
  PID:3116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xtjexsdywjkdpvvwsdb.exe .
1⤵
PID:1624
- C:\Windows\xtjexsdywjkdpvvwsdb.exe
  xtjexsdywjkdpvvwsdb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2096
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\xtjexsdywjkdpvvwsdb.exe*."
    3⤵
    PID:4460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zxpmheroodgbpxzcannld.exe
1⤵
PID:3412
- C:\Windows\zxpmheroodgbpxzcannld.exe
  zxpmheroodgbpxzcannld.exe
  2⤵
  PID:4548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xtjexsdywjkdpvvwsdb.exe .
1⤵
PID:2760
- C:\Windows\xtjexsdywjkdpvvwsdb.exe
  xtjexsdywjkdpvvwsdb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1520
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\xtjexsdywjkdpvvwsdb.exe*."
    3⤵
    PID:3640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
1⤵
PID:4308
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3652
- C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
  2⤵
  PID:4488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe .
1⤵
PID:5084
- C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4992
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\wpcukckcxhfvehec.exe*."
    3⤵
    PID:1752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
1⤵
PID:1576
- C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
  2⤵
  PID:3988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe .
1⤵
PID:1872
- C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1588
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\mhwqicmgdpphsxwwrb.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khyuokwsrfhbovwyvhgd.exe
1⤵
PID:1088
- C:\Windows\khyuokwsrfhbovwyvhgd.exe
  khyuokwsrfhbovwyvhgd.exe
  2⤵
  PID:2924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xtjexsdywjkdpvvwsdb.exe .
1⤵
PID:5100
- C:\Windows\xtjexsdywjkdpvvwsdb.exe
  xtjexsdywjkdpvvwsdb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1184
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\xtjexsdywjkdpvvwsdb.exe*."
    3⤵
    PID:1620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zxpmheroodgbpxzcannld.exe
1⤵
PID:2460
- C:\Windows\zxpmheroodgbpxzcannld.exe
  zxpmheroodgbpxzcannld.exe
  2⤵
  PID:4032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khyuokwsrfhbovwyvhgd.exe .
1⤵
PID:3840
- C:\Windows\khyuokwsrfhbovwyvhgd.exe
  khyuokwsrfhbovwyvhgd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4384
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\khyuokwsrfhbovwyvhgd.exe*."
    3⤵
    PID:4944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe
1⤵
PID:3908
- C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe
  2⤵
  PID:400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe .
1⤵
PID:976
- C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe .
  2⤵
  - Checks computer location settings
  PID:2416
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\dxlevoxqmxwnxbzys.exe*."
    3⤵
    PID:2280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe
1⤵
PID:1144
- C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe
  2⤵
  PID:4548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe .
1⤵
PID:2096
- C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3664
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\dxlevoxqmxwnxbzys.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khyuokwsrfhbovwyvhgd.exe
1⤵
PID:1520
- C:\Windows\khyuokwsrfhbovwyvhgd.exe
  khyuokwsrfhbovwyvhgd.exe
  2⤵
  PID:3996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zxpmheroodgbpxzcannld.exe .
1⤵
PID:2832
- C:\Windows\zxpmheroodgbpxzcannld.exe
  zxpmheroodgbpxzcannld.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3236
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\zxpmheroodgbpxzcannld.exe*."
    3⤵
    PID:2544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zxpmheroodgbpxzcannld.exe
1⤵
PID:4120
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2916
- C:\Windows\zxpmheroodgbpxzcannld.exe
  zxpmheroodgbpxzcannld.exe
  2⤵
  PID:5028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dxlevoxqmxwnxbzys.exe .
1⤵
PID:3500
- C:\Windows\dxlevoxqmxwnxbzys.exe
  dxlevoxqmxwnxbzys.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3436
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\dxlevoxqmxwnxbzys.exe*."
    3⤵
    PID:4148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xtjexsdywjkdpvvwsdb.exe
1⤵
PID:3676
- C:\Windows\xtjexsdywjkdpvvwsdb.exe
  xtjexsdywjkdpvvwsdb.exe
  2⤵
  PID:1884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
1⤵
PID:3120
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3916
- C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  2⤵
  PID:4704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khyuokwsrfhbovwyvhgd.exe
1⤵
PID:3720
- C:\Windows\khyuokwsrfhbovwyvhgd.exe
  khyuokwsrfhbovwyvhgd.exe
  2⤵
  PID:3476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe .
1⤵
PID:3580
- C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2776
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\xtjexsdywjkdpvvwsdb.exe*."
    3⤵
    PID:4496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dxlevoxqmxwnxbzys.exe .
1⤵
PID:4392
- C:\Windows\dxlevoxqmxwnxbzys.exe
  dxlevoxqmxwnxbzys.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3052
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\dxlevoxqmxwnxbzys.exe*."
    3⤵
    PID:2600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xtjexsdywjkdpvvwsdb.exe .
1⤵
PID:3004
- C:\Windows\xtjexsdywjkdpvvwsdb.exe
  xtjexsdywjkdpvvwsdb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4456
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\xtjexsdywjkdpvvwsdb.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpcukckcxhfvehec.exe
1⤵
PID:1284
- C:\Windows\wpcukckcxhfvehec.exe
  wpcukckcxhfvehec.exe
  2⤵
  PID:1672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
1⤵
PID:2488
- C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  2⤵
  PID:2096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xtjexsdywjkdpvvwsdb.exe .
1⤵
PID:1532
- C:\Windows\xtjexsdywjkdpvvwsdb.exe
  xtjexsdywjkdpvvwsdb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2132
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\xtjexsdywjkdpvvwsdb.exe*."
    3⤵
    PID:3720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhwqicmgdpphsxwwrb.exe
1⤵
PID:3704
- C:\Windows\mhwqicmgdpphsxwwrb.exe
  mhwqicmgdpphsxwwrb.exe
  2⤵
  PID:3656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe .
1⤵
PID:4588
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2280
- C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3828
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\xtjexsdywjkdpvvwsdb.exe*."
    3⤵
    PID:4216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
1⤵
PID:2184
- C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  2⤵
  PID:4804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xtjexsdywjkdpvvwsdb.exe .
1⤵
PID:320
- C:\Windows\xtjexsdywjkdpvvwsdb.exe
  xtjexsdywjkdpvvwsdb.exe .
  2⤵
  - Checks computer location settings
  PID:3660
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\xtjexsdywjkdpvvwsdb.exe*."
    3⤵
    PID:4528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe .
1⤵
PID:4464
- C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe .
  2⤵
  - Checks computer location settings
  PID:1588
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\xtjexsdywjkdpvvwsdb.exe*."
    3⤵
    PID:784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
1⤵
PID:456
- C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
  2⤵
  PID:4560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe .
1⤵
PID:3012
- C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1872
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\dxlevoxqmxwnxbzys.exe*."
    3⤵
    PID:4184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
1⤵
PID:3728
- C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
  2⤵
  PID:2440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe .
1⤵
PID:1992
- C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
  C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:536
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\khyuokwsrfhbovwyvhgd.exe*."
    3⤵
    PID:4032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
1⤵
PID:1688
- C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
  C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
  2⤵
  PID:2912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe .
1⤵
PID:2344
- C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2096
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\wpcukckcxhfvehec.exe*."
    3⤵
    PID:4036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpcukckcxhfvehec.exe
1⤵
PID:1932
- C:\Windows\wpcukckcxhfvehec.exe
  wpcukckcxhfvehec.exe
  2⤵
  PID:1256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dxlevoxqmxwnxbzys.exe .
1⤵
PID:3816
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3232
- C:\Windows\dxlevoxqmxwnxbzys.exe
  dxlevoxqmxwnxbzys.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1996
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\dxlevoxqmxwnxbzys.exe*."
    3⤵
    PID:1088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhwqicmgdpphsxwwrb.exe
1⤵
PID:1924
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3004
- C:\Windows\mhwqicmgdpphsxwwrb.exe
  mhwqicmgdpphsxwwrb.exe
  2⤵
  PID:3384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khyuokwsrfhbovwyvhgd.exe .
1⤵
PID:1604
- C:\Windows\khyuokwsrfhbovwyvhgd.exe
  khyuokwsrfhbovwyvhgd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2576
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\khyuokwsrfhbovwyvhgd.exe*."
    3⤵
    PID:4412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
1⤵
PID:3600
- C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  2⤵
  PID:4932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe .
1⤵
PID:2184
- C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4596
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\wpcukckcxhfvehec.exe*."
    3⤵
    PID:4480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe
1⤵
PID:2912
- C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe
  2⤵
  PID:4456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe .
1⤵
PID:1256
- C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe .
  2⤵
  PID:4352
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\wpcukckcxhfvehec.exe*."
    3⤵
    PID:2964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpcukckcxhfvehec.exe
1⤵
PID:1728
- C:\Windows\wpcukckcxhfvehec.exe
  wpcukckcxhfvehec.exe
  2⤵
  PID:2040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpcukckcxhfvehec.exe .
1⤵
PID:2544
- C:\Windows\wpcukckcxhfvehec.exe
  wpcukckcxhfvehec.exe .
  2⤵
  PID:3952
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\wpcukckcxhfvehec.exe*."
    3⤵
    PID:2876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zxpmheroodgbpxzcannld.exe
1⤵
PID:2404
- C:\Windows\zxpmheroodgbpxzcannld.exe
  zxpmheroodgbpxzcannld.exe
  2⤵
  PID:1872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhwqicmgdpphsxwwrb.exe .
1⤵
PID:4084
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2460
- C:\Windows\mhwqicmgdpphsxwwrb.exe
  mhwqicmgdpphsxwwrb.exe .
  2⤵
  PID:1520
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\mhwqicmgdpphsxwwrb.exe*."
    3⤵
    PID:5016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
1⤵
PID:4772
- C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
  2⤵
  PID:3828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe .
1⤵
PID:3912
- C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe .
  2⤵
  PID:1120
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\mhwqicmgdpphsxwwrb.exe*."
    3⤵
    PID:1732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
1⤵
PID:4900
- C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
  C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
  2⤵
  PID:784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe .
1⤵
PID:660
- C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe .
  2⤵
  PID:4800
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\wpcukckcxhfvehec.exe*."
    3⤵
    PID:3228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khyuokwsrfhbovwyvhgd.exe
1⤵
PID:3492
- C:\Windows\khyuokwsrfhbovwyvhgd.exe
  khyuokwsrfhbovwyvhgd.exe
  2⤵
  PID:3500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpcukckcxhfvehec.exe .
1⤵
PID:2416
- C:\Windows\wpcukckcxhfvehec.exe
  wpcukckcxhfvehec.exe .
  2⤵
  PID:768
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\wpcukckcxhfvehec.exe*."
    3⤵
    PID:4888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dxlevoxqmxwnxbzys.exe
1⤵
PID:4688
- C:\Windows\dxlevoxqmxwnxbzys.exe
  dxlevoxqmxwnxbzys.exe
  2⤵
  PID:2020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xtjexsdywjkdpvvwsdb.exe .
1⤵
PID:2924
- C:\Windows\xtjexsdywjkdpvvwsdb.exe
  xtjexsdywjkdpvvwsdb.exe .
  2⤵
  PID:4036
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\xtjexsdywjkdpvvwsdb.exe*."
    3⤵
    PID:4032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
1⤵
PID:4408
- C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
  2⤵
  PID:916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe .
1⤵
PID:2848
- C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe .
  2⤵
  PID:1700
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\xtjexsdywjkdpvvwsdb.exe*."
    3⤵
    PID:4976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
1⤵
PID:2832
- C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
  2⤵
  PID:5100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe .
1⤵
PID:1872
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2544
- C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe .
  2⤵
  PID:2352
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\mhwqicmgdpphsxwwrb.exe*."
    3⤵
    PID:1400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zxpmheroodgbpxzcannld.exe
1⤵
PID:4308
- C:\Windows\zxpmheroodgbpxzcannld.exe
  zxpmheroodgbpxzcannld.exe
  2⤵
  PID:648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhwqicmgdpphsxwwrb.exe .
1⤵
PID:4084
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3464
- C:\Windows\mhwqicmgdpphsxwwrb.exe
  mhwqicmgdpphsxwwrb.exe .
  2⤵
  PID:1732
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\mhwqicmgdpphsxwwrb.exe*."
    3⤵
    PID:4460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xtjexsdywjkdpvvwsdb.exe
1⤵
PID:4412
- C:\Windows\xtjexsdywjkdpvvwsdb.exe
  xtjexsdywjkdpvvwsdb.exe
  2⤵
  PID:1296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dxlevoxqmxwnxbzys.exe .
1⤵
PID:4588
- C:\Windows\dxlevoxqmxwnxbzys.exe
  dxlevoxqmxwnxbzys.exe .
  2⤵
  PID:4800
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\dxlevoxqmxwnxbzys.exe*."
    3⤵
    PID:4536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
1⤵
PID:1592
- C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
  C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
  2⤵
  PID:4488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe .
1⤵
PID:2300
- C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe .
  2⤵
  PID:1928
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\xtjexsdywjkdpvvwsdb.exe*."
    3⤵
    PID:3052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe
1⤵
PID:3704
- C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe
  2⤵
  PID:4384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe .
1⤵
PID:5076
- C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
  C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe .
  2⤵
  PID:3448
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\khyuokwsrfhbovwyvhgd.exe*."
    3⤵
    PID:4784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xtjexsdywjkdpvvwsdb.exe
1⤵
PID:520
- C:\Windows\xtjexsdywjkdpvvwsdb.exe
  xtjexsdywjkdpvvwsdb.exe
  2⤵
  PID:4352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dxlevoxqmxwnxbzys.exe .
1⤵
PID:3580
- C:\Windows\dxlevoxqmxwnxbzys.exe
  dxlevoxqmxwnxbzys.exe .
  2⤵
  PID:2396
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\dxlevoxqmxwnxbzys.exe*."
    3⤵
    PID:5100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpcukckcxhfvehec.exe
1⤵
PID:1964
- C:\Windows\wpcukckcxhfvehec.exe
  wpcukckcxhfvehec.exe
  2⤵
  PID:3684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zxpmheroodgbpxzcannld.exe .
1⤵
PID:1384
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:400
- C:\Windows\zxpmheroodgbpxzcannld.exe
  zxpmheroodgbpxzcannld.exe .
  2⤵
  PID:2576
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\zxpmheroodgbpxzcannld.exe*."
    3⤵
    PID:1120

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
1⤵
PID:1624
- C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  2⤵
  PID:5064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zxpmheroodgbpxzcannld.exe .
1⤵
PID:3168
- C:\Users\Admin\AppData\Local\Temp\zxpmheroodgbpxzcannld.exe
  C:\Users\Admin\AppData\Local\Temp\zxpmheroodgbpxzcannld.exe .
  2⤵
  PID:4388
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\zxpmheroodgbpxzcannld.exe*."
    3⤵
    PID:660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
1⤵
PID:4496
- C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  2⤵
  PID:4940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe .
1⤵
PID:3896
- C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe .
  2⤵
  PID:2080
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\dxlevoxqmxwnxbzys.exe*."
    3⤵
    PID:3436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpcukckcxhfvehec.exe
1⤵
PID:3056
- C:\Windows\wpcukckcxhfvehec.exe
  wpcukckcxhfvehec.exe
  2⤵
  PID:3656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khyuokwsrfhbovwyvhgd.exe .
1⤵
PID:3216
- C:\Windows\khyuokwsrfhbovwyvhgd.exe
  khyuokwsrfhbovwyvhgd.exe .
  2⤵
  PID:3908
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\khyuokwsrfhbovwyvhgd.exe*."
    3⤵
    PID:4684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpcukckcxhfvehec.exe
1⤵
PID:4032
- C:\Windows\wpcukckcxhfvehec.exe
  wpcukckcxhfvehec.exe
  2⤵
  PID:2372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dxlevoxqmxwnxbzys.exe .
1⤵
PID:3384
- C:\Windows\dxlevoxqmxwnxbzys.exe
  dxlevoxqmxwnxbzys.exe .
  2⤵
  PID:2352
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\dxlevoxqmxwnxbzys.exe*."
    3⤵
    PID:2176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
1⤵
PID:1700
- C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  2⤵
  PID:648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe .
1⤵
PID:1884
- C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
  C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe .
  2⤵
  PID:4148
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\khyuokwsrfhbovwyvhgd.exe*."
    3⤵
    PID:536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zxpmheroodgbpxzcannld.exe
1⤵
PID:856
- C:\Users\Admin\AppData\Local\Temp\zxpmheroodgbpxzcannld.exe
  C:\Users\Admin\AppData\Local\Temp\zxpmheroodgbpxzcannld.exe
  2⤵
  PID:1732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe .
1⤵
PID:3200
- C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe .
  2⤵
  PID:1604
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\mhwqicmgdpphsxwwrb.exe*."
    3⤵
    PID:1592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpcukckcxhfvehec.exe
1⤵
PID:3872
- C:\Windows\wpcukckcxhfvehec.exe
  wpcukckcxhfvehec.exe
  2⤵
  PID:1932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpcukckcxhfvehec.exe
1⤵
PID:1928
- C:\Windows\wpcukckcxhfvehec.exe
  wpcukckcxhfvehec.exe
  2⤵
  PID:2316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xtjexsdywjkdpvvwsdb.exe .
1⤵
PID:892
- C:\Windows\xtjexsdywjkdpvvwsdb.exe
  xtjexsdywjkdpvvwsdb.exe .
  2⤵
  PID:2020
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\xtjexsdywjkdpvvwsdb.exe*."
    3⤵
    PID:4352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xtjexsdywjkdpvvwsdb.exe .
1⤵
PID:4688
- C:\Windows\xtjexsdywjkdpvvwsdb.exe
  xtjexsdywjkdpvvwsdb.exe .
  2⤵
  PID:3384
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\xtjexsdywjkdpvvwsdb.exe*."
    3⤵
    PID:2776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhwqicmgdpphsxwwrb.exe
1⤵
PID:3432
- C:\Windows\mhwqicmgdpphsxwwrb.exe
  mhwqicmgdpphsxwwrb.exe
  2⤵
  PID:1700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zxpmheroodgbpxzcannld.exe .
1⤵
PID:916
- C:\Windows\zxpmheroodgbpxzcannld.exe
  zxpmheroodgbpxzcannld.exe .
  2⤵
  PID:4020
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\zxpmheroodgbpxzcannld.exe*."
    3⤵
    PID:2848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zxpmheroodgbpxzcannld.exe
1⤵
PID:3172
- C:\Windows\zxpmheroodgbpxzcannld.exe
  zxpmheroodgbpxzcannld.exe
  2⤵
  PID:2652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xtjexsdywjkdpvvwsdb.exe
1⤵
PID:116
- C:\Windows\xtjexsdywjkdpvvwsdb.exe
  xtjexsdywjkdpvvwsdb.exe
  2⤵
  PID:2740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
1⤵
PID:4004
- C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
  C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
  2⤵
  PID:4980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zxpmheroodgbpxzcannld.exe .
1⤵
PID:2176
- C:\Users\Admin\AppData\Local\Temp\zxpmheroodgbpxzcannld.exe
  C:\Users\Admin\AppData\Local\Temp\zxpmheroodgbpxzcannld.exe .
  2⤵
  PID:892
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\zxpmheroodgbpxzcannld.exe*."
    3⤵
    PID:5012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhwqicmgdpphsxwwrb.exe .
1⤵
PID:4156
- C:\Windows\mhwqicmgdpphsxwwrb.exe
  mhwqicmgdpphsxwwrb.exe .
  2⤵
  PID:4520
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\mhwqicmgdpphsxwwrb.exe*."
    3⤵
    PID:3116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpcukckcxhfvehec.exe .
1⤵
PID:2964
- C:\Windows\wpcukckcxhfvehec.exe
  wpcukckcxhfvehec.exe .
  2⤵
  PID:2776
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\wpcukckcxhfvehec.exe*."
    3⤵
    PID:3220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
1⤵
PID:4028
- C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  2⤵
  PID:1312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe .
1⤵
PID:3688
- C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe .
  2⤵
  PID:2392
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\mhwqicmgdpphsxwwrb.exe*."
    3⤵
    PID:116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
1⤵
PID:2996
- C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
  C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
  2⤵
  PID:4432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhwqicmgdpphsxwwrb.exe
1⤵
PID:1932
- C:\Windows\mhwqicmgdpphsxwwrb.exe
  mhwqicmgdpphsxwwrb.exe
  2⤵
  PID:3220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xtjexsdywjkdpvvwsdb.exe .
1⤵
PID:2304
- C:\Windows\xtjexsdywjkdpvvwsdb.exe
  xtjexsdywjkdpvvwsdb.exe .
  2⤵
  PID:4592
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\xtjexsdywjkdpvvwsdb.exe*."
    3⤵
    PID:2324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe .
1⤵
PID:3516
- C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe .
  2⤵
  PID:1312
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\mhwqicmgdpphsxwwrb.exe*."
    3⤵
    PID:4832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zxpmheroodgbpxzcannld.exe
1⤵
PID:3896
- C:\Users\Admin\AppData\Local\Temp\zxpmheroodgbpxzcannld.exe
  C:\Users\Admin\AppData\Local\Temp\zxpmheroodgbpxzcannld.exe
  2⤵
  PID:3344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe
1⤵
PID:4784
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2480
- C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe
  2⤵
  PID:4004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe .
1⤵
PID:4476
- C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe .
  2⤵
  PID:2740
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\dxlevoxqmxwnxbzys.exe*."
    3⤵
    PID:1604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe .
1⤵
PID:3500
- C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe .
  2⤵
  PID:1224
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\xtjexsdywjkdpvvwsdb.exe*."
    3⤵
    PID:2404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
1⤵
PID:4792
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3572
- C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  2⤵
  PID:916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe .
1⤵
PID:3644
- C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
  C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe .
  2⤵
  PID:1620
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\khyuokwsrfhbovwyvhgd.exe*."
    3⤵
    PID:3004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dxlevoxqmxwnxbzys.exe
1⤵
PID:1060
- C:\Windows\dxlevoxqmxwnxbzys.exe
  dxlevoxqmxwnxbzys.exe
  2⤵
  PID:4352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dxlevoxqmxwnxbzys.exe .
1⤵
PID:1700
- C:\Windows\dxlevoxqmxwnxbzys.exe
  dxlevoxqmxwnxbzys.exe .
  2⤵
  PID:4148
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\dxlevoxqmxwnxbzys.exe*."
    3⤵
    PID:3724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xtjexsdywjkdpvvwsdb.exe
1⤵
PID:4184
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2040
- C:\Windows\xtjexsdywjkdpvvwsdb.exe
  xtjexsdywjkdpvvwsdb.exe
  2⤵
  PID:368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpcukckcxhfvehec.exe .
1⤵
PID:2392
- C:\Windows\wpcukckcxhfvehec.exe
  wpcukckcxhfvehec.exe .
  2⤵
  PID:4336
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\wpcukckcxhfvehec.exe*."
    3⤵
    PID:2184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zxpmheroodgbpxzcannld.exe
1⤵
PID:4688
- C:\Users\Admin\AppData\Local\Temp\zxpmheroodgbpxzcannld.exe
  C:\Users\Admin\AppData\Local\Temp\zxpmheroodgbpxzcannld.exe
  2⤵
  PID:3216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe .
1⤵
PID:2324
- C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe .
  2⤵
  PID:3480
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\wpcukckcxhfvehec.exe*."
    3⤵
    PID:3432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
1⤵
PID:2924
- C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  2⤵
  PID:1604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe .
1⤵
PID:2304
- C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe .
  2⤵
  PID:2372
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\mhwqicmgdpphsxwwrb.exe*."
    3⤵
    PID:3172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khyuokwsrfhbovwyvhgd.exe
1⤵
PID:1052
- C:\Windows\khyuokwsrfhbovwyvhgd.exe
  khyuokwsrfhbovwyvhgd.exe
  2⤵
  PID:2340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dxlevoxqmxwnxbzys.exe .
1⤵
PID:3712
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4156
- C:\Windows\dxlevoxqmxwnxbzys.exe
  dxlevoxqmxwnxbzys.exe .
  2⤵
  PID:3436
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\dxlevoxqmxwnxbzys.exe*."
    3⤵
    PID:3184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zxpmheroodgbpxzcannld.exe
1⤵
PID:468
- C:\Windows\zxpmheroodgbpxzcannld.exe
  zxpmheroodgbpxzcannld.exe
  2⤵
  PID:3940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhwqicmgdpphsxwwrb.exe .
1⤵
PID:2776
- C:\Windows\mhwqicmgdpphsxwwrb.exe
  mhwqicmgdpphsxwwrb.exe .
  2⤵
  PID:3664
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\mhwqicmgdpphsxwwrb.exe*."
    3⤵
    PID:4596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe
1⤵
PID:1224
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3908
- C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe
  2⤵
  PID:2396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe .
1⤵
PID:2356
- C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe .
  2⤵
  PID:916
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\wpcukckcxhfvehec.exe*."
    3⤵
    PID:2740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
1⤵
PID:4300
- C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  2⤵
  PID:4832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zxpmheroodgbpxzcannld.exe .
1⤵
PID:3312
- C:\Users\Admin\AppData\Local\Temp\zxpmheroodgbpxzcannld.exe
  C:\Users\Admin\AppData\Local\Temp\zxpmheroodgbpxzcannld.exe .
  2⤵
  PID:2652
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\zxpmheroodgbpxzcannld.exe*."
    3⤵
    PID:4036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpcukckcxhfvehec.exe
1⤵
PID:4748
- C:\Windows\wpcukckcxhfvehec.exe
  wpcukckcxhfvehec.exe
  2⤵
  PID:4600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xtjexsdywjkdpvvwsdb.exe .
1⤵
PID:856
- C:\Windows\xtjexsdywjkdpvvwsdb.exe
  xtjexsdywjkdpvvwsdb.exe .
  2⤵
  PID:3236
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\xtjexsdywjkdpvvwsdb.exe*."
    3⤵
    PID:4816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpcukckcxhfvehec.exe
1⤵
PID:976
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4992
- C:\Windows\wpcukckcxhfvehec.exe
  wpcukckcxhfvehec.exe
  2⤵
  PID:4592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhwqicmgdpphsxwwrb.exe .
1⤵
PID:3500
- C:\Windows\mhwqicmgdpphsxwwrb.exe
  mhwqicmgdpphsxwwrb.exe .
  2⤵
  PID:4184
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\mhwqicmgdpphsxwwrb.exe*."
    3⤵
    PID:3600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
1⤵
PID:4800
- C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
  2⤵
  PID:3056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe .
1⤵
PID:4588
- C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
  C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe .
  2⤵
  PID:1244
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\khyuokwsrfhbovwyvhgd.exe*."
    3⤵
    PID:2328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe
1⤵
PID:4408
- C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe
  2⤵
  PID:3412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zxpmheroodgbpxzcannld.exe .
1⤵
PID:2924
- C:\Users\Admin\AppData\Local\Temp\zxpmheroodgbpxzcannld.exe
  C:\Users\Admin\AppData\Local\Temp\zxpmheroodgbpxzcannld.exe .
  2⤵
  PID:4852
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\zxpmheroodgbpxzcannld.exe*."
    3⤵
    PID:3356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khyuokwsrfhbovwyvhgd.exe
1⤵
PID:1924
- C:\Windows\khyuokwsrfhbovwyvhgd.exe
  khyuokwsrfhbovwyvhgd.exe
  2⤵
  PID:3236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhwqicmgdpphsxwwrb.exe .
1⤵
PID:3888
- C:\Windows\mhwqicmgdpphsxwwrb.exe
  mhwqicmgdpphsxwwrb.exe .
  2⤵
  PID:2416
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\mhwqicmgdpphsxwwrb.exe*."
    3⤵
    PID:4580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zxpmheroodgbpxzcannld.exe
1⤵
PID:3096
- C:\Windows\zxpmheroodgbpxzcannld.exe
  zxpmheroodgbpxzcannld.exe
  2⤵
  PID:1704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhwqicmgdpphsxwwrb.exe .
1⤵
PID:1492
- C:\Windows\mhwqicmgdpphsxwwrb.exe
  mhwqicmgdpphsxwwrb.exe .
  2⤵
  PID:1312
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\mhwqicmgdpphsxwwrb.exe*."
    3⤵
    PID:3600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
1⤵
PID:232
- C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
  C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
  2⤵
  PID:2776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe .
1⤵
PID:1696
- C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe .
  2⤵
  PID:3492
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\wpcukckcxhfvehec.exe*."
    3⤵
    PID:3000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
1⤵
PID:4300
- C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  2⤵
  PID:2316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe .
1⤵
PID:4052
- C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe .
  2⤵
  PID:4032
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\wpcukckcxhfvehec.exe*."
    3⤵
    PID:2372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zxpmheroodgbpxzcannld.exe
1⤵
PID:3456
- C:\Windows\zxpmheroodgbpxzcannld.exe
  zxpmheroodgbpxzcannld.exe
  2⤵
  PID:4748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khyuokwsrfhbovwyvhgd.exe .
1⤵
PID:2176
- C:\Windows\khyuokwsrfhbovwyvhgd.exe
  khyuokwsrfhbovwyvhgd.exe .
  2⤵
  PID:4816
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\khyuokwsrfhbovwyvhgd.exe*."
    3⤵
    PID:856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zxpmheroodgbpxzcannld.exe
1⤵
PID:1884
- C:\Windows\zxpmheroodgbpxzcannld.exe
  zxpmheroodgbpxzcannld.exe
  2⤵
  PID:3724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xtjexsdywjkdpvvwsdb.exe .
1⤵
PID:3464
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:772
- C:\Windows\xtjexsdywjkdpvvwsdb.exe
  xtjexsdywjkdpvvwsdb.exe .
  2⤵
  PID:3600
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\xtjexsdywjkdpvvwsdb.exe*."
    3⤵
    PID:3664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe
1⤵
PID:1600
- C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe
  2⤵
  PID:2116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe .
1⤵
PID:3056
- C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe .
  2⤵
  PID:756
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\xtjexsdywjkdpvvwsdb.exe*."
    3⤵
    PID:1696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
1⤵
PID:2436
- C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
  2⤵
  PID:1256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe .
1⤵
PID:1532
- C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe .
  2⤵
  PID:4880
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\xtjexsdywjkdpvvwsdb.exe*."
    3⤵
    PID:3644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpcukckcxhfvehec.exe
1⤵
PID:2096
- C:\Windows\wpcukckcxhfvehec.exe
  wpcukckcxhfvehec.exe
  2⤵
  PID:536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xtjexsdywjkdpvvwsdb.exe .
1⤵
PID:4056
- C:\Windows\xtjexsdywjkdpvvwsdb.exe
  xtjexsdywjkdpvvwsdb.exe .
  2⤵
  PID:3828
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\xtjexsdywjkdpvvwsdb.exe*."
    3⤵
    PID:4464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpcukckcxhfvehec.exe
1⤵
PID:1752
- C:\Windows\wpcukckcxhfvehec.exe
  wpcukckcxhfvehec.exe
  2⤵
  PID:1792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xtjexsdywjkdpvvwsdb.exe .
1⤵
PID:4084
- C:\Windows\xtjexsdywjkdpvvwsdb.exe
  xtjexsdywjkdpvvwsdb.exe .
  2⤵
  PID:320
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\xtjexsdywjkdpvvwsdb.exe*."
    3⤵
    PID:1752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khyuokwsrfhbovwyvhgd.exe
1⤵
PID:3704
- C:\Windows\khyuokwsrfhbovwyvhgd.exe
  khyuokwsrfhbovwyvhgd.exe
  2⤵
  PID:2760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dxlevoxqmxwnxbzys.exe
1⤵
PID:4932
- C:\Windows\dxlevoxqmxwnxbzys.exe
  dxlevoxqmxwnxbzys.exe
  2⤵
  PID:6084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xtjexsdywjkdpvvwsdb.exe .
1⤵
PID:4148
- C:\Windows\xtjexsdywjkdpvvwsdb.exe
  xtjexsdywjkdpvvwsdb.exe .
  2⤵
  PID:2888
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\xtjexsdywjkdpvvwsdb.exe*."
    3⤵
    PID:3116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zxpmheroodgbpxzcannld.exe
1⤵
PID:768
- C:\Windows\zxpmheroodgbpxzcannld.exe
  zxpmheroodgbpxzcannld.exe
  2⤵
  PID:2760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
1⤵
PID:1688
- C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  2⤵
  PID:3280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zxpmheroodgbpxzcannld.exe .
1⤵
PID:1312
- C:\Windows\zxpmheroodgbpxzcannld.exe
  zxpmheroodgbpxzcannld.exe .
  2⤵
  PID:1592
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\zxpmheroodgbpxzcannld.exe*."
    3⤵
    PID:5336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpcukckcxhfvehec.exe .
1⤵
PID:3500
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:696
- C:\Windows\wpcukckcxhfvehec.exe
  wpcukckcxhfvehec.exe .
  2⤵
  PID:2952
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\wpcukckcxhfvehec.exe*."
    3⤵
    PID:5428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe .
1⤵
PID:2912
- C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe .
  2⤵
  PID:2760
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\dxlevoxqmxwnxbzys.exe*."
    3⤵
    PID:5256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe
1⤵
PID:756
- C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe
  2⤵
  PID:2888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xtjexsdywjkdpvvwsdb.exe
1⤵
PID:1696
- C:\Windows\xtjexsdywjkdpvvwsdb.exe
  xtjexsdywjkdpvvwsdb.exe
  2⤵
  PID:3060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe .
1⤵
PID:3412
- C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
  C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe .
  2⤵
  PID:4732
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\khyuokwsrfhbovwyvhgd.exe*."
    3⤵
    PID:5480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zxpmheroodgbpxzcannld.exe .
1⤵
PID:2372
- C:\Windows\zxpmheroodgbpxzcannld.exe
  zxpmheroodgbpxzcannld.exe .
  2⤵
  PID:1976
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\zxpmheroodgbpxzcannld.exe*."
    3⤵
    PID:5548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
1⤵
PID:3824
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4944
- C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
  2⤵
  PID:1688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zxpmheroodgbpxzcannld.exe
1⤵
PID:4300
- C:\Users\Admin\AppData\Local\Temp\zxpmheroodgbpxzcannld.exe
  C:\Users\Admin\AppData\Local\Temp\zxpmheroodgbpxzcannld.exe
  2⤵
  PID:1600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe .
1⤵
PID:3660
- C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
  C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe .
  2⤵
  PID:5172
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\khyuokwsrfhbovwyvhgd.exe*."
    3⤵
    PID:5656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe .
1⤵
PID:4804
- C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe .
  2⤵
  PID:5324
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\xtjexsdywjkdpvvwsdb.exe*."
    3⤵
    PID:5684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
1⤵
PID:2340
- C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
  C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
  2⤵
  PID:5212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zxpmheroodgbpxzcannld.exe .
1⤵
PID:1924
- C:\Users\Admin\AppData\Local\Temp\zxpmheroodgbpxzcannld.exe
  C:\Users\Admin\AppData\Local\Temp\zxpmheroodgbpxzcannld.exe .
  2⤵
  PID:4548
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\zxpmheroodgbpxzcannld.exe*."
    3⤵
    PID:5524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
1⤵
PID:2332
- C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
  C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
  2⤵
  PID:5376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zxpmheroodgbpxzcannld.exe .
1⤵
PID:3760
- C:\Users\Admin\AppData\Local\Temp\zxpmheroodgbpxzcannld.exe
  C:\Users\Admin\AppData\Local\Temp\zxpmheroodgbpxzcannld.exe .
  2⤵
  PID:5244
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\zxpmheroodgbpxzcannld.exe*."
    3⤵
    PID:5588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhwqicmgdpphsxwwrb.exe
1⤵
PID:3096
- C:\Windows\mhwqicmgdpphsxwwrb.exe
  mhwqicmgdpphsxwwrb.exe
  2⤵
  PID:5668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khyuokwsrfhbovwyvhgd.exe .
1⤵
PID:5272
- C:\Windows\khyuokwsrfhbovwyvhgd.exe
  khyuokwsrfhbovwyvhgd.exe .
  2⤵
  PID:5804
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\khyuokwsrfhbovwyvhgd.exe*."
    3⤵
    PID:5976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zxpmheroodgbpxzcannld.exe
1⤵
PID:5504
- C:\Windows\zxpmheroodgbpxzcannld.exe
  zxpmheroodgbpxzcannld.exe
  2⤵
  PID:5880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhwqicmgdpphsxwwrb.exe .
1⤵
PID:5604
- C:\Windows\mhwqicmgdpphsxwwrb.exe
  mhwqicmgdpphsxwwrb.exe .
  2⤵
  PID:5856
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\mhwqicmgdpphsxwwrb.exe*."
    3⤵
    PID:6000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe
1⤵
PID:5708
- C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe
  2⤵
  PID:5904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe .
1⤵
PID:5796
- C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe .
  2⤵
  PID:5968
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\dxlevoxqmxwnxbzys.exe*."
    3⤵
    PID:6136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe
1⤵
PID:6028
- C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe
  2⤵
  PID:3060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe .
1⤵
PID:6104
- C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe .
  2⤵
  PID:1784
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\dxlevoxqmxwnxbzys.exe*."
    3⤵
    PID:1820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zxpmheroodgbpxzcannld.exe
1⤵
PID:5368
- C:\Windows\zxpmheroodgbpxzcannld.exe
  zxpmheroodgbpxzcannld.exe
  2⤵
  PID:4564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zxpmheroodgbpxzcannld.exe .
1⤵
PID:2760
- C:\Windows\zxpmheroodgbpxzcannld.exe
  zxpmheroodgbpxzcannld.exe .
  2⤵
  PID:4052
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\zxpmheroodgbpxzcannld.exe*."
    3⤵
    PID:5408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dxlevoxqmxwnxbzys.exe
1⤵
PID:5256
- C:\Windows\dxlevoxqmxwnxbzys.exe
  dxlevoxqmxwnxbzys.exe
  2⤵
  PID:1828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpcukckcxhfvehec.exe .
1⤵
PID:5132
- C:\Windows\wpcukckcxhfvehec.exe
  wpcukckcxhfvehec.exe .
  2⤵
  PID:2624
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\wpcukckcxhfvehec.exe*."
    3⤵
    PID:2116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zxpmheroodgbpxzcannld.exe
1⤵
PID:5144
- C:\Users\Admin\AppData\Local\Temp\zxpmheroodgbpxzcannld.exe
  C:\Users\Admin\AppData\Local\Temp\zxpmheroodgbpxzcannld.exe
  2⤵
  PID:5536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe .
1⤵
PID:5512
- C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe .
  2⤵
  PID:5360
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\dxlevoxqmxwnxbzys.exe*."
    3⤵
    PID:1792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe
1⤵
PID:5400
- C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe
  2⤵
  PID:2184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe .
1⤵
PID:5248
- C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
  C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe .
  2⤵
  PID:2912
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\khyuokwsrfhbovwyvhgd.exe*."
    3⤵
    PID:1872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khyuokwsrfhbovwyvhgd.exe
1⤵
PID:1312
- C:\Windows\khyuokwsrfhbovwyvhgd.exe
  khyuokwsrfhbovwyvhgd.exe
  2⤵
  PID:5444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zxpmheroodgbpxzcannld.exe .
1⤵
PID:1256
- C:\Windows\zxpmheroodgbpxzcannld.exe
  zxpmheroodgbpxzcannld.exe .
  2⤵
  PID:5656
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\zxpmheroodgbpxzcannld.exe*."
    3⤵
    PID:3644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zxpmheroodgbpxzcannld.exe
1⤵
PID:5312
- C:\Windows\zxpmheroodgbpxzcannld.exe
  zxpmheroodgbpxzcannld.exe
  2⤵
  PID:3412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khyuokwsrfhbovwyvhgd.exe .
1⤵
PID:3636
- C:\Windows\khyuokwsrfhbovwyvhgd.exe
  khyuokwsrfhbovwyvhgd.exe .
  2⤵
  PID:2372
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\khyuokwsrfhbovwyvhgd.exe*."
    3⤵
    PID:4804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
1⤵
PID:3200
- C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  2⤵
  PID:1928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe .
1⤵
PID:5196
- C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe .
  2⤵
  PID:1728
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\xtjexsdywjkdpvvwsdb.exe*."
    3⤵
    PID:5532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
1⤵
PID:5696
- C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
  C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
  2⤵
  PID:5996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe .
1⤵
PID:5808
- C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe .
  2⤵
  PID:6008
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\wpcukckcxhfvehec.exe*."
    3⤵
    PID:5252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zxpmheroodgbpxzcannld.exe
1⤵
PID:6020
- C:\Windows\zxpmheroodgbpxzcannld.exe
  zxpmheroodgbpxzcannld.exe
  2⤵
  PID:5128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zxpmheroodgbpxzcannld.exe .
1⤵
PID:1564
- C:\Windows\zxpmheroodgbpxzcannld.exe
  zxpmheroodgbpxzcannld.exe .
  2⤵
  PID:6112
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\zxpmheroodgbpxzcannld.exe*."
    3⤵
    PID:5788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xtjexsdywjkdpvvwsdb.exe
1⤵
PID:208
- C:\Windows\xtjexsdywjkdpvvwsdb.exe
  xtjexsdywjkdpvvwsdb.exe
  2⤵
  PID:4148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dxlevoxqmxwnxbzys.exe .
1⤵
PID:5796
- C:\Windows\dxlevoxqmxwnxbzys.exe
  dxlevoxqmxwnxbzys.exe .
  2⤵
  PID:1364
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\dxlevoxqmxwnxbzys.exe*."
    3⤵
    PID:1476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
1⤵
PID:1032
- C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
  C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
  2⤵
  PID:5388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe .
1⤵
PID:1696
- C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe .
  2⤵
  PID:2092
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\xtjexsdywjkdpvvwsdb.exe*."
    3⤵
    PID:3148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
1⤵
PID:4392
- C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
  C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
  2⤵
  PID:5336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe .
1⤵
PID:5520
- C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe .
  2⤵
  PID:2140
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\wpcukckcxhfvehec.exe*."
    3⤵
    PID:3436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dxlevoxqmxwnxbzys.exe
1⤵
PID:5348
- C:\Windows\dxlevoxqmxwnxbzys.exe
  dxlevoxqmxwnxbzys.exe
  2⤵
  PID:5428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpcukckcxhfvehec.exe .
1⤵
PID:3728
- C:\Windows\wpcukckcxhfvehec.exe
  wpcukckcxhfvehec.exe .
  2⤵
  PID:4548
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\wpcukckcxhfvehec.exe*."
    3⤵
    PID:2340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhwqicmgdpphsxwwrb.exe
1⤵
PID:5236
- C:\Windows\mhwqicmgdpphsxwwrb.exe
  mhwqicmgdpphsxwwrb.exe
  2⤵
  PID:5588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xtjexsdywjkdpvvwsdb.exe .
1⤵
PID:5468
- C:\Windows\xtjexsdywjkdpvvwsdb.exe
  xtjexsdywjkdpvvwsdb.exe .
  2⤵
  PID:5592
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\xtjexsdywjkdpvvwsdb.exe*."
    3⤵
    PID:5364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe
1⤵
PID:2132
- C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe
  2⤵
  PID:3456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zxpmheroodgbpxzcannld.exe .
1⤵
PID:2356
- C:\Users\Admin\AppData\Local\Temp\zxpmheroodgbpxzcannld.exe
  C:\Users\Admin\AppData\Local\Temp\zxpmheroodgbpxzcannld.exe .
  2⤵
  PID:5064
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\zxpmheroodgbpxzcannld.exe*."
    3⤵
    PID:232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe
1⤵
PID:3760
- C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe
  2⤵
  PID:4748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe .
1⤵
PID:5772
- C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe .
  2⤵
  PID:3560
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\mhwqicmgdpphsxwwrb.exe*."
    3⤵
    PID:1516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zxpmheroodgbpxzcannld.exe
1⤵
PID:5300
- C:\Windows\zxpmheroodgbpxzcannld.exe
  zxpmheroodgbpxzcannld.exe
  2⤵
  PID:5492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zxpmheroodgbpxzcannld.exe .
1⤵
PID:5904
- C:\Windows\zxpmheroodgbpxzcannld.exe
  zxpmheroodgbpxzcannld.exe .
  2⤵
  PID:3884
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\zxpmheroodgbpxzcannld.exe*."
    3⤵
    PID:6056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dxlevoxqmxwnxbzys.exe
1⤵
PID:5200
- C:\Windows\dxlevoxqmxwnxbzys.exe
  dxlevoxqmxwnxbzys.exe
  2⤵
  PID:2324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpcukckcxhfvehec.exe .
1⤵
PID:5708
- C:\Windows\wpcukckcxhfvehec.exe
  wpcukckcxhfvehec.exe .
  2⤵
  PID:5276
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\wpcukckcxhfvehec.exe*."
    3⤵
    PID:6044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
1⤵
PID:4384
- C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
  2⤵
  PID:4184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zxpmheroodgbpxzcannld.exe
1⤵
PID:5944
- C:\Windows\zxpmheroodgbpxzcannld.exe
  zxpmheroodgbpxzcannld.exe
  2⤵
  PID:6076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe .
1⤵
PID:5808
- C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
  C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe .
  2⤵
  PID:6024
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\khyuokwsrfhbovwyvhgd.exe*."
    3⤵
    PID:2936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khyuokwsrfhbovwyvhgd.exe .
1⤵
PID:6048
- C:\Windows\khyuokwsrfhbovwyvhgd.exe
  khyuokwsrfhbovwyvhgd.exe .
  2⤵
  PID:4148
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\khyuokwsrfhbovwyvhgd.exe*."
    3⤵
    PID:4468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhwqicmgdpphsxwwrb.exe
1⤵
PID:1784
- C:\Windows\mhwqicmgdpphsxwwrb.exe
  mhwqicmgdpphsxwwrb.exe
  2⤵
  PID:4220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
1⤵
PID:468
- C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
  C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
  2⤵
  PID:4588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dxlevoxqmxwnxbzys.exe
1⤵
PID:208
- C:\Windows\dxlevoxqmxwnxbzys.exe
  dxlevoxqmxwnxbzys.exe
  2⤵
  PID:5180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe .
1⤵
PID:5240
- C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe .
  2⤵
  PID:4724
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\wpcukckcxhfvehec.exe*."
    3⤵
    PID:5236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khyuokwsrfhbovwyvhgd.exe .
1⤵
PID:1364
- C:\Windows\khyuokwsrfhbovwyvhgd.exe
  khyuokwsrfhbovwyvhgd.exe .
  2⤵
  PID:1244
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\khyuokwsrfhbovwyvhgd.exe*."
    3⤵
    PID:5908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khyuokwsrfhbovwyvhgd.exe .
1⤵
PID:2576
- C:\Windows\khyuokwsrfhbovwyvhgd.exe
  khyuokwsrfhbovwyvhgd.exe .
  2⤵
  PID:4016
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\khyuokwsrfhbovwyvhgd.exe*."
    3⤵
    PID:3436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
1⤵
PID:4888
- C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
  2⤵
  PID:3656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe .
1⤵
PID:5280
- C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe .
  2⤵
  PID:5468
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\dxlevoxqmxwnxbzys.exe*."
    3⤵
    PID:4432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dxlevoxqmxwnxbzys.exe
1⤵
PID:3384
- C:\Windows\dxlevoxqmxwnxbzys.exe
  dxlevoxqmxwnxbzys.exe
  2⤵
  PID:5700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dxlevoxqmxwnxbzys.exe .
1⤵
PID:3004
- C:\Windows\dxlevoxqmxwnxbzys.exe
  dxlevoxqmxwnxbzys.exe .
  2⤵
  PID:4352
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\dxlevoxqmxwnxbzys.exe*."
    3⤵
    PID:5684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
1⤵
PID:4024
- C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  2⤵
  PID:3760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe
1⤵
PID:4864
- C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe
  2⤵
  PID:4032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe .
1⤵
PID:5184
- C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe .
  2⤵
  PID:5444
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\wpcukckcxhfvehec.exe*."
    3⤵
    PID:4180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe .
1⤵
PID:4084
- C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe .
  2⤵
  PID:2852
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\xtjexsdywjkdpvvwsdb.exe*."
    3⤵
    PID:3832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
1⤵
PID:1284
- C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  2⤵
  PID:5704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe .
1⤵
PID:5660
- C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
  C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe .
  2⤵
  PID:5504
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\khyuokwsrfhbovwyvhgd.exe*."
    3⤵
    PID:3460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhwqicmgdpphsxwwrb.exe
1⤵
PID:3000
- C:\Windows\mhwqicmgdpphsxwwrb.exe
  mhwqicmgdpphsxwwrb.exe
  2⤵
  PID:5800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhwqicmgdpphsxwwrb.exe .
1⤵
PID:5716
- C:\Windows\mhwqicmgdpphsxwwrb.exe
  mhwqicmgdpphsxwwrb.exe .
  2⤵
  PID:2176
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\mhwqicmgdpphsxwwrb.exe*."
    3⤵
    PID:6084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhwqicmgdpphsxwwrb.exe
1⤵
PID:5924
- C:\Windows\mhwqicmgdpphsxwwrb.exe
  mhwqicmgdpphsxwwrb.exe
  2⤵
  PID:1752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khyuokwsrfhbovwyvhgd.exe .
1⤵
PID:5492
- C:\Windows\khyuokwsrfhbovwyvhgd.exe
  khyuokwsrfhbovwyvhgd.exe .
  2⤵
  PID:1600
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\khyuokwsrfhbovwyvhgd.exe*."
    3⤵
    PID:5600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zxpmheroodgbpxzcannld.exe
1⤵
PID:4956
- C:\Users\Admin\AppData\Local\Temp\zxpmheroodgbpxzcannld.exe
  C:\Users\Admin\AppData\Local\Temp\zxpmheroodgbpxzcannld.exe
  2⤵
  PID:5128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe .
1⤵
PID:5996
- C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe .
  2⤵
  PID:5648
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\mhwqicmgdpphsxwwrb.exe*."
    3⤵
    PID:6076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
1⤵
PID:320
- C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  2⤵
  PID:5964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe .
1⤵
PID:5696
- C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe .
  2⤵
  PID:420
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\mhwqicmgdpphsxwwrb.exe*."
    3⤵
    PID:644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khyuokwsrfhbovwyvhgd.exe
1⤵
PID:5608
- C:\Windows\khyuokwsrfhbovwyvhgd.exe
  khyuokwsrfhbovwyvhgd.exe
  2⤵
  PID:5160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpcukckcxhfvehec.exe .
1⤵
PID:1604
- C:\Windows\wpcukckcxhfvehec.exe
  wpcukckcxhfvehec.exe .
  2⤵
  PID:6124
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\wpcukckcxhfvehec.exe*."
    3⤵
    PID:5400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xtjexsdywjkdpvvwsdb.exe
1⤵
PID:3960
- C:\Windows\xtjexsdywjkdpvvwsdb.exe
  xtjexsdywjkdpvvwsdb.exe
  2⤵
  PID:5700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xtjexsdywjkdpvvwsdb.exe .
1⤵
PID:5264
- C:\Windows\xtjexsdywjkdpvvwsdb.exe
  xtjexsdywjkdpvvwsdb.exe .
  2⤵
  PID:1256
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\xtjexsdywjkdpvvwsdb.exe*."
    3⤵
    PID:3096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe
1⤵
PID:468
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1224
- C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe
  2⤵
  PID:5244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe .
1⤵
PID:5692
- C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe .
  2⤵
  PID:4352
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\mhwqicmgdpphsxwwrb.exe*."
    3⤵
    PID:5248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
1⤵
PID:3704
- C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  2⤵
  PID:5136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe .
1⤵
PID:2356
- C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe .
  2⤵
  PID:4596
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\wpcukckcxhfvehec.exe*."
    3⤵
    PID:1312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dxlevoxqmxwnxbzys.exe
1⤵
PID:5560
- C:\Windows\dxlevoxqmxwnxbzys.exe
  dxlevoxqmxwnxbzys.exe
  2⤵
  PID:4024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xtjexsdywjkdpvvwsdb.exe .
1⤵
PID:3004
- C:\Windows\xtjexsdywjkdpvvwsdb.exe
  xtjexsdywjkdpvvwsdb.exe .
  2⤵
  PID:4800
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\xtjexsdywjkdpvvwsdb.exe*."
    3⤵
    PID:5556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zxpmheroodgbpxzcannld.exe
1⤵
PID:5344
- C:\Windows\zxpmheroodgbpxzcannld.exe
  zxpmheroodgbpxzcannld.exe
  2⤵
  PID:4840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xtjexsdywjkdpvvwsdb.exe .
1⤵
PID:2080
- C:\Windows\xtjexsdywjkdpvvwsdb.exe
  xtjexsdywjkdpvvwsdb.exe .
  2⤵
  PID:3432
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\xtjexsdywjkdpvvwsdb.exe*."
    3⤵
    PID:5960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zxpmheroodgbpxzcannld.exe
1⤵
PID:4548
- C:\Users\Admin\AppData\Local\Temp\zxpmheroodgbpxzcannld.exe
  C:\Users\Admin\AppData\Local\Temp\zxpmheroodgbpxzcannld.exe
  2⤵
  PID:4920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe .
1⤵
PID:4864
- C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe .
  2⤵
  PID:4084
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\dxlevoxqmxwnxbzys.exe*."
    3⤵
    PID:5128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
1⤵
PID:5592
- C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  2⤵
  PID:6008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe .
1⤵
PID:6056
- C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe .
  2⤵
  PID:4184
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\mhwqicmgdpphsxwwrb.exe*."
    3⤵
    PID:6088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khyuokwsrfhbovwyvhgd.exe
1⤵
PID:5740
- C:\Windows\khyuokwsrfhbovwyvhgd.exe
  khyuokwsrfhbovwyvhgd.exe
  2⤵
  PID:4020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dxlevoxqmxwnxbzys.exe .
1⤵
PID:4684
- C:\Windows\dxlevoxqmxwnxbzys.exe
  dxlevoxqmxwnxbzys.exe .
  2⤵
  PID:5072
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\dxlevoxqmxwnxbzys.exe*."
    3⤵
    PID:6104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhwqicmgdpphsxwwrb.exe
1⤵
PID:5156
- C:\Windows\mhwqicmgdpphsxwwrb.exe
  mhwqicmgdpphsxwwrb.exe
  2⤵
  PID:460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dxlevoxqmxwnxbzys.exe .
1⤵
PID:3000
- C:\Windows\dxlevoxqmxwnxbzys.exe
  dxlevoxqmxwnxbzys.exe .
  2⤵
  PID:5940
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\dxlevoxqmxwnxbzys.exe*."
    3⤵
    PID:3912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
1⤵
PID:2936
- C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  2⤵
  PID:4280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe .
1⤵
PID:3232
- C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe .
  2⤵
  PID:4696
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\xtjexsdywjkdpvvwsdb.exe*."
    3⤵
    PID:5808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
1⤵
PID:848
- C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  2⤵
  PID:4528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zxpmheroodgbpxzcannld.exe .
1⤵
PID:2320
- C:\Users\Admin\AppData\Local\Temp\zxpmheroodgbpxzcannld.exe
  C:\Users\Admin\AppData\Local\Temp\zxpmheroodgbpxzcannld.exe .
  2⤵
  PID:5700
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\zxpmheroodgbpxzcannld.exe*."
    3⤵
    PID:5360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpcukckcxhfvehec.exe
1⤵
PID:6032
- C:\Windows\wpcukckcxhfvehec.exe
  wpcukckcxhfvehec.exe
  2⤵
  PID:1284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhwqicmgdpphsxwwrb.exe .
1⤵
PID:3456
- C:\Windows\mhwqicmgdpphsxwwrb.exe
  mhwqicmgdpphsxwwrb.exe .
  2⤵
  PID:1224
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\mhwqicmgdpphsxwwrb.exe*."
    3⤵
    PID:3412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zxpmheroodgbpxzcannld.exe
1⤵
PID:5012
- C:\Windows\zxpmheroodgbpxzcannld.exe
  zxpmheroodgbpxzcannld.exe
  2⤵
  PID:5084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhwqicmgdpphsxwwrb.exe .
1⤵
PID:5264
- C:\Windows\mhwqicmgdpphsxwwrb.exe
  mhwqicmgdpphsxwwrb.exe .
  2⤵
  PID:5692
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\mhwqicmgdpphsxwwrb.exe*."
    3⤵
    PID:3560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
1⤵
PID:3384
- C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
  C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
  2⤵
  PID:4644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe .
1⤵
PID:692
- C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe .
  2⤵
  PID:5484
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\wpcukckcxhfvehec.exe*."
    3⤵
    PID:4432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
1⤵
PID:3980
- C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  2⤵
  PID:2740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zxpmheroodgbpxzcannld.exe .
1⤵
PID:5908
- C:\Users\Admin\AppData\Local\Temp\zxpmheroodgbpxzcannld.exe
  C:\Users\Admin\AppData\Local\Temp\zxpmheroodgbpxzcannld.exe .
  2⤵
  PID:1700
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\zxpmheroodgbpxzcannld.exe*."
    3⤵
    PID:5488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xtjexsdywjkdpvvwsdb.exe
1⤵
PID:1988
- C:\Windows\xtjexsdywjkdpvvwsdb.exe
  xtjexsdywjkdpvvwsdb.exe
  2⤵
  PID:4964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpcukckcxhfvehec.exe .
1⤵
PID:5332
- C:\Windows\wpcukckcxhfvehec.exe
  wpcukckcxhfvehec.exe .
  2⤵
  PID:4552
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\wpcukckcxhfvehec.exe*."
    3⤵
    PID:5548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zxpmheroodgbpxzcannld.exe
1⤵
PID:5204
- C:\Windows\zxpmheroodgbpxzcannld.exe
  zxpmheroodgbpxzcannld.exe
  2⤵
  PID:3660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khyuokwsrfhbovwyvhgd.exe .
1⤵
PID:5664
- C:\Windows\khyuokwsrfhbovwyvhgd.exe
  khyuokwsrfhbovwyvhgd.exe .
  2⤵
  PID:4156
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\khyuokwsrfhbovwyvhgd.exe*."
    3⤵
    PID:5780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
1⤵
PID:5184
- C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
  2⤵
  PID:5784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe .
1⤵
PID:5632
- C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe .
  2⤵
  PID:5724
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\wpcukckcxhfvehec.exe*."
    3⤵
    PID:5660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
1⤵
PID:2944
- C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  2⤵
  PID:6092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khyuokwsrfhbovwyvhgd.exe
1⤵
PID:5948
- C:\Windows\khyuokwsrfhbovwyvhgd.exe
  khyuokwsrfhbovwyvhgd.exe
  2⤵
  PID:1620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe .
1⤵
PID:6056
- C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe .
  2⤵
  PID:5300
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\mhwqicmgdpphsxwwrb.exe*."
    3⤵
    PID:5352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zxpmheroodgbpxzcannld.exe .
1⤵
PID:5988
- C:\Windows\zxpmheroodgbpxzcannld.exe
  zxpmheroodgbpxzcannld.exe .
  2⤵
  PID:2924
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\zxpmheroodgbpxzcannld.exe*."
    3⤵
    PID:4216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dxlevoxqmxwnxbzys.exe
1⤵
PID:456
- C:\Windows\dxlevoxqmxwnxbzys.exe
  dxlevoxqmxwnxbzys.exe
  2⤵
  PID:5572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpcukckcxhfvehec.exe
1⤵
PID:5880
- C:\Windows\wpcukckcxhfvehec.exe
  wpcukckcxhfvehec.exe
  2⤵
  PID:1784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zxpmheroodgbpxzcannld.exe .
1⤵
PID:6132
- C:\Windows\zxpmheroodgbpxzcannld.exe
  zxpmheroodgbpxzcannld.exe .
  2⤵
  PID:208
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\zxpmheroodgbpxzcannld.exe*."
    3⤵
    PID:232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpcukckcxhfvehec.exe .
1⤵
PID:5840
- C:\Windows\wpcukckcxhfvehec.exe
  wpcukckcxhfvehec.exe .
  2⤵
  PID:5644
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\wpcukckcxhfvehec.exe*."
    3⤵
    PID:4716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
1⤵
PID:4672
- C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
  C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
  2⤵
  PID:3216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xtjexsdywjkdpvvwsdb.exe
1⤵
PID:4116
- C:\Windows\xtjexsdywjkdpvvwsdb.exe
  xtjexsdywjkdpvvwsdb.exe
  2⤵
  PID:6064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe .
1⤵
PID:976
- C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe .
  2⤵
  PID:5756
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\wpcukckcxhfvehec.exe*."
    3⤵
    PID:5400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhwqicmgdpphsxwwrb.exe .
1⤵
PID:5608
- C:\Windows\mhwqicmgdpphsxwwrb.exe
  mhwqicmgdpphsxwwrb.exe .
  2⤵
  PID:6096
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\mhwqicmgdpphsxwwrb.exe*."
    3⤵
    PID:5336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
1⤵
PID:4300
- C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  2⤵
  PID:2000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe .
1⤵
PID:3988
- C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
  C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe .
  2⤵
  PID:3280
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\khyuokwsrfhbovwyvhgd.exe*."
    3⤵
    PID:1976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
1⤵
PID:5284
- C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
  C:\Users\Admin\AppData\Local\Temp\khyuokwsrfhbovwyvhgd.exe
  2⤵
  PID:368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dxlevoxqmxwnxbzys.exe
1⤵
PID:4352
- C:\Windows\dxlevoxqmxwnxbzys.exe
  dxlevoxqmxwnxbzys.exe
  2⤵
  PID:2996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe .
1⤵
PID:3760
- C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe .
  2⤵
  PID:5312
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\dxlevoxqmxwnxbzys.exe*."
    3⤵
    PID:5892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zxpmheroodgbpxzcannld.exe .
1⤵
PID:5836
- C:\Windows\zxpmheroodgbpxzcannld.exe
  zxpmheroodgbpxzcannld.exe .
  2⤵
  PID:5964
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\zxpmheroodgbpxzcannld.exe*."
    3⤵
    PID:5752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
1⤵
PID:520
- C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  2⤵
  PID:5548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe .
1⤵
PID:5516
- C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\dxlevoxqmxwnxbzys.exe .
  2⤵
  PID:5512
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\dxlevoxqmxwnxbzys.exe*."
    3⤵
    PID:5204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhwqicmgdpphsxwwrb.exe
1⤵
PID:1996
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2372
- C:\Windows\mhwqicmgdpphsxwwrb.exe
  mhwqicmgdpphsxwwrb.exe
  2⤵
  PID:3168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khyuokwsrfhbovwyvhgd.exe .
1⤵
PID:5360
- C:\Windows\khyuokwsrfhbovwyvhgd.exe
  khyuokwsrfhbovwyvhgd.exe .
  2⤵
  PID:4480
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\khyuokwsrfhbovwyvhgd.exe*."
    3⤵
    PID:3504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
1⤵
PID:2412
- C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
  2⤵
  PID:5744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe .
1⤵
PID:4800
- C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe .
  2⤵
  PID:5428
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\mhwqicmgdpphsxwwrb.exe*."
    3⤵
    PID:3116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe
1⤵
PID:5980
- C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\mhwqicmgdpphsxwwrb.exe
  2⤵
  PID:5436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe .
1⤵
PID:5624
- C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\wpcukckcxhfvehec.exe .
  2⤵
  PID:5832
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\wpcukckcxhfvehec.exe*."
    3⤵
    PID:5272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wpcukckcxhfvehec.exe
1⤵
PID:3312
- C:\Windows\wpcukckcxhfvehec.exe
  wpcukckcxhfvehec.exe
  2⤵
  PID:5572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhwqicmgdpphsxwwrb.exe .
1⤵
PID:5924
- C:\Windows\mhwqicmgdpphsxwwrb.exe
  mhwqicmgdpphsxwwrb.exe .
  2⤵
  PID:5676
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\mhwqicmgdpphsxwwrb.exe*."
    3⤵
    PID:5100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xtjexsdywjkdpvvwsdb.exe
1⤵
PID:5916
- C:\Windows\xtjexsdywjkdpvvwsdb.exe
  xtjexsdywjkdpvvwsdb.exe
  2⤵
  PID:5740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zxpmheroodgbpxzcannld.exe .
1⤵
PID:6104
- C:\Windows\zxpmheroodgbpxzcannld.exe
  zxpmheroodgbpxzcannld.exe .
  2⤵
  PID:3056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtjexsdywjkdpvvwsdb.exe
1⤵
PID:4464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Modify Registry