pykspa | 886a6b6fdd213f3b992336fccc96d5afdf409a859575e1a689c4cf506bbe074a

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	orxakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	orxakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe

Pykspa
Pykspa is a worm spreads via Skype uses DGA and it's written in C++.
worm pykspa
Pykspa family
pykspa

UAC bypass 3 TTPs 21 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	orxakp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	orxakp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	orxakp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	orxakp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	orxakp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	orxakp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	orxakp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	orxakp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe

Detect Pykspa worm 2 IoCs

worm

resource	yara_rule
behavioral2/files/0x000a00000002405f-4.dat	family_pykspa
behavioral2/files/0x000a00000002412b-83.dat	family_pykspa

Adds policy Run key to start application 2 TTPs 39 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hnwcpxfnc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hvmavlbroyahcyhsl.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hnwcpxfnc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brkaxphzykoxusdqllf.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hnwcpxfnc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ofzqohattglvtsesopkb.exe"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hnwcpxfnc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qfxmizqhfqtbxueqkj.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbnwmxitlqnp = "hvmavlbroyahcyhsl.exe"	orxakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hnwcpxfnc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\andqkzodzijpjemw.exe"	orxakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hnwcpxfnc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hvmavlbroyahcyhsl.exe"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hnwcpxfnc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ofzqohattglvtsesopkb.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbnwmxitlqnp = "ofzqohattglvtsesopkb.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbnwmxitlqnp = "dvqihbvpqekvuuhwtvrje.exe"	orxakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbnwmxitlqnp = "dvqihbvpqekvuuhwtvrje.exe"	orxakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	orxakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hnwcpxfnc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ofzqohattglvtsesopkb.exe"	orxakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbnwmxitlqnp = "hvmavlbroyahcyhsl.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbnwmxitlqnp = "ofzqohattglvtsesopkb.exe"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbnwmxitlqnp = "brkaxphzykoxusdqllf.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbnwmxitlqnp = "dvqihbvpqekvuuhwtvrje.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbnwmxitlqnp = "andqkzodzijpjemw.exe"	orxakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hnwcpxfnc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brkaxphzykoxusdqllf.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbnwmxitlqnp = "brkaxphzykoxusdqllf.exe"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hnwcpxfnc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dvqihbvpqekvuuhwtvrje.exe"	orxakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbnwmxitlqnp = "qfxmizqhfqtbxueqkj.exe"	orxakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hnwcpxfnc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\andqkzodzijpjemw.exe"	orxakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbnwmxitlqnp = "qfxmizqhfqtbxueqkj.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hnwcpxfnc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ofzqohattglvtsesopkb.exe"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	orxakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbnwmxitlqnp = "dvqihbvpqekvuuhwtvrje.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hnwcpxfnc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dvqihbvpqekvuuhwtvrje.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbnwmxitlqnp = "ofzqohattglvtsesopkb.exe"	orxakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbnwmxitlqnp = "andqkzodzijpjemw.exe"	abqgjobtkla.exe

Disables RegEdit via registry modification 6 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	abqgjobtkla.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	orxakp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	orxakp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	orxakp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	orxakp.exe

Checks computer location settings 2 TTPs 55 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	hvmavlbroyahcyhsl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	hvmavlbroyahcyhsl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	qfxmizqhfqtbxueqkj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	qfxmizqhfqtbxueqkj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	dvqihbvpqekvuuhwtvrje.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ofzqohattglvtsesopkb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	dvqihbvpqekvuuhwtvrje.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	qfxmizqhfqtbxueqkj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	brkaxphzykoxusdqllf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ofzqohattglvtsesopkb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	andqkzodzijpjemw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	qfxmizqhfqtbxueqkj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	qfxmizqhfqtbxueqkj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	brkaxphzykoxusdqllf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	andqkzodzijpjemw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	dvqihbvpqekvuuhwtvrje.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	andqkzodzijpjemw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	brkaxphzykoxusdqllf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	hvmavlbroyahcyhsl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	qfxmizqhfqtbxueqkj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	qfxmizqhfqtbxueqkj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	andqkzodzijpjemw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	qfxmizqhfqtbxueqkj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	andqkzodzijpjemw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	brkaxphzykoxusdqllf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ofzqohattglvtsesopkb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	brkaxphzykoxusdqllf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	qfxmizqhfqtbxueqkj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ofzqohattglvtsesopkb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	brkaxphzykoxusdqllf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	abqgjobtkla.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ofzqohattglvtsesopkb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	andqkzodzijpjemw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	hvmavlbroyahcyhsl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	dvqihbvpqekvuuhwtvrje.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	dvqihbvpqekvuuhwtvrje.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	dvqihbvpqekvuuhwtvrje.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	JaffaCakes118_90de3ac81eff9a54a44eb7aca77d1737.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	brkaxphzykoxusdqllf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	qfxmizqhfqtbxueqkj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	andqkzodzijpjemw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	dvqihbvpqekvuuhwtvrje.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	qfxmizqhfqtbxueqkj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	hvmavlbroyahcyhsl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	hvmavlbroyahcyhsl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	andqkzodzijpjemw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	hvmavlbroyahcyhsl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	qfxmizqhfqtbxueqkj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	dvqihbvpqekvuuhwtvrje.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	andqkzodzijpjemw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	dvqihbvpqekvuuhwtvrje.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	andqkzodzijpjemw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	brkaxphzykoxusdqllf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	qfxmizqhfqtbxueqkj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	andqkzodzijpjemw.exe

Executes dropped EXE 64 IoCs

pid	Process
2204	abqgjobtkla.exe
4852	dvqihbvpqekvuuhwtvrje.exe
3600	brkaxphzykoxusdqllf.exe
1424	qfxmizqhfqtbxueqkj.exe
4976	hvmavlbroyahcyhsl.exe
2924	hvmavlbroyahcyhsl.exe
4052	abqgjobtkla.exe
4120	abqgjobtkla.exe
2520	qfxmizqhfqtbxueqkj.exe
1744	abqgjobtkla.exe
3884	ofzqohattglvtsesopkb.exe
4428	ofzqohattglvtsesopkb.exe
4136	orxakp.exe
4956	abqgjobtkla.exe
2680	orxakp.exe
4308	qfxmizqhfqtbxueqkj.exe
452	andqkzodzijpjemw.exe
2148	brkaxphzykoxusdqllf.exe
372	abqgjobtkla.exe
4620	ofzqohattglvtsesopkb.exe
1676	qfxmizqhfqtbxueqkj.exe
2240	qfxmizqhfqtbxueqkj.exe
4428	abqgjobtkla.exe
4812	qfxmizqhfqtbxueqkj.exe
4836	andqkzodzijpjemw.exe
3540	dvqihbvpqekvuuhwtvrje.exe
4848	abqgjobtkla.exe
3760	qfxmizqhfqtbxueqkj.exe
3228	andqkzodzijpjemw.exe
4740	abqgjobtkla.exe
3076	abqgjobtkla.exe
4204	hvmavlbroyahcyhsl.exe
1740	qfxmizqhfqtbxueqkj.exe
2812	qfxmizqhfqtbxueqkj.exe
4812	dvqihbvpqekvuuhwtvrje.exe
4456	brkaxphzykoxusdqllf.exe
2732	andqkzodzijpjemw.exe
3444	dvqihbvpqekvuuhwtvrje.exe
1480	abqgjobtkla.exe
744	abqgjobtkla.exe
2160	abqgjobtkla.exe
4520	qfxmizqhfqtbxueqkj.exe
2144	qfxmizqhfqtbxueqkj.exe
1816	andqkzodzijpjemw.exe
3280	abqgjobtkla.exe
804	andqkzodzijpjemw.exe
1880	abqgjobtkla.exe
5088	hvmavlbroyahcyhsl.exe
3164	dvqihbvpqekvuuhwtvrje.exe
548	abqgjobtkla.exe
3452	abqgjobtkla.exe
664	andqkzodzijpjemw.exe
4168	andqkzodzijpjemw.exe
4456	abqgjobtkla.exe
3228	andqkzodzijpjemw.exe
4304	brkaxphzykoxusdqllf.exe
4428	abqgjobtkla.exe
1316	ofzqohattglvtsesopkb.exe
1992	qfxmizqhfqtbxueqkj.exe
2468	hvmavlbroyahcyhsl.exe
2280	hvmavlbroyahcyhsl.exe
4408	brkaxphzykoxusdqllf.exe
2356	abqgjobtkla.exe
1520	abqgjobtkla.exe

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	orxakp.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	orxakp.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	orxakp.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	orxakp.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	orxakp.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	orxakp.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

defense_evasion persistence privilege_escalation

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vdowlvfpgkg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dvqihbvpqekvuuhwtvrje.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vdowlvfpgkg = "brkaxphzykoxusdqllf.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sdrcuhuhbihldw = "hvmavlbroyahcyhsl.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vdowlvfpgkg = "andqkzodzijpjemw.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vdowlvfpgkg = "brkaxphzykoxusdqllf.exe ."	orxakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vhwibpdrmuuzsmt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brkaxphzykoxusdqllf.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ahrymvendg = "ofzqohattglvtsesopkb.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ahrymvendg = "dvqihbvpqekvuuhwtvrje.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rboypbnzsywzq = "andqkzodzijpjemw.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vdowlvfpgkg = "andqkzodzijpjemw.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sdrcuhuhbihldw = "ofzqohattglvtsesopkb.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vdowlvfpgkg = "hvmavlbroyahcyhsl.exe ."	orxakp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ahrymvendg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\andqkzodzijpjemw.exe"	orxakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vhwibpdrmuuzsmt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\andqkzodzijpjemw.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vhwibpdrmuuzsmt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qfxmizqhfqtbxueqkj.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sdrcuhuhbihldw = "qfxmizqhfqtbxueqkj.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rboypbnzsywzq = "andqkzodzijpjemw.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\andqkzodzijpjemw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qfxmizqhfqtbxueqkj.exe"	orxakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ahrymvendg = "brkaxphzykoxusdqllf.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vdowlvfpgkg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qfxmizqhfqtbxueqkj.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vdowlvfpgkg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qfxmizqhfqtbxueqkj.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ahrymvendg = "qfxmizqhfqtbxueqkj.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sdrcuhuhbihldw = "qfxmizqhfqtbxueqkj.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sdrcuhuhbihldw = "brkaxphzykoxusdqllf.exe ."	orxakp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sdrcuhuhbihldw = "andqkzodzijpjemw.exe ."	orxakp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vdowlvfpgkg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dvqihbvpqekvuuhwtvrje.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\andqkzodzijpjemw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hvmavlbroyahcyhsl.exe"	orxakp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rboypbnzsywzq = "hvmavlbroyahcyhsl.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\andqkzodzijpjemw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hvmavlbroyahcyhsl.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ahrymvendg = "qfxmizqhfqtbxueqkj.exe"	orxakp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sdrcuhuhbihldw = "dvqihbvpqekvuuhwtvrje.exe ."	orxakp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rboypbnzsywzq = "hvmavlbroyahcyhsl.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vhwibpdrmuuzsmt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\andqkzodzijpjemw.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vdowlvfpgkg = "qfxmizqhfqtbxueqkj.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vdowlvfpgkg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ofzqohattglvtsesopkb.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\andqkzodzijpjemw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qfxmizqhfqtbxueqkj.exe"	orxakp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sdrcuhuhbihldw = "brkaxphzykoxusdqllf.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vdowlvfpgkg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\andqkzodzijpjemw.exe ."	orxakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\andqkzodzijpjemw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qfxmizqhfqtbxueqkj.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\andqkzodzijpjemw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ofzqohattglvtsesopkb.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vdowlvfpgkg = "dvqihbvpqekvuuhwtvrje.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vhwibpdrmuuzsmt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\andqkzodzijpjemw.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ahrymvendg = "dvqihbvpqekvuuhwtvrje.exe"	orxakp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ahrymvendg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hvmavlbroyahcyhsl.exe"	orxakp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ahrymvendg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qfxmizqhfqtbxueqkj.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ahrymvendg = "hvmavlbroyahcyhsl.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ahrymvendg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brkaxphzykoxusdqllf.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vdowlvfpgkg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brkaxphzykoxusdqllf.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ahrymvendg = "andqkzodzijpjemw.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\andqkzodzijpjemw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hvmavlbroyahcyhsl.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rboypbnzsywzq = "ofzqohattglvtsesopkb.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\andqkzodzijpjemw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hvmavlbroyahcyhsl.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vhwibpdrmuuzsmt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brkaxphzykoxusdqllf.exe ."	orxakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vdowlvfpgkg = "dvqihbvpqekvuuhwtvrje.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sdrcuhuhbihldw = "dvqihbvpqekvuuhwtvrje.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ahrymvendg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dvqihbvpqekvuuhwtvrje.exe"	orxakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\andqkzodzijpjemw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qfxmizqhfqtbxueqkj.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rboypbnzsywzq = "qfxmizqhfqtbxueqkj.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ahrymvendg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qfxmizqhfqtbxueqkj.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ahrymvendg = "hvmavlbroyahcyhsl.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vhwibpdrmuuzsmt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hvmavlbroyahcyhsl.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ahrymvendg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qfxmizqhfqtbxueqkj.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vdowlvfpgkg = "brkaxphzykoxusdqllf.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ahrymvendg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ofzqohattglvtsesopkb.exe"	abqgjobtkla.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	orxakp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	orxakp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	orxakp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	orxakp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs

Possible Turn off User Account Control's privilege elevation for standard users.

Executable Installer File Permissions Weakness

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	orxakp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	orxakp.exe

Looks up external IP address via web service 8 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
39	whatismyip.everdot.org
43	whatismyip.everdot.org
56	www.whatismyip.ca
24	www.showmyipaddress.com
27	www.whatismyip.ca
28	whatismyip.everdot.org
29	whatismyipaddress.com
35	www.whatismyip.ca

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ofzqohattglvtsesopkb.exe	abqgjobtkla.exe
File created	C:\Windows\SysWOW64\dvqihbvpqekvuuhwtvrje.exe	abqgjobtkla.exe
File created	C:\Windows\SysWOW64\hvmavlbroyahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\dvqihbvpqekvuuhwtvrje.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\brkaxphzykoxusdqllf.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\dvqihbvpqekvuuhwtvrje.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\brkaxphzykoxusdqllf.exe	abqgjobtkla.exe
File created	C:\Windows\SysWOW64\brkaxphzykoxusdqllf.exe	abqgjobtkla.exe
File created	C:\Windows\SysWOW64\ofzqohattglvtsesopkb.exe	abqgjobtkla.exe
File created	C:\Windows\SysWOW64\andqkzodzijpjemw.exe	abqgjobtkla.exe
File created	C:\Windows\SysWOW64\unjccxsnpelxxymcadatpi.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\hvmavlbroyahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\unjccxsnpelxxymcadatpi.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\unjccxsnpelxxymcadatpi.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\andqkzodzijpjemw.exe	abqgjobtkla.exe
File created	C:\Windows\SysWOW64\qfxmizqhfqtbxueqkj.exe	abqgjobtkla.exe
File created	C:\Windows\SysWOW64\ofzqohattglvtsesopkb.exe	orxakp.exe
File opened for modification	C:\Windows\SysWOW64\andqkzodzijpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\unjccxsnpelxxymcadatpi.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ofzqohattglvtsesopkb.exe	abqgjobtkla.exe
File created	C:\Windows\SysWOW64\ofzqohattglvtsesopkb.exe	abqgjobtkla.exe
File created	C:\Windows\SysWOW64\dvqihbvpqekvuuhwtvrje.exe	abqgjobtkla.exe
File created	C:\Windows\SysWOW64\unjccxsnpelxxymcadatpi.exe	abqgjobtkla.exe
File created	C:\Windows\SysWOW64\ihjiopqrzuhzfmgcgpsrtsyz.bje	orxakp.exe
File created	C:\Windows\SysWOW64\qfxmizqhfqtbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\qfxmizqhfqtbxueqkj.exe	abqgjobtkla.exe
File created	C:\Windows\SysWOW64\hvmavlbroyahcyhsl.exe	abqgjobtkla.exe
File created	C:\Windows\SysWOW64\hvmavlbroyahcyhsl.exe	abqgjobtkla.exe
File created	C:\Windows\SysWOW64\unjccxsnpelxxymcadatpi.exe	abqgjobtkla.exe
File created	C:\Windows\SysWOW64\andqkzodzijpjemw.exe	orxakp.exe
File created	C:\Windows\SysWOW64\ofzqohattglvtsesopkb.exe	abqgjobtkla.exe
File created	C:\Windows\SysWOW64\brkaxphzykoxusdqllf.exe	orxakp.exe
File opened for modification	C:\Windows\SysWOW64\ofzqohattglvtsesopkb.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\unjccxsnpelxxymcadatpi.exe	abqgjobtkla.exe
File created	C:\Windows\SysWOW64\qfxmizqhfqtbxueqkj.exe	abqgjobtkla.exe
File created	C:\Windows\SysWOW64\ofzqohattglvtsesopkb.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\dvqihbvpqekvuuhwtvrje.exe	abqgjobtkla.exe
File created	C:\Windows\SysWOW64\qfxmizqhfqtbxueqkj.exe	abqgjobtkla.exe
File created	C:\Windows\SysWOW64\ofzqohattglvtsesopkb.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\dvqihbvpqekvuuhwtvrje.exe	abqgjobtkla.exe
File created	C:\Windows\SysWOW64\brkaxphzykoxusdqllf.exe	abqgjobtkla.exe
File created	C:\Windows\SysWOW64\andqkzodzijpjemw.exe	abqgjobtkla.exe
File created	C:\Windows\SysWOW64\andqkzodzijpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ihjiopqrzuhzfmgcgpsrtsyz.bje	orxakp.exe
File opened for modification	C:\Windows\SysWOW64\dvqihbvpqekvuuhwtvrje.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\qfxmizqhfqtbxueqkj.exe	orxakp.exe
File opened for modification	C:\Windows\SysWOW64\brkaxphzykoxusdqllf.exe	abqgjobtkla.exe
File created	C:\Windows\SysWOW64\hvmavlbroyahcyhsl.exe	abqgjobtkla.exe
File created	C:\Windows\SysWOW64\brkaxphzykoxusdqllf.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\andqkzodzijpjemw.exe	abqgjobtkla.exe
File created	C:\Windows\SysWOW64\dvqihbvpqekvuuhwtvrje.exe	abqgjobtkla.exe
File created	C:\Windows\SysWOW64\brkaxphzykoxusdqllf.exe	abqgjobtkla.exe
File created	C:\Windows\SysWOW64\unjccxsnpelxxymcadatpi.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\hvmavlbroyahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ofzqohattglvtsesopkb.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\hvmavlbroyahcyhsl.exe	abqgjobtkla.exe
File created	C:\Windows\SysWOW64\qfxmizqhfqtbxueqkj.exe	abqgjobtkla.exe
File created	C:\Windows\SysWOW64\unjccxsnpelxxymcadatpi.exe	abqgjobtkla.exe
File created	C:\Windows\SysWOW64\qfxmizqhfqtbxueqkj.exe	orxakp.exe
File opened for modification	C:\Windows\SysWOW64\unjccxsnpelxxymcadatpi.exe	abqgjobtkla.exe
File created	C:\Windows\SysWOW64\hvmavlbroyahcyhsl.exe	orxakp.exe
File created	C:\Windows\SysWOW64\hvmavlbroyahcyhsl.exe	abqgjobtkla.exe
File created	C:\Windows\SysWOW64\hvmavlbroyahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\qfxmizqhfqtbxueqkj.exe	abqgjobtkla.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\ihjiopqrzuhzfmgcgpsrtsyz.bje	orxakp.exe
File created	C:\Program Files (x86)\ihjiopqrzuhzfmgcgpsrtsyz.bje	orxakp.exe
File opened for modification	C:\Program Files (x86)\rboypbnzsywzqinujdrboypbnzsywzqinuj.rbo	orxakp.exe
File created	C:\Program Files (x86)\rboypbnzsywzqinujdrboypbnzsywzqinuj.rbo	orxakp.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\qfxmizqhfqtbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\brkaxphzykoxusdqllf.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ofzqohattglvtsesopkb.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\brkaxphzykoxusdqllf.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\andqkzodzijpjemw.exe	orxakp.exe
File opened for modification	C:\Windows\andqkzodzijpjemw.exe	orxakp.exe
File opened for modification	C:\Windows\hvmavlbroyahcyhsl.exe	orxakp.exe
File opened for modification	C:\Windows\qfxmizqhfqtbxueqkj.exe	orxakp.exe
File opened for modification	C:\Windows\brkaxphzykoxusdqllf.exe	orxakp.exe
File created	C:\Windows\qfxmizqhfqtbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\rboypbnzsywzqinujdrboypbnzsywzqinuj.rbo	orxakp.exe
File opened for modification	C:\Windows\dvqihbvpqekvuuhwtvrje.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\unjccxsnpelxxymcadatpi.exe	abqgjobtkla.exe
File created	C:\Windows\brkaxphzykoxusdqllf.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\dvqihbvpqekvuuhwtvrje.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ofzqohattglvtsesopkb.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\andqkzodzijpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ofzqohattglvtsesopkb.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\brkaxphzykoxusdqllf.exe	abqgjobtkla.exe
File created	C:\Windows\hvmavlbroyahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ofzqohattglvtsesopkb.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\brkaxphzykoxusdqllf.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\dvqihbvpqekvuuhwtvrje.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\qfxmizqhfqtbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\unjccxsnpelxxymcadatpi.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\qfxmizqhfqtbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\dvqihbvpqekvuuhwtvrje.exe	abqgjobtkla.exe
File created	C:\Windows\ofzqohattglvtsesopkb.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\andqkzodzijpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\hvmavlbroyahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\andqkzodzijpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\hvmavlbroyahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\andqkzodzijpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\hvmavlbroyahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\qfxmizqhfqtbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\qfxmizqhfqtbxueqkj.exe	abqgjobtkla.exe
File created	C:\Windows\rboypbnzsywzqinujdrboypbnzsywzqinuj.rbo	orxakp.exe
File opened for modification	C:\Windows\andqkzodzijpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\unjccxsnpelxxymcadatpi.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\unjccxsnpelxxymcadatpi.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\brkaxphzykoxusdqllf.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\dvqihbvpqekvuuhwtvrje.exe	abqgjobtkla.exe
File created	C:\Windows\brkaxphzykoxusdqllf.exe	abqgjobtkla.exe
File created	C:\Windows\unjccxsnpelxxymcadatpi.exe	abqgjobtkla.exe
File created	C:\Windows\ofzqohattglvtsesopkb.exe	orxakp.exe
File opened for modification	C:\Windows\qfxmizqhfqtbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\hvmavlbroyahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ofzqohattglvtsesopkb.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ofzqohattglvtsesopkb.exe	orxakp.exe
File opened for modification	C:\Windows\andqkzodzijpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\brkaxphzykoxusdqllf.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ofzqohattglvtsesopkb.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\andqkzodzijpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\hvmavlbroyahcyhsl.exe	abqgjobtkla.exe
File created	C:\Windows\qfxmizqhfqtbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\unjccxsnpelxxymcadatpi.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\hvmavlbroyahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ofzqohattglvtsesopkb.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\dvqihbvpqekvuuhwtvrje.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\unjccxsnpelxxymcadatpi.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\unjccxsnpelxxymcadatpi.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\hvmavlbroyahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\brkaxphzykoxusdqllf.exe	orxakp.exe
File opened for modification	C:\Windows\unjccxsnpelxxymcadatpi.exe	orxakp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	brkaxphzykoxusdqllf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	andqkzodzijpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	andqkzodzijpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	brkaxphzykoxusdqllf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dvqihbvpqekvuuhwtvrje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dvqihbvpqekvuuhwtvrje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ofzqohattglvtsesopkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hvmavlbroyahcyhsl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qfxmizqhfqtbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qfxmizqhfqtbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dvqihbvpqekvuuhwtvrje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dvqihbvpqekvuuhwtvrje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	brkaxphzykoxusdqllf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qfxmizqhfqtbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dvqihbvpqekvuuhwtvrje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ofzqohattglvtsesopkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	brkaxphzykoxusdqllf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	andqkzodzijpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dvqihbvpqekvuuhwtvrje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hvmavlbroyahcyhsl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qfxmizqhfqtbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	andqkzodzijpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	andqkzodzijpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	andqkzodzijpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qfxmizqhfqtbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hvmavlbroyahcyhsl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	brkaxphzykoxusdqllf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hvmavlbroyahcyhsl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hvmavlbroyahcyhsl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dvqihbvpqekvuuhwtvrje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ofzqohattglvtsesopkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qfxmizqhfqtbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qfxmizqhfqtbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	brkaxphzykoxusdqllf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qfxmizqhfqtbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hvmavlbroyahcyhsl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abqgjobtkla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dvqihbvpqekvuuhwtvrje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ofzqohattglvtsesopkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	brkaxphzykoxusdqllf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	andqkzodzijpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	andqkzodzijpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hvmavlbroyahcyhsl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qfxmizqhfqtbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dvqihbvpqekvuuhwtvrje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qfxmizqhfqtbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ofzqohattglvtsesopkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	brkaxphzykoxusdqllf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_90de3ac81eff9a54a44eb7aca77d1737.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hvmavlbroyahcyhsl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ofzqohattglvtsesopkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ofzqohattglvtsesopkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dvqihbvpqekvuuhwtvrje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qfxmizqhfqtbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qfxmizqhfqtbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	orxakp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dvqihbvpqekvuuhwtvrje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qfxmizqhfqtbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	andqkzodzijpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	andqkzodzijpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qfxmizqhfqtbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	andqkzodzijpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	andqkzodzijpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	brkaxphzykoxusdqllf.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

pid	Process
2288	JaffaCakes118_90de3ac81eff9a54a44eb7aca77d1737.exe
2288	JaffaCakes118_90de3ac81eff9a54a44eb7aca77d1737.exe
2288	JaffaCakes118_90de3ac81eff9a54a44eb7aca77d1737.exe
2288	JaffaCakes118_90de3ac81eff9a54a44eb7aca77d1737.exe
2288	JaffaCakes118_90de3ac81eff9a54a44eb7aca77d1737.exe
2288	JaffaCakes118_90de3ac81eff9a54a44eb7aca77d1737.exe
2288	JaffaCakes118_90de3ac81eff9a54a44eb7aca77d1737.exe
2288	JaffaCakes118_90de3ac81eff9a54a44eb7aca77d1737.exe
2288	JaffaCakes118_90de3ac81eff9a54a44eb7aca77d1737.exe
2288	JaffaCakes118_90de3ac81eff9a54a44eb7aca77d1737.exe
2288	JaffaCakes118_90de3ac81eff9a54a44eb7aca77d1737.exe
2288	JaffaCakes118_90de3ac81eff9a54a44eb7aca77d1737.exe
2288	JaffaCakes118_90de3ac81eff9a54a44eb7aca77d1737.exe
2288	JaffaCakes118_90de3ac81eff9a54a44eb7aca77d1737.exe
2288	JaffaCakes118_90de3ac81eff9a54a44eb7aca77d1737.exe
2288	JaffaCakes118_90de3ac81eff9a54a44eb7aca77d1737.exe
2288	JaffaCakes118_90de3ac81eff9a54a44eb7aca77d1737.exe
2288	JaffaCakes118_90de3ac81eff9a54a44eb7aca77d1737.exe
4136	orxakp.exe
4136	orxakp.exe
2288	JaffaCakes118_90de3ac81eff9a54a44eb7aca77d1737.exe
2288	JaffaCakes118_90de3ac81eff9a54a44eb7aca77d1737.exe
2288	JaffaCakes118_90de3ac81eff9a54a44eb7aca77d1737.exe
2288	JaffaCakes118_90de3ac81eff9a54a44eb7aca77d1737.exe
2288	JaffaCakes118_90de3ac81eff9a54a44eb7aca77d1737.exe
2288	JaffaCakes118_90de3ac81eff9a54a44eb7aca77d1737.exe
2288	JaffaCakes118_90de3ac81eff9a54a44eb7aca77d1737.exe
2288	JaffaCakes118_90de3ac81eff9a54a44eb7aca77d1737.exe
2288	JaffaCakes118_90de3ac81eff9a54a44eb7aca77d1737.exe
2288	JaffaCakes118_90de3ac81eff9a54a44eb7aca77d1737.exe
2288	JaffaCakes118_90de3ac81eff9a54a44eb7aca77d1737.exe
2288	JaffaCakes118_90de3ac81eff9a54a44eb7aca77d1737.exe
2288	JaffaCakes118_90de3ac81eff9a54a44eb7aca77d1737.exe
2288	JaffaCakes118_90de3ac81eff9a54a44eb7aca77d1737.exe
2288	JaffaCakes118_90de3ac81eff9a54a44eb7aca77d1737.exe
2288	JaffaCakes118_90de3ac81eff9a54a44eb7aca77d1737.exe
2288	JaffaCakes118_90de3ac81eff9a54a44eb7aca77d1737.exe
2288	JaffaCakes118_90de3ac81eff9a54a44eb7aca77d1737.exe
2288	JaffaCakes118_90de3ac81eff9a54a44eb7aca77d1737.exe
2288	JaffaCakes118_90de3ac81eff9a54a44eb7aca77d1737.exe
2288	JaffaCakes118_90de3ac81eff9a54a44eb7aca77d1737.exe
2288	JaffaCakes118_90de3ac81eff9a54a44eb7aca77d1737.exe
2288	JaffaCakes118_90de3ac81eff9a54a44eb7aca77d1737.exe
2288	JaffaCakes118_90de3ac81eff9a54a44eb7aca77d1737.exe
2288	JaffaCakes118_90de3ac81eff9a54a44eb7aca77d1737.exe
2288	JaffaCakes118_90de3ac81eff9a54a44eb7aca77d1737.exe
2288	JaffaCakes118_90de3ac81eff9a54a44eb7aca77d1737.exe
2288	JaffaCakes118_90de3ac81eff9a54a44eb7aca77d1737.exe
4136	orxakp.exe
4136	orxakp.exe
2288	JaffaCakes118_90de3ac81eff9a54a44eb7aca77d1737.exe
2288	JaffaCakes118_90de3ac81eff9a54a44eb7aca77d1737.exe
2288	JaffaCakes118_90de3ac81eff9a54a44eb7aca77d1737.exe
2288	JaffaCakes118_90de3ac81eff9a54a44eb7aca77d1737.exe
2288	JaffaCakes118_90de3ac81eff9a54a44eb7aca77d1737.exe
2288	JaffaCakes118_90de3ac81eff9a54a44eb7aca77d1737.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4136	orxakp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 2204	2288	JaffaCakes118_90de3ac81eff9a54a44eb7aca77d1737.exe	89
PID 2288 wrote to memory of 2204	2288	JaffaCakes118_90de3ac81eff9a54a44eb7aca77d1737.exe	89
PID 2288 wrote to memory of 2204	2288	JaffaCakes118_90de3ac81eff9a54a44eb7aca77d1737.exe	89
PID 4456 wrote to memory of 4852	4456	cmd.exe	92
PID 4456 wrote to memory of 4852	4456	cmd.exe	92
PID 4456 wrote to memory of 4852	4456	cmd.exe	92
PID 3384 wrote to memory of 3600	3384	cmd.exe	96
PID 3384 wrote to memory of 3600	3384	cmd.exe	96
PID 3384 wrote to memory of 3600	3384	cmd.exe	96
PID 4800 wrote to memory of 1424	4800	cmd.exe	102
PID 4800 wrote to memory of 1424	4800	cmd.exe	102
PID 4800 wrote to memory of 1424	4800	cmd.exe	102
PID 752 wrote to memory of 4976	752	cmd.exe	105
PID 752 wrote to memory of 4976	752	cmd.exe	105
PID 752 wrote to memory of 4976	752	cmd.exe	105
PID 2360 wrote to memory of 2924	2360	cmd.exe	251
PID 2360 wrote to memory of 2924	2360	cmd.exe	251
PID 2360 wrote to memory of 2924	2360	cmd.exe	251
PID 4976 wrote to memory of 4052	4976	hvmavlbroyahcyhsl.exe	108
PID 4976 wrote to memory of 4052	4976	hvmavlbroyahcyhsl.exe	108
PID 4976 wrote to memory of 4052	4976	hvmavlbroyahcyhsl.exe	108
PID 3600 wrote to memory of 4120	3600	brkaxphzykoxusdqllf.exe	110
PID 3600 wrote to memory of 4120	3600	brkaxphzykoxusdqllf.exe	110
PID 3600 wrote to memory of 4120	3600	brkaxphzykoxusdqllf.exe	110
PID 1036 wrote to memory of 2520	1036	cmd.exe	291
PID 1036 wrote to memory of 2520	1036	cmd.exe	291
PID 1036 wrote to memory of 2520	1036	cmd.exe	291
PID 2520 wrote to memory of 1744	2520	qfxmizqhfqtbxueqkj.exe	114
PID 2520 wrote to memory of 1744	2520	qfxmizqhfqtbxueqkj.exe	114
PID 2520 wrote to memory of 1744	2520	qfxmizqhfqtbxueqkj.exe	114
PID 3468 wrote to memory of 3884	3468	cmd.exe	115
PID 3468 wrote to memory of 3884	3468	cmd.exe	115
PID 3468 wrote to memory of 3884	3468	cmd.exe	115
PID 4872 wrote to memory of 4428	4872	cmd.exe	227
PID 4872 wrote to memory of 4428	4872	cmd.exe	227
PID 4872 wrote to memory of 4428	4872	cmd.exe	227
PID 2204 wrote to memory of 4136	2204	abqgjobtkla.exe	117
PID 2204 wrote to memory of 4136	2204	abqgjobtkla.exe	117
PID 2204 wrote to memory of 4136	2204	abqgjobtkla.exe	117
PID 4428 wrote to memory of 4956	4428	ofzqohattglvtsesopkb.exe	118
PID 4428 wrote to memory of 4956	4428	ofzqohattglvtsesopkb.exe	118
PID 4428 wrote to memory of 4956	4428	ofzqohattglvtsesopkb.exe	118
PID 2204 wrote to memory of 2680	2204	abqgjobtkla.exe	120
PID 2204 wrote to memory of 2680	2204	abqgjobtkla.exe	120
PID 2204 wrote to memory of 2680	2204	abqgjobtkla.exe	120
PID 4492 wrote to memory of 4308	4492	cmd.exe	127
PID 4492 wrote to memory of 4308	4492	cmd.exe	127
PID 4492 wrote to memory of 4308	4492	cmd.exe	127
PID 1128 wrote to memory of 452	1128	cmd.exe	131
PID 1128 wrote to memory of 452	1128	cmd.exe	131
PID 1128 wrote to memory of 452	1128	cmd.exe	131
PID 4540 wrote to memory of 2148	4540	cmd.exe	253
PID 4540 wrote to memory of 2148	4540	cmd.exe	253
PID 4540 wrote to memory of 2148	4540	cmd.exe	253
PID 2148 wrote to memory of 372	2148	brkaxphzykoxusdqllf.exe	358
PID 2148 wrote to memory of 372	2148	brkaxphzykoxusdqllf.exe	358
PID 2148 wrote to memory of 372	2148	brkaxphzykoxusdqllf.exe	358
PID 3408 wrote to memory of 4620	3408	cmd.exe	349
PID 3408 wrote to memory of 4620	3408	cmd.exe	349
PID 3408 wrote to memory of 4620	3408	cmd.exe	349
PID 2932 wrote to memory of 1676	2932	cmd.exe	246
PID 2932 wrote to memory of 1676	2932	cmd.exe	246
PID 2932 wrote to memory of 1676	2932	cmd.exe	246
PID 3128 wrote to memory of 2240	3128	cmd.exe	154

System policy modification 1 TTPs 54 IoCs

defense_evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	orxakp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	orxakp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	orxakp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	orxakp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	orxakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	orxakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	orxakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	orxakp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	orxakp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	orxakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	orxakp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	orxakp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	orxakp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	orxakp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	orxakp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	orxakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	orxakp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	orxakp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	orxakp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	orxakp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	orxakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	orxakp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	orxakp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	orxakp.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_90de3ac81eff9a54a44eb7aca77d1737.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_90de3ac81eff9a54a44eb7aca77d1737.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
  "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_90de3ac81eff9a54a44eb7aca77d1737.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2204
- - C:\Users\Admin\AppData\Local\Temp\orxakp.exe
    "C:\Users\Admin\AppData\Local\Temp\orxakp.exe" "-c:\users\admin\appdata\local\temp\jaffacakes118_90de3ac81eff9a54a44eb7aca77d1737.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:4136
- - C:\Users\Admin\AppData\Local\Temp\orxakp.exe
    "C:\Users\Admin\AppData\Local\Temp\orxakp.exe" "-c:\users\admin\appdata\local\temp\jaffacakes118_90de3ac81eff9a54a44eb7aca77d1737.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvqihbvpqekvuuhwtvrje.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4456
- C:\Windows\dvqihbvpqekvuuhwtvrje.exe
  dvqihbvpqekvuuhwtvrje.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brkaxphzykoxusdqllf.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:3384
- C:\Windows\brkaxphzykoxusdqllf.exe
  brkaxphzykoxusdqllf.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3600
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\brkaxphzykoxusdqllf.exe*."
    3⤵
    - Executes dropped EXE
    PID:4120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfxmizqhfqtbxueqkj.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Windows\qfxmizqhfqtbxueqkj.exe
  qfxmizqhfqtbxueqkj.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hvmavlbroyahcyhsl.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:752
- C:\Windows\hvmavlbroyahcyhsl.exe
  hvmavlbroyahcyhsl.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4976
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\hvmavlbroyahcyhsl.exe*."
    3⤵
    - Executes dropped EXE
    PID:4052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:1036
- C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\qfxmizqhfqtbxueqkj.exe*."
    3⤵
    - Executes dropped EXE
    PID:1744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3468
- C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe
  C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:4872
- C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe
  C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4428
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ofzqohattglvtsesopkb.exe*."
    3⤵
    - Executes dropped EXE
    PID:4956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfxmizqhfqtbxueqkj.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4492
- C:\Windows\qfxmizqhfqtbxueqkj.exe
  qfxmizqhfqtbxueqkj.exe
  2⤵
  - Executes dropped EXE
  PID:4308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c andqkzodzijpjemw.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1128
- C:\Windows\andqkzodzijpjemw.exe
  andqkzodzijpjemw.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brkaxphzykoxusdqllf.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:4540
- C:\Windows\brkaxphzykoxusdqllf.exe
  brkaxphzykoxusdqllf.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\brkaxphzykoxusdqllf.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfxmizqhfqtbxueqkj.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Windows\qfxmizqhfqtbxueqkj.exe
  qfxmizqhfqtbxueqkj.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1676
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\qfxmizqhfqtbxueqkj.exe*."
    3⤵
    - Executes dropped EXE
    PID:4428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ofzqohattglvtsesopkb.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3408
- C:\Windows\ofzqohattglvtsesopkb.exe
  ofzqohattglvtsesopkb.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfxmizqhfqtbxueqkj.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:3128
- C:\Windows\qfxmizqhfqtbxueqkj.exe
  qfxmizqhfqtbxueqkj.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2240
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\qfxmizqhfqtbxueqkj.exe*."
    3⤵
    - Executes dropped EXE
    PID:4848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfxmizqhfqtbxueqkj.exe
1⤵
PID:3012
- C:\Windows\qfxmizqhfqtbxueqkj.exe
  qfxmizqhfqtbxueqkj.exe
  2⤵
  - Executes dropped EXE
  PID:4812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
1⤵
PID:3948
- C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
  2⤵
  - Executes dropped EXE
  PID:3760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c andqkzodzijpjemw.exe .
1⤵
PID:552
- C:\Windows\andqkzodzijpjemw.exe
  andqkzodzijpjemw.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4836
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\andqkzodzijpjemw.exe*."
    3⤵
    - Executes dropped EXE
    PID:3076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe .
1⤵
PID:4652
- C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3228
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\andqkzodzijpjemw.exe*."
    3⤵
    - Executes dropped EXE
    PID:4740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
1⤵
PID:1772
- C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
  C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe .
1⤵
PID:2312
- C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1740
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\qfxmizqhfqtbxueqkj.exe*."
    3⤵
    - Executes dropped EXE
    PID:744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
1⤵
PID:4352
- C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
  C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
  2⤵
  - Executes dropped EXE
  PID:4812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe .
1⤵
PID:940
- C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe
  C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4456
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\brkaxphzykoxusdqllf.exe*."
    3⤵
    - Executes dropped EXE
    PID:2160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
1⤵
PID:5112
- C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
  2⤵
  - Executes dropped EXE
  PID:2812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe .
1⤵
PID:4644
- C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2732
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\andqkzodzijpjemw.exe*."
    3⤵
    - Executes dropped EXE
    PID:1480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hvmavlbroyahcyhsl.exe
1⤵
PID:3996
- C:\Windows\hvmavlbroyahcyhsl.exe
  hvmavlbroyahcyhsl.exe
  2⤵
  - Executes dropped EXE
  PID:4204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvqihbvpqekvuuhwtvrje.exe .
1⤵
PID:2908
- C:\Windows\dvqihbvpqekvuuhwtvrje.exe
  dvqihbvpqekvuuhwtvrje.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3444
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\dvqihbvpqekvuuhwtvrje.exe*."
    3⤵
    - Executes dropped EXE
    PID:3280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c andqkzodzijpjemw.exe
1⤵
PID:2576
- C:\Windows\andqkzodzijpjemw.exe
  andqkzodzijpjemw.exe
  2⤵
  - Executes dropped EXE
  PID:1816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfxmizqhfqtbxueqkj.exe .
1⤵
PID:1680
- C:\Windows\qfxmizqhfqtbxueqkj.exe
  qfxmizqhfqtbxueqkj.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4520
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\qfxmizqhfqtbxueqkj.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
1⤵
PID:808
- C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
  2⤵
  - Executes dropped EXE
  PID:2144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe .
1⤵
PID:5048
- C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:804
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\andqkzodzijpjemw.exe*."
    3⤵
    - Executes dropped EXE
    PID:548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
1⤵
PID:828
- C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
  2⤵
  - Executes dropped EXE
  PID:5088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe .
1⤵
PID:4732
- C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
  C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3164
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\dvqihbvpqekvuuhwtvrje.exe*."
    3⤵
    - Executes dropped EXE
    PID:3452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c andqkzodzijpjemw.exe
1⤵
PID:3316
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2732
- C:\Windows\andqkzodzijpjemw.exe
  andqkzodzijpjemw.exe
  2⤵
  - Executes dropped EXE
  PID:664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c andqkzodzijpjemw.exe .
1⤵
PID:628
- C:\Windows\andqkzodzijpjemw.exe
  andqkzodzijpjemw.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4168
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\andqkzodzijpjemw.exe*."
    3⤵
    - Executes dropped EXE
    PID:4456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c andqkzodzijpjemw.exe
1⤵
PID:3764
- C:\Windows\andqkzodzijpjemw.exe
  andqkzodzijpjemw.exe
  2⤵
  - Executes dropped EXE
  PID:3228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brkaxphzykoxusdqllf.exe .
1⤵
PID:3876
- C:\Windows\brkaxphzykoxusdqllf.exe
  brkaxphzykoxusdqllf.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4304
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\brkaxphzykoxusdqllf.exe*."
    3⤵
    - Executes dropped EXE
    PID:4428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ofzqohattglvtsesopkb.exe
1⤵
PID:4820
- C:\Windows\ofzqohattglvtsesopkb.exe
  ofzqohattglvtsesopkb.exe
  2⤵
  - Executes dropped EXE
  PID:1316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
1⤵
PID:2624
- C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
  2⤵
  - Executes dropped EXE
  PID:1992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe .
1⤵
PID:2684
- C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2468
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\hvmavlbroyahcyhsl.exe*."
    3⤵
    - Executes dropped EXE
    PID:2356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hvmavlbroyahcyhsl.exe .
1⤵
PID:3448
- C:\Windows\hvmavlbroyahcyhsl.exe
  hvmavlbroyahcyhsl.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2280
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\hvmavlbroyahcyhsl.exe*."
    3⤵
    - Executes dropped EXE
    PID:1520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brkaxphzykoxusdqllf.exe
1⤵
PID:4472
- C:\Windows\brkaxphzykoxusdqllf.exe
  brkaxphzykoxusdqllf.exe
  2⤵
  - Executes dropped EXE
  PID:4408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brkaxphzykoxusdqllf.exe .
1⤵
PID:2368
- C:\Windows\brkaxphzykoxusdqllf.exe
  brkaxphzykoxusdqllf.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2924
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\brkaxphzykoxusdqllf.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
1⤵
PID:468
- C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
  2⤵
  PID:4600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brkaxphzykoxusdqllf.exe
1⤵
PID:4004
- C:\Windows\brkaxphzykoxusdqllf.exe
  brkaxphzykoxusdqllf.exe
  2⤵
  PID:4056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hvmavlbroyahcyhsl.exe .
1⤵
PID:3948
- C:\Windows\hvmavlbroyahcyhsl.exe
  hvmavlbroyahcyhsl.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:848
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\hvmavlbroyahcyhsl.exe*."
    3⤵
    PID:2304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe .
1⤵
PID:1676
- C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:720
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\hvmavlbroyahcyhsl.exe*."
    3⤵
    PID:4572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
1⤵
PID:4652
- C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
  2⤵
  PID:4960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brkaxphzykoxusdqllf.exe
1⤵
PID:2148
- C:\Windows\brkaxphzykoxusdqllf.exe
  brkaxphzykoxusdqllf.exe
  2⤵
  PID:3856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe .
1⤵
PID:1480
- C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe
  C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4316
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ofzqohattglvtsesopkb.exe*."
    3⤵
    PID:2060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvqihbvpqekvuuhwtvrje.exe .
1⤵
PID:2932
- C:\Windows\dvqihbvpqekvuuhwtvrje.exe
  dvqihbvpqekvuuhwtvrje.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4368
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\dvqihbvpqekvuuhwtvrje.exe*."
    3⤵
    PID:2880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
1⤵
PID:2740
- C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
  2⤵
  PID:1372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe .
1⤵
PID:1568
- C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4088
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\hvmavlbroyahcyhsl.exe*."
    3⤵
    PID:632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
1⤵
PID:808
- C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
  C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
  2⤵
  PID:2520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe .
1⤵
PID:3444
- C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe
  C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4556
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ofzqohattglvtsesopkb.exe*."
    3⤵
    PID:1216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe
1⤵
PID:372
- C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe
  2⤵
  PID:4452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brkaxphzykoxusdqllf.exe
1⤵
PID:4076
- C:\Windows\brkaxphzykoxusdqllf.exe
  brkaxphzykoxusdqllf.exe
  2⤵
  PID:1380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe .
1⤵
PID:2576
- C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4352
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\andqkzodzijpjemw.exe*."
    3⤵
    PID:1320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c andqkzodzijpjemw.exe .
1⤵
PID:3676
- C:\Windows\andqkzodzijpjemw.exe
  andqkzodzijpjemw.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4872
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\andqkzodzijpjemw.exe*."
    3⤵
    PID:4060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hvmavlbroyahcyhsl.exe
1⤵
PID:848
- C:\Windows\hvmavlbroyahcyhsl.exe
  hvmavlbroyahcyhsl.exe
  2⤵
  PID:3508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfxmizqhfqtbxueqkj.exe .
1⤵
PID:3276
- C:\Windows\qfxmizqhfqtbxueqkj.exe
  qfxmizqhfqtbxueqkj.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1740
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\qfxmizqhfqtbxueqkj.exe*."
    3⤵
    PID:3452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe
1⤵
PID:3068
- C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe
  C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe
  2⤵
  PID:2360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe .
1⤵
PID:1064
- C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4620
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\andqkzodzijpjemw.exe*."
    3⤵
    PID:3468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
1⤵
PID:4476
- C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
  2⤵
  PID:4088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe .
1⤵
PID:4368
- C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
  C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4432
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\dvqihbvpqekvuuhwtvrje.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfxmizqhfqtbxueqkj.exe
1⤵
PID:2384
- C:\Windows\qfxmizqhfqtbxueqkj.exe
  qfxmizqhfqtbxueqkj.exe
  2⤵
  PID:1508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hvmavlbroyahcyhsl.exe .
1⤵
PID:2628
- C:\Windows\hvmavlbroyahcyhsl.exe
  hvmavlbroyahcyhsl.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3076
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\hvmavlbroyahcyhsl.exe*."
    3⤵
    PID:4032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfxmizqhfqtbxueqkj.exe
1⤵
PID:4052
- C:\Windows\qfxmizqhfqtbxueqkj.exe
  qfxmizqhfqtbxueqkj.exe
  2⤵
  PID:2972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvqihbvpqekvuuhwtvrje.exe .
1⤵
PID:5088
- C:\Windows\dvqihbvpqekvuuhwtvrje.exe
  dvqihbvpqekvuuhwtvrje.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4352
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\dvqihbvpqekvuuhwtvrje.exe*."
    3⤵
    PID:2216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe
1⤵
PID:4544
- C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe
  C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe
  2⤵
  PID:3744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe .
1⤵
PID:4932
- C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5072
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\qfxmizqhfqtbxueqkj.exe*."
    3⤵
    PID:8

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
1⤵
PID:1352
- C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
  2⤵
  PID:1788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe .
1⤵
PID:4120
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3760
- C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
  C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3904
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\dvqihbvpqekvuuhwtvrje.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brkaxphzykoxusdqllf.exe
1⤵
PID:2332
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4620
- C:\Windows\brkaxphzykoxusdqllf.exe
  brkaxphzykoxusdqllf.exe
  2⤵
  PID:224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvqihbvpqekvuuhwtvrje.exe .
1⤵
PID:1800
- C:\Windows\dvqihbvpqekvuuhwtvrje.exe
  dvqihbvpqekvuuhwtvrje.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2204
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\dvqihbvpqekvuuhwtvrje.exe*."
    3⤵
    PID:2740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hvmavlbroyahcyhsl.exe
1⤵
PID:2520
- C:\Windows\hvmavlbroyahcyhsl.exe
  hvmavlbroyahcyhsl.exe
  2⤵
  PID:4368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvqihbvpqekvuuhwtvrje.exe .
1⤵
PID:372
- C:\Windows\dvqihbvpqekvuuhwtvrje.exe
  dvqihbvpqekvuuhwtvrje.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2600
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\dvqihbvpqekvuuhwtvrje.exe*."
    3⤵
    PID:3232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
1⤵
PID:2304
- C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
  2⤵
  PID:1460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe .
1⤵
PID:380
- C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3264
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\andqkzodzijpjemw.exe*."
    3⤵
    PID:4420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe
1⤵
PID:4052
- C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe
  2⤵
  PID:3444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe .
1⤵
PID:4812
- C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4028
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\qfxmizqhfqtbxueqkj.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hvmavlbroyahcyhsl.exe
1⤵
PID:3800
- C:\Windows\hvmavlbroyahcyhsl.exe
  hvmavlbroyahcyhsl.exe
  2⤵
  PID:3660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfxmizqhfqtbxueqkj.exe .
1⤵
PID:5088
- C:\Windows\qfxmizqhfqtbxueqkj.exe
  qfxmizqhfqtbxueqkj.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:828
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\qfxmizqhfqtbxueqkj.exe*."
    3⤵
    PID:4732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvqihbvpqekvuuhwtvrje.exe
1⤵
PID:4572
- C:\Windows\dvqihbvpqekvuuhwtvrje.exe
  dvqihbvpqekvuuhwtvrje.exe
  2⤵
  PID:3020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ofzqohattglvtsesopkb.exe .
1⤵
PID:4540
- C:\Windows\ofzqohattglvtsesopkb.exe
  ofzqohattglvtsesopkb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3220
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ofzqohattglvtsesopkb.exe*."
    3⤵
    PID:664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe
1⤵
PID:3452
- C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe
  C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe
  2⤵
  PID:2448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe .
1⤵
PID:544
- C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe
  C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4056
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\brkaxphzykoxusdqllf.exe*."
    3⤵
    PID:2160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe
1⤵
PID:632
- C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe
  C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe
  2⤵
  PID:1340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe .
1⤵
PID:4088
- C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe
  C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:216
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\brkaxphzykoxusdqllf.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ofzqohattglvtsesopkb.exe
1⤵
PID:2728
- C:\Windows\ofzqohattglvtsesopkb.exe
  ofzqohattglvtsesopkb.exe
  2⤵
  PID:1508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfxmizqhfqtbxueqkj.exe .
1⤵
PID:4308
- C:\Windows\qfxmizqhfqtbxueqkj.exe
  qfxmizqhfqtbxueqkj.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1600
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\qfxmizqhfqtbxueqkj.exe*."
    3⤵
    PID:4744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ofzqohattglvtsesopkb.exe
1⤵
PID:380
- C:\Windows\ofzqohattglvtsesopkb.exe
  ofzqohattglvtsesopkb.exe
  2⤵
  PID:3744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfxmizqhfqtbxueqkj.exe .
1⤵
PID:1320
- C:\Windows\qfxmizqhfqtbxueqkj.exe
  qfxmizqhfqtbxueqkj.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2684
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\qfxmizqhfqtbxueqkj.exe*."
    3⤵
    PID:884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
1⤵
PID:848
- C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
  2⤵
  PID:4964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe .
1⤵
PID:4936
- C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3544
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\andqkzodzijpjemw.exe*."
    3⤵
    PID:3800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
1⤵
PID:4520
- C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
  2⤵
  PID:1788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe .
1⤵
PID:2576
- C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3580
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\andqkzodzijpjemw.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c andqkzodzijpjemw.exe
1⤵
PID:1616
- C:\Windows\andqkzodzijpjemw.exe
  andqkzodzijpjemw.exe
  2⤵
  PID:4652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brkaxphzykoxusdqllf.exe .
1⤵
PID:3148
- C:\Windows\brkaxphzykoxusdqllf.exe
  brkaxphzykoxusdqllf.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4620
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\brkaxphzykoxusdqllf.exe*."
    3⤵
    PID:2160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brkaxphzykoxusdqllf.exe
1⤵
PID:2740
- C:\Windows\brkaxphzykoxusdqllf.exe
  brkaxphzykoxusdqllf.exe
  2⤵
  PID:2916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ofzqohattglvtsesopkb.exe .
1⤵
PID:1340
- C:\Windows\ofzqohattglvtsesopkb.exe
  ofzqohattglvtsesopkb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:628
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ofzqohattglvtsesopkb.exe*."
    3⤵
    PID:2552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe
1⤵
PID:1044
- C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe
  C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe
  2⤵
  PID:2640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe .
1⤵
PID:2932
- C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:232
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\qfxmizqhfqtbxueqkj.exe*."
    3⤵
    PID:1816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
1⤵
PID:2608
- C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
  C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
  2⤵
  PID:928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvqihbvpqekvuuhwtvrje.exe
1⤵
PID:1600
- C:\Windows\dvqihbvpqekvuuhwtvrje.exe
  dvqihbvpqekvuuhwtvrje.exe
  2⤵
  PID:3132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe .
1⤵
PID:3164
- C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:380
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\qfxmizqhfqtbxueqkj.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvqihbvpqekvuuhwtvrje.exe .
1⤵
PID:3304
- C:\Windows\dvqihbvpqekvuuhwtvrje.exe
  dvqihbvpqekvuuhwtvrje.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5112
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\dvqihbvpqekvuuhwtvrje.exe*."
    3⤵
    PID:828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfxmizqhfqtbxueqkj.exe
1⤵
PID:2368
- C:\Windows\qfxmizqhfqtbxueqkj.exe
  qfxmizqhfqtbxueqkj.exe
  2⤵
  PID:4680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ofzqohattglvtsesopkb.exe
1⤵
PID:2188
- C:\Windows\ofzqohattglvtsesopkb.exe
  ofzqohattglvtsesopkb.exe
  2⤵
  PID:4652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfxmizqhfqtbxueqkj.exe .
1⤵
PID:5100
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4812
- C:\Windows\qfxmizqhfqtbxueqkj.exe
  qfxmizqhfqtbxueqkj.exe .
  2⤵
  PID:2356
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\qfxmizqhfqtbxueqkj.exe*."
    3⤵
    PID:4972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brkaxphzykoxusdqllf.exe .
1⤵
PID:2812
- C:\Windows\brkaxphzykoxusdqllf.exe
  brkaxphzykoxusdqllf.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1708
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\brkaxphzykoxusdqllf.exe*."
    3⤵
    PID:1508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe
1⤵
PID:1460
- C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe
  C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe
  2⤵
  PID:1680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvqihbvpqekvuuhwtvrje.exe
1⤵
PID:4060
- C:\Windows\dvqihbvpqekvuuhwtvrje.exe
  dvqihbvpqekvuuhwtvrje.exe
  2⤵
  PID:3740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe .
1⤵
PID:4908
- C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe
  C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe .
  2⤵
  PID:548
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\brkaxphzykoxusdqllf.exe*."
    3⤵
    PID:2468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brkaxphzykoxusdqllf.exe .
1⤵
PID:4972
- C:\Windows\brkaxphzykoxusdqllf.exe
  brkaxphzykoxusdqllf.exe .
  2⤵
  PID:2880
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\brkaxphzykoxusdqllf.exe*."
    3⤵
    PID:4872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe
1⤵
PID:544
- C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe
  2⤵
  PID:3256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c andqkzodzijpjemw.exe
1⤵
PID:2312
- C:\Windows\andqkzodzijpjemw.exe
  andqkzodzijpjemw.exe
  2⤵
  PID:3336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe .
1⤵
PID:3176
- C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe
  C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe .
  2⤵
  PID:208
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\brkaxphzykoxusdqllf.exe*."
    3⤵
    PID:3952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
1⤵
PID:3540
- C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
  2⤵
  PID:2900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c andqkzodzijpjemw.exe .
1⤵
PID:4368
- C:\Windows\andqkzodzijpjemw.exe
  andqkzodzijpjemw.exe .
  2⤵
  PID:4752
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\andqkzodzijpjemw.exe*."
    3⤵
    PID:1184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe .
1⤵
PID:2484
- C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe .
  2⤵
  PID:4292
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\andqkzodzijpjemw.exe*."
    3⤵
    PID:1820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ofzqohattglvtsesopkb.exe
1⤵
PID:1772
- C:\Windows\ofzqohattglvtsesopkb.exe
  ofzqohattglvtsesopkb.exe
  2⤵
  PID:1460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
1⤵
PID:1968
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:744
- C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
  2⤵
  PID:664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe .
1⤵
PID:4744
- C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe .
  2⤵
  PID:3104
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\andqkzodzijpjemw.exe*."
    3⤵
    PID:3116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hvmavlbroyahcyhsl.exe .
1⤵
PID:4048
- C:\Windows\hvmavlbroyahcyhsl.exe
  hvmavlbroyahcyhsl.exe .
  2⤵
  PID:808
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\hvmavlbroyahcyhsl.exe*."
    3⤵
    PID:1788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe
1⤵
PID:3616
- C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe
  C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe
  2⤵
  PID:2976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe .
1⤵
PID:4416
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:848
- C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe
  C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe .
  2⤵
  PID:3336
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\brkaxphzykoxusdqllf.exe*."
    3⤵
    PID:3996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
1⤵
PID:536
- C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
  2⤵
  PID:4288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe .
1⤵
PID:4932
- C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe
  C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe .
  2⤵
  PID:3600
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ofzqohattglvtsesopkb.exe*."
    3⤵
    PID:3148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c andqkzodzijpjemw.exe
1⤵
PID:4728
- C:\Windows\andqkzodzijpjemw.exe
  andqkzodzijpjemw.exe
  2⤵
  PID:688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvqihbvpqekvuuhwtvrje.exe .
1⤵
PID:2360
- C:\Windows\dvqihbvpqekvuuhwtvrje.exe
  dvqihbvpqekvuuhwtvrje.exe .
  2⤵
  PID:3956
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\dvqihbvpqekvuuhwtvrje.exe*."
    3⤵
    PID:4088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c andqkzodzijpjemw.exe
1⤵
PID:4616
- C:\Windows\andqkzodzijpjemw.exe
  andqkzodzijpjemw.exe
  2⤵
  PID:5076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ofzqohattglvtsesopkb.exe .
1⤵
PID:4420
- C:\Windows\ofzqohattglvtsesopkb.exe
  ofzqohattglvtsesopkb.exe .
  2⤵
  PID:3264
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ofzqohattglvtsesopkb.exe*."
    3⤵
    PID:2448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe
1⤵
PID:2600
- C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe
  C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe
  2⤵
  PID:4740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe .
1⤵
PID:3756
- C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe .
  2⤵
  PID:3932
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\hvmavlbroyahcyhsl.exe*."
    3⤵
    PID:8

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
1⤵
PID:2424
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4304
- C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
  2⤵
  PID:2812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe .
1⤵
PID:4836
- C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe .
  2⤵
  PID:548
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\qfxmizqhfqtbxueqkj.exe*."
    3⤵
    PID:4652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfxmizqhfqtbxueqkj.exe
1⤵
PID:5048
- C:\Windows\qfxmizqhfqtbxueqkj.exe
  qfxmizqhfqtbxueqkj.exe
  2⤵
  PID:4416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brkaxphzykoxusdqllf.exe .
1⤵
PID:3904
- C:\Windows\brkaxphzykoxusdqllf.exe
  brkaxphzykoxusdqllf.exe .
  2⤵
  PID:4680
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\brkaxphzykoxusdqllf.exe*."
    3⤵
    PID:4572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hvmavlbroyahcyhsl.exe
1⤵
PID:624
- C:\Windows\hvmavlbroyahcyhsl.exe
  hvmavlbroyahcyhsl.exe
  2⤵
  PID:4668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvqihbvpqekvuuhwtvrje.exe .
1⤵
PID:644
- C:\Windows\dvqihbvpqekvuuhwtvrje.exe
  dvqihbvpqekvuuhwtvrje.exe .
  2⤵
  PID:4812
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\dvqihbvpqekvuuhwtvrje.exe*."
    3⤵
    PID:1940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
1⤵
PID:5052
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3076
- C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
  2⤵
  PID:5008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe .
1⤵
PID:908
- C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe .
  2⤵
  PID:4128
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\qfxmizqhfqtbxueqkj.exe*."
    3⤵
    PID:1036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
1⤵
PID:3444
- C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
  C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
  2⤵
  PID:2448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe .
1⤵
PID:3068
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1740
- C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe .
  2⤵
  PID:2484
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\andqkzodzijpjemw.exe*."
    3⤵
    PID:3740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brkaxphzykoxusdqllf.exe
1⤵
PID:2216
- C:\Windows\brkaxphzykoxusdqllf.exe
  brkaxphzykoxusdqllf.exe
  2⤵
  PID:2308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ofzqohattglvtsesopkb.exe .
1⤵
PID:1076
- C:\Windows\ofzqohattglvtsesopkb.exe
  ofzqohattglvtsesopkb.exe .
  2⤵
  PID:1992
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ofzqohattglvtsesopkb.exe*."
    3⤵
    PID:4236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brkaxphzykoxusdqllf.exe
1⤵
PID:3544
- C:\Windows\brkaxphzykoxusdqllf.exe
  brkaxphzykoxusdqllf.exe
  2⤵
  PID:3052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvqihbvpqekvuuhwtvrje.exe .
1⤵
PID:3280
- C:\Windows\dvqihbvpqekvuuhwtvrje.exe
  dvqihbvpqekvuuhwtvrje.exe .
  2⤵
  PID:2292
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\dvqihbvpqekvuuhwtvrje.exe*."
    3⤵
    PID:2900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
1⤵
PID:3448
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4432
- C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
  2⤵
  PID:1292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe .
1⤵
PID:3676
- C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe
  C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe .
  2⤵
  PID:1064
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ofzqohattglvtsesopkb.exe*."
    3⤵
    PID:4752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe
1⤵
PID:4124
- C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe
  2⤵
  PID:1480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe .
1⤵
PID:664
- C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe .
  2⤵
  PID:3656
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\qfxmizqhfqtbxueqkj.exe*."
    3⤵
    PID:4356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hvmavlbroyahcyhsl.exe
1⤵
PID:3552
- C:\Windows\hvmavlbroyahcyhsl.exe
  hvmavlbroyahcyhsl.exe
  2⤵
  PID:4732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brkaxphzykoxusdqllf.exe .
1⤵
PID:2620
- C:\Windows\brkaxphzykoxusdqllf.exe
  brkaxphzykoxusdqllf.exe .
  2⤵
  PID:4284
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\brkaxphzykoxusdqllf.exe*."
    3⤵
    PID:3400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c andqkzodzijpjemw.exe
1⤵
PID:3756
- C:\Windows\andqkzodzijpjemw.exe
  andqkzodzijpjemw.exe
  2⤵
  PID:2832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c andqkzodzijpjemw.exe .
1⤵
PID:4620
- C:\Windows\andqkzodzijpjemw.exe
  andqkzodzijpjemw.exe .
  2⤵
  PID:4220
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\andqkzodzijpjemw.exe*."
    3⤵
    PID:4352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe
1⤵
PID:2216
- C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe
  C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe
  2⤵
  PID:3528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe .
1⤵
PID:1708
- C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe .
  2⤵
  PID:2188
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\hvmavlbroyahcyhsl.exe*."
    3⤵
    PID:1564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe
1⤵
PID:2148
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1880
- C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe
  2⤵
  PID:3904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe .
1⤵
PID:3344
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2356
- C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe
  C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe .
  2⤵
  PID:2268
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\brkaxphzykoxusdqllf.exe*."
    3⤵
    PID:4964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hvmavlbroyahcyhsl.exe
1⤵
PID:4272
- C:\Windows\hvmavlbroyahcyhsl.exe
  hvmavlbroyahcyhsl.exe
  2⤵
  PID:3656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvqihbvpqekvuuhwtvrje.exe .
1⤵
PID:3076
- C:\Windows\dvqihbvpqekvuuhwtvrje.exe
  dvqihbvpqekvuuhwtvrje.exe .
  2⤵
  PID:4436
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\dvqihbvpqekvuuhwtvrje.exe*."
    3⤵
    PID:4652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brkaxphzykoxusdqllf.exe
1⤵
PID:1300
- C:\Windows\brkaxphzykoxusdqllf.exe
  brkaxphzykoxusdqllf.exe
  2⤵
  PID:2624

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:2144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfxmizqhfqtbxueqkj.exe .
1⤵
PID:1788
- C:\Windows\qfxmizqhfqtbxueqkj.exe
  qfxmizqhfqtbxueqkj.exe .
  2⤵
  PID:2280
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\qfxmizqhfqtbxueqkj.exe*."
    3⤵
    PID:1076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe
1⤵
PID:4408
- C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe
  2⤵
  PID:548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe .
1⤵
PID:3304
- C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe
  C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe .
  2⤵
  PID:2576
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\brkaxphzykoxusdqllf.exe*."
    3⤵
    PID:632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe
1⤵
PID:4492
- C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe
  2⤵
  PID:3352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe .
1⤵
PID:5036
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4600
- C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe
  C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe .
  2⤵
  PID:5100
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ofzqohattglvtsesopkb.exe*."
    3⤵
    PID:4712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c andqkzodzijpjemw.exe
1⤵
PID:3532
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1816
- C:\Windows\andqkzodzijpjemw.exe
  andqkzodzijpjemw.exe
  2⤵
  PID:1432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfxmizqhfqtbxueqkj.exe .
1⤵
PID:2452
- C:\Windows\qfxmizqhfqtbxueqkj.exe
  qfxmizqhfqtbxueqkj.exe .
  2⤵
  PID:3012
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\qfxmizqhfqtbxueqkj.exe*."
    3⤵
    PID:4352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hvmavlbroyahcyhsl.exe
1⤵
PID:4652
- C:\Windows\hvmavlbroyahcyhsl.exe
  hvmavlbroyahcyhsl.exe
  2⤵
  PID:4692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hvmavlbroyahcyhsl.exe
1⤵
PID:2444
- C:\Windows\hvmavlbroyahcyhsl.exe
  hvmavlbroyahcyhsl.exe
  2⤵
  PID:4236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hvmavlbroyahcyhsl.exe
1⤵
PID:2740
- C:\Windows\hvmavlbroyahcyhsl.exe
  hvmavlbroyahcyhsl.exe
  2⤵
  PID:2148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ofzqohattglvtsesopkb.exe .
1⤵
PID:884
- C:\Windows\ofzqohattglvtsesopkb.exe
  ofzqohattglvtsesopkb.exe .
  2⤵
  PID:1524
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ofzqohattglvtsesopkb.exe*."
    3⤵
    PID:5240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvqihbvpqekvuuhwtvrje.exe .
1⤵
PID:2916
- C:\Windows\dvqihbvpqekvuuhwtvrje.exe
  dvqihbvpqekvuuhwtvrje.exe .
  2⤵
  PID:4972
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\dvqihbvpqekvuuhwtvrje.exe*."
    3⤵
    PID:2332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ofzqohattglvtsesopkb.exe .
1⤵
PID:4556
- C:\Windows\ofzqohattglvtsesopkb.exe
  ofzqohattglvtsesopkb.exe .
  2⤵
  PID:3764
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ofzqohattglvtsesopkb.exe*."
    3⤵
    PID:5256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
1⤵
PID:2976
- C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
  C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
  2⤵
  PID:1292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvqihbvpqekvuuhwtvrje.exe
1⤵
PID:3304
- C:\Windows\dvqihbvpqekvuuhwtvrje.exe
  dvqihbvpqekvuuhwtvrje.exe
  2⤵
  PID:3856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvqihbvpqekvuuhwtvrje.exe
1⤵
PID:3376
- C:\Windows\dvqihbvpqekvuuhwtvrje.exe
  dvqihbvpqekvuuhwtvrje.exe
  2⤵
  PID:5172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe .
1⤵
PID:4000
- C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
  C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe .
  2⤵
  PID:2720
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\dvqihbvpqekvuuhwtvrje.exe*."
    3⤵
    PID:5072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvqihbvpqekvuuhwtvrje.exe .
1⤵
PID:5100
- C:\Windows\dvqihbvpqekvuuhwtvrje.exe
  dvqihbvpqekvuuhwtvrje.exe .
  2⤵
  PID:5156
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\dvqihbvpqekvuuhwtvrje.exe*."
    3⤵
    PID:5380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvqihbvpqekvuuhwtvrje.exe .
1⤵
PID:1452
- C:\Windows\dvqihbvpqekvuuhwtvrje.exe
  dvqihbvpqekvuuhwtvrje.exe .
  2⤵
  PID:5428
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\dvqihbvpqekvuuhwtvrje.exe*."
    3⤵
    PID:5664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
1⤵
PID:3316
- C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
  2⤵
  PID:5440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
1⤵
PID:1800
- C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
  2⤵
  PID:5292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
1⤵
PID:4616
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3280
- C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
  C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
  2⤵
  PID:5456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe .
1⤵
PID:4004
- C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe .
  2⤵
  PID:5420
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\andqkzodzijpjemw.exe*."
    3⤵
    PID:5780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe .
1⤵
PID:3948
- C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe .
  2⤵
  PID:5524
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\andqkzodzijpjemw.exe*."
    3⤵
    PID:5788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe .
1⤵
PID:4988
- C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe
  C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe .
  2⤵
  PID:5332
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ofzqohattglvtsesopkb.exe*."
    3⤵
    PID:5636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe
1⤵
PID:2444
- C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe
  C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe
  2⤵
  PID:5648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe
1⤵
PID:3972
- C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe
  C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe
  2⤵
  PID:5536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe .
1⤵
PID:3660
- C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe .
  2⤵
  PID:5628
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\andqkzodzijpjemw.exe*."
    3⤵
    PID:5860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe .
1⤵
PID:5132
- C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe .
  2⤵
  PID:5704
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\andqkzodzijpjemw.exe*."
    3⤵
    PID:5876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brkaxphzykoxusdqllf.exe
1⤵
PID:5760
- C:\Windows\brkaxphzykoxusdqllf.exe
  brkaxphzykoxusdqllf.exe
  2⤵
  PID:5912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfxmizqhfqtbxueqkj.exe .
1⤵
PID:5924
- C:\Windows\qfxmizqhfqtbxueqkj.exe
  qfxmizqhfqtbxueqkj.exe .
  2⤵
  PID:5972
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\qfxmizqhfqtbxueqkj.exe*."
    3⤵
    PID:6028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hvmavlbroyahcyhsl.exe
1⤵
PID:6020
- C:\Windows\hvmavlbroyahcyhsl.exe
  hvmavlbroyahcyhsl.exe
  2⤵
  PID:6140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brkaxphzykoxusdqllf.exe .
1⤵
PID:6100
- C:\Windows\brkaxphzykoxusdqllf.exe
  brkaxphzykoxusdqllf.exe .
  2⤵
  PID:5072
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\brkaxphzykoxusdqllf.exe*."
    3⤵
    PID:3264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
1⤵
PID:2372
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:224
- C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
  C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
  2⤵
  PID:2972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe .
1⤵
PID:5188
- C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe
  C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe .
  2⤵
  PID:2524
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\brkaxphzykoxusdqllf.exe*."
    3⤵
    PID:5300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
1⤵
PID:5324
- C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
  C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
  2⤵
  PID:4000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe .
1⤵
PID:5284
- C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe .
  2⤵
  PID:5408
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\hvmavlbroyahcyhsl.exe*."
    3⤵
    PID:4696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ofzqohattglvtsesopkb.exe
1⤵
PID:5484
- C:\Windows\ofzqohattglvtsesopkb.exe
  ofzqohattglvtsesopkb.exe
  2⤵
  PID:4420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvqihbvpqekvuuhwtvrje.exe .
1⤵
PID:1324
- C:\Windows\dvqihbvpqekvuuhwtvrje.exe
  dvqihbvpqekvuuhwtvrje.exe .
  2⤵
  PID:5580
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\dvqihbvpqekvuuhwtvrje.exe*."
    3⤵
    PID:5100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brkaxphzykoxusdqllf.exe
1⤵
PID:1772
- C:\Windows\brkaxphzykoxusdqllf.exe
  brkaxphzykoxusdqllf.exe
  2⤵
  PID:5464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfxmizqhfqtbxueqkj.exe .
1⤵
PID:5652
- C:\Windows\qfxmizqhfqtbxueqkj.exe
  qfxmizqhfqtbxueqkj.exe .
  2⤵
  PID:5680
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\qfxmizqhfqtbxueqkj.exe*."
    3⤵
    PID:3492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
1⤵
PID:5312
- C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
  C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
  2⤵
  PID:5524

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:4060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe .
1⤵
PID:5700
- C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe .
  2⤵
  PID:5148
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\hvmavlbroyahcyhsl.exe*."
    3⤵
    PID:5824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
1⤵
PID:5632
- C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
  2⤵
  PID:5128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe .
1⤵
PID:5752
- C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe
  C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe .
  2⤵
  PID:5708
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ofzqohattglvtsesopkb.exe*."
    3⤵
    PID:5036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brkaxphzykoxusdqllf.exe
1⤵
PID:5228
- C:\Windows\brkaxphzykoxusdqllf.exe
  brkaxphzykoxusdqllf.exe
  2⤵
  PID:5364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvqihbvpqekvuuhwtvrje.exe .
1⤵
PID:5168
- C:\Windows\dvqihbvpqekvuuhwtvrje.exe
  dvqihbvpqekvuuhwtvrje.exe .
  2⤵
  PID:5748
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\dvqihbvpqekvuuhwtvrje.exe*."
    3⤵
    PID:6012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brkaxphzykoxusdqllf.exe
1⤵
PID:6008
- C:\Windows\brkaxphzykoxusdqllf.exe
  brkaxphzykoxusdqllf.exe
  2⤵
  PID:1556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hvmavlbroyahcyhsl.exe .
1⤵
PID:5968
- C:\Windows\hvmavlbroyahcyhsl.exe
  hvmavlbroyahcyhsl.exe .
  2⤵
  PID:6036
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\hvmavlbroyahcyhsl.exe*."
    3⤵
    PID:2576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
1⤵
PID:3020
- C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
  2⤵
  PID:5196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe .
1⤵
PID:4972
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1320
- C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe
  C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe .
  2⤵
  PID:1876
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ofzqohattglvtsesopkb.exe*."
    3⤵
    PID:6100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
1⤵
PID:6112
- C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
  2⤵
  PID:4980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe .
1⤵
PID:2524
- C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe .
  2⤵
  PID:5404
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\andqkzodzijpjemw.exe*."
    3⤵
    PID:4580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c andqkzodzijpjemw.exe
1⤵
PID:5380
- C:\Windows\andqkzodzijpjemw.exe
  andqkzodzijpjemw.exe
  2⤵
  PID:3220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ofzqohattglvtsesopkb.exe .
1⤵
PID:1064
- C:\Windows\ofzqohattglvtsesopkb.exe
  ofzqohattglvtsesopkb.exe .
  2⤵
  PID:884
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ofzqohattglvtsesopkb.exe*."
    3⤵
    PID:3976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c andqkzodzijpjemw.exe
1⤵
PID:3904
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1992
- C:\Windows\andqkzodzijpjemw.exe
  andqkzodzijpjemw.exe
  2⤵
  PID:2608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ofzqohattglvtsesopkb.exe .
1⤵
PID:736
- C:\Windows\ofzqohattglvtsesopkb.exe
  ofzqohattglvtsesopkb.exe .
  2⤵
  PID:4848
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ofzqohattglvtsesopkb.exe*."
    3⤵
    PID:5396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
1⤵
PID:744
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2304
- C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
  2⤵
  PID:2520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe .
1⤵
PID:5496
- C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe
  C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe .
  2⤵
  PID:232
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\brkaxphzykoxusdqllf.exe*."
    3⤵
    PID:4436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe
1⤵
PID:1432
- C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe
  C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe
  2⤵
  PID:5792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe .
1⤵
PID:4024
- C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe
  C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe .
  2⤵
  PID:5608
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\brkaxphzykoxusdqllf.exe*."
    3⤵
    PID:4472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ofzqohattglvtsesopkb.exe
1⤵
PID:5084
- C:\Windows\ofzqohattglvtsesopkb.exe
  ofzqohattglvtsesopkb.exe
  2⤵
  PID:5824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brkaxphzykoxusdqllf.exe .
1⤵
PID:5272
- C:\Windows\brkaxphzykoxusdqllf.exe
  brkaxphzykoxusdqllf.exe .
  2⤵
  PID:5220
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\brkaxphzykoxusdqllf.exe*."
    3⤵
    PID:1484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfxmizqhfqtbxueqkj.exe
1⤵
PID:4696
- C:\Windows\qfxmizqhfqtbxueqkj.exe
  qfxmizqhfqtbxueqkj.exe
  2⤵
  PID:4004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c andqkzodzijpjemw.exe .
1⤵
PID:5844
- C:\Windows\andqkzodzijpjemw.exe
  andqkzodzijpjemw.exe .
  2⤵
  PID:1216
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\andqkzodzijpjemw.exe*."
    3⤵
    PID:5276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe
1⤵
PID:4128
- C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe
  C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe
  2⤵
  PID:2204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe .
1⤵
PID:5936
- C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe .
  2⤵
  PID:5760
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\andqkzodzijpjemw.exe*."
    3⤵
    PID:5764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
1⤵
PID:5748
- C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
  2⤵
  PID:6028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe .
1⤵
PID:5812
- C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe .
  2⤵
  PID:5168
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\andqkzodzijpjemw.exe*."
    3⤵
    PID:6064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ofzqohattglvtsesopkb.exe
1⤵
PID:3264
- C:\Windows\ofzqohattglvtsesopkb.exe
  ofzqohattglvtsesopkb.exe
  2⤵
  PID:2648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ofzqohattglvtsesopkb.exe
1⤵
PID:6092
- C:\Windows\ofzqohattglvtsesopkb.exe
  ofzqohattglvtsesopkb.exe
  2⤵
  PID:5208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfxmizqhfqtbxueqkj.exe .
1⤵
PID:908
- C:\Windows\qfxmizqhfqtbxueqkj.exe
  qfxmizqhfqtbxueqkj.exe .
  2⤵
  PID:5292
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\qfxmizqhfqtbxueqkj.exe*."
    3⤵
    PID:3304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ofzqohattglvtsesopkb.exe .
1⤵
PID:2424
- C:\Windows\ofzqohattglvtsesopkb.exe
  ofzqohattglvtsesopkb.exe .
  2⤵
  PID:5216
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ofzqohattglvtsesopkb.exe*."
    3⤵
    PID:5380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvqihbvpqekvuuhwtvrje.exe
1⤵
PID:4676
- C:\Windows\dvqihbvpqekvuuhwtvrje.exe
  dvqihbvpqekvuuhwtvrje.exe
  2⤵
  PID:2760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brkaxphzykoxusdqllf.exe .
1⤵
PID:5204
- C:\Windows\brkaxphzykoxusdqllf.exe
  brkaxphzykoxusdqllf.exe .
  2⤵
  PID:2832
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\brkaxphzykoxusdqllf.exe*."
    3⤵
    PID:3756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brkaxphzykoxusdqllf.exe
1⤵
PID:4644
- C:\Windows\brkaxphzykoxusdqllf.exe
  brkaxphzykoxusdqllf.exe
  2⤵
  PID:5784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hvmavlbroyahcyhsl.exe
1⤵
PID:5324
- C:\Windows\hvmavlbroyahcyhsl.exe
  hvmavlbroyahcyhsl.exe
  2⤵
  PID:5524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
1⤵
PID:1600
- C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
  C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
  2⤵
  PID:5740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hvmavlbroyahcyhsl.exe .
1⤵
PID:5340
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2280
- C:\Windows\hvmavlbroyahcyhsl.exe
  hvmavlbroyahcyhsl.exe .
  2⤵
  PID:2600
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\hvmavlbroyahcyhsl.exe*."
    3⤵
    PID:5704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brkaxphzykoxusdqllf.exe .
1⤵
PID:5444
- C:\Windows\brkaxphzykoxusdqllf.exe
  brkaxphzykoxusdqllf.exe .
  2⤵
  PID:5368
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\brkaxphzykoxusdqllf.exe*."
    3⤵
    PID:552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe .
1⤵
PID:1316
- C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe .
  2⤵
  PID:4188
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\hvmavlbroyahcyhsl.exe*."
    3⤵
    PID:5360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe
1⤵
PID:2812
- C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe
  C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe
  2⤵
  PID:5900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe .
1⤵
PID:2260
- C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
  C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe .
  2⤵
  PID:5276
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\dvqihbvpqekvuuhwtvrje.exe*."
    3⤵
    PID:5236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hvmavlbroyahcyhsl.exe
1⤵
PID:5616
- C:\Windows\hvmavlbroyahcyhsl.exe
  hvmavlbroyahcyhsl.exe
  2⤵
  PID:548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ofzqohattglvtsesopkb.exe .
1⤵
PID:372
- C:\Windows\ofzqohattglvtsesopkb.exe
  ofzqohattglvtsesopkb.exe .
  2⤵
  PID:5868
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ofzqohattglvtsesopkb.exe*."
    3⤵
    PID:3848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
1⤵
PID:1676
- C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
  C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
  2⤵
  PID:4128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
1⤵
PID:5532
- C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
  C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
  2⤵
  PID:632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe .
1⤵
PID:5516
- C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe .
  2⤵
  PID:740
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\qfxmizqhfqtbxueqkj.exe*."
    3⤵
    PID:6048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
1⤵
PID:3528
- C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
  2⤵
  PID:6028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe .
1⤵
PID:5716
- C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe
  C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe .
  2⤵
  PID:6116
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ofzqohattglvtsesopkb.exe*."
    3⤵
    PID:1980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe .
1⤵
PID:5696
- C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe .
  2⤵
  PID:5852
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\hvmavlbroyahcyhsl.exe*."
    3⤵
    PID:6120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe
1⤵
PID:5824
- C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe
  C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe
  2⤵
  PID:6140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe .
1⤵
PID:2264
- C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
  C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe .
  2⤵
  PID:5192
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\dvqihbvpqekvuuhwtvrje.exe*."
    3⤵
    PID:1300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfxmizqhfqtbxueqkj.exe
1⤵
PID:6056
- C:\Windows\qfxmizqhfqtbxueqkj.exe
  qfxmizqhfqtbxueqkj.exe
  2⤵
  PID:2740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfxmizqhfqtbxueqkj.exe .
1⤵
PID:3264
- C:\Windows\qfxmizqhfqtbxueqkj.exe
  qfxmizqhfqtbxueqkj.exe .
  2⤵
  PID:5184
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\qfxmizqhfqtbxueqkj.exe*."
    3⤵
    PID:6136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfxmizqhfqtbxueqkj.exe
1⤵
PID:5676
- C:\Windows\qfxmizqhfqtbxueqkj.exe
  qfxmizqhfqtbxueqkj.exe
  2⤵
  PID:1588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brkaxphzykoxusdqllf.exe .
1⤵
PID:8
- C:\Windows\brkaxphzykoxusdqllf.exe
  brkaxphzykoxusdqllf.exe .
  2⤵
  PID:2880
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\brkaxphzykoxusdqllf.exe*."
    3⤵
    PID:4540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
1⤵
PID:1772
- C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
  2⤵
  PID:5348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe .
1⤵
PID:4064
- C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe .
  2⤵
  PID:5544
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\hvmavlbroyahcyhsl.exe*."
    3⤵
    PID:5384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
1⤵
PID:1700
- C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
  2⤵
  PID:1600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe .
1⤵
PID:2160
- C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
  C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe .
  2⤵
  PID:5904
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\dvqihbvpqekvuuhwtvrje.exe*."
    3⤵
    PID:4696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ofzqohattglvtsesopkb.exe
1⤵
PID:5940
- C:\Windows\ofzqohattglvtsesopkb.exe
  ofzqohattglvtsesopkb.exe
  2⤵
  PID:4804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvqihbvpqekvuuhwtvrje.exe .
1⤵
PID:5708
- C:\Windows\dvqihbvpqekvuuhwtvrje.exe
  dvqihbvpqekvuuhwtvrje.exe .
  2⤵
  PID:3976
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\dvqihbvpqekvuuhwtvrje.exe*."
    3⤵
    PID:808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brkaxphzykoxusdqllf.exe
1⤵
PID:5360
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4652
- C:\Windows\brkaxphzykoxusdqllf.exe
  brkaxphzykoxusdqllf.exe
  2⤵
  PID:5856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ofzqohattglvtsesopkb.exe .
1⤵
PID:6028
- C:\Windows\ofzqohattglvtsesopkb.exe
  ofzqohattglvtsesopkb.exe .
  2⤵
  PID:4056
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ofzqohattglvtsesopkb.exe*."
    3⤵
    PID:4052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe
1⤵
PID:5588
- C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe
  C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe
  2⤵
  PID:5576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe .
1⤵
PID:2312
- C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe .
  2⤵
  PID:6036
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\hvmavlbroyahcyhsl.exe*."
    3⤵
    PID:3904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
1⤵
PID:4220
- C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
  2⤵
  PID:3528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe .
1⤵
PID:5652
- C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe
  C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe .
  2⤵
  PID:5824
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\brkaxphzykoxusdqllf.exe*."
    3⤵
    PID:6012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c andqkzodzijpjemw.exe
1⤵
PID:2216
- C:\Windows\andqkzodzijpjemw.exe
  andqkzodzijpjemw.exe
  2⤵
  PID:6120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ofzqohattglvtsesopkb.exe .
1⤵
PID:5336
- C:\Windows\ofzqohattglvtsesopkb.exe
  ofzqohattglvtsesopkb.exe .
  2⤵
  PID:1876
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ofzqohattglvtsesopkb.exe*."
    3⤵
    PID:1980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfxmizqhfqtbxueqkj.exe
1⤵
PID:5584
- C:\Windows\qfxmizqhfqtbxueqkj.exe
  qfxmizqhfqtbxueqkj.exe
  2⤵
  PID:5432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ofzqohattglvtsesopkb.exe .
1⤵
PID:4700
- C:\Windows\ofzqohattglvtsesopkb.exe
  ofzqohattglvtsesopkb.exe .
  2⤵
  PID:432
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ofzqohattglvtsesopkb.exe*."
    3⤵
    PID:5812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe
1⤵
PID:3448
- C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe
  2⤵
  PID:5176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe .
1⤵
PID:5224
- C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe
  C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe .
  2⤵
  PID:4316
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\brkaxphzykoxusdqllf.exe*."
    3⤵
    PID:5216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
1⤵
PID:112
- C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
  C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
  2⤵
  PID:1936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe .
1⤵
PID:1292
- C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe .
  2⤵
  PID:6108
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\andqkzodzijpjemw.exe*."
    3⤵
    PID:5256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvqihbvpqekvuuhwtvrje.exe
1⤵
PID:8
- C:\Windows\dvqihbvpqekvuuhwtvrje.exe
  dvqihbvpqekvuuhwtvrje.exe
  2⤵
  PID:1988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvqihbvpqekvuuhwtvrje.exe .
1⤵
PID:5780
- C:\Windows\dvqihbvpqekvuuhwtvrje.exe
  dvqihbvpqekvuuhwtvrje.exe .
  2⤵
  PID:412
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\dvqihbvpqekvuuhwtvrje.exe*."
    3⤵
    PID:6064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvqihbvpqekvuuhwtvrje.exe
1⤵
PID:5052
- C:\Windows\dvqihbvpqekvuuhwtvrje.exe
  dvqihbvpqekvuuhwtvrje.exe
  2⤵
  PID:5440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hvmavlbroyahcyhsl.exe .
1⤵
PID:5404
- C:\Windows\hvmavlbroyahcyhsl.exe
  hvmavlbroyahcyhsl.exe .
  2⤵
  PID:5728
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\hvmavlbroyahcyhsl.exe*."
    3⤵
    PID:5144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
1⤵
PID:5148
- C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
  C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
  2⤵
  PID:4304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe .
1⤵
PID:5244
- C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
  C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe .
  2⤵
  PID:5996
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\dvqihbvpqekvuuhwtvrje.exe*."
    3⤵
    PID:212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
1⤵
PID:3932
- C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
  2⤵
  PID:64

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe .
1⤵
PID:5616
- C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe .
  2⤵
  PID:6040
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\andqkzodzijpjemw.exe*."
    3⤵
    PID:5840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvqihbvpqekvuuhwtvrje.exe
1⤵
PID:4836
- C:\Windows\dvqihbvpqekvuuhwtvrje.exe
  dvqihbvpqekvuuhwtvrje.exe
  2⤵
  PID:1064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfxmizqhfqtbxueqkj.exe .
1⤵
PID:4576
- C:\Windows\qfxmizqhfqtbxueqkj.exe
  qfxmizqhfqtbxueqkj.exe .
  2⤵
  PID:5396
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\qfxmizqhfqtbxueqkj.exe*."
    3⤵
    PID:2312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c andqkzodzijpjemw.exe
1⤵
PID:1084
- C:\Windows\andqkzodzijpjemw.exe
  andqkzodzijpjemw.exe
  2⤵
  PID:5732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfxmizqhfqtbxueqkj.exe .
1⤵
PID:2684
- C:\Windows\qfxmizqhfqtbxueqkj.exe
  qfxmizqhfqtbxueqkj.exe .
  2⤵
  PID:4272
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\qfxmizqhfqtbxueqkj.exe*."
    3⤵
    PID:740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
1⤵
PID:4220
- C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
  2⤵
  PID:3996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe .
1⤵
PID:5824
- C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe .
  2⤵
  PID:2756
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\hvmavlbroyahcyhsl.exe*."
    3⤵
    PID:6048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
1⤵
PID:2260
- C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
  2⤵
  PID:1616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe .
1⤵
PID:5452
- C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe .
  2⤵
  PID:5960
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\qfxmizqhfqtbxueqkj.exe*."
    3⤵
    PID:5212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvqihbvpqekvuuhwtvrje.exe
1⤵
PID:3348
- C:\Windows\dvqihbvpqekvuuhwtvrje.exe
  dvqihbvpqekvuuhwtvrje.exe
  2⤵
  PID:3448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brkaxphzykoxusdqllf.exe
1⤵
PID:5300
- C:\Windows\brkaxphzykoxusdqllf.exe
  brkaxphzykoxusdqllf.exe
  2⤵
  PID:5376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c andqkzodzijpjemw.exe .
1⤵
PID:5320
- C:\Windows\andqkzodzijpjemw.exe
  andqkzodzijpjemw.exe .
  2⤵
  PID:5680
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\andqkzodzijpjemw.exe*."
    3⤵
    PID:2728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvqihbvpqekvuuhwtvrje.exe .
1⤵
PID:5528
- C:\Windows\dvqihbvpqekvuuhwtvrje.exe
  dvqihbvpqekvuuhwtvrje.exe .
  2⤵
  PID:5184
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\dvqihbvpqekvuuhwtvrje.exe*."
    3⤵
    PID:3980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brkaxphzykoxusdqllf.exe
1⤵
PID:2620
- C:\Windows\brkaxphzykoxusdqllf.exe
  brkaxphzykoxusdqllf.exe
  2⤵
  PID:5456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvqihbvpqekvuuhwtvrje.exe
1⤵
PID:5540
- C:\Windows\dvqihbvpqekvuuhwtvrje.exe
  dvqihbvpqekvuuhwtvrje.exe
  2⤵
  PID:2204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c andqkzodzijpjemw.exe
1⤵
PID:6104
- C:\Windows\andqkzodzijpjemw.exe
  andqkzodzijpjemw.exe
  2⤵
  PID:5436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brkaxphzykoxusdqllf.exe .
1⤵
PID:5636
- C:\Windows\brkaxphzykoxusdqllf.exe
  brkaxphzykoxusdqllf.exe .
  2⤵
  PID:1840
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\brkaxphzykoxusdqllf.exe*."
    3⤵
    PID:2108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfxmizqhfqtbxueqkj.exe .
1⤵
PID:60
- C:\Windows\qfxmizqhfqtbxueqkj.exe
  qfxmizqhfqtbxueqkj.exe .
  2⤵
  PID:3852
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\qfxmizqhfqtbxueqkj.exe*."
    3⤵
    PID:4436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brkaxphzykoxusdqllf.exe .
1⤵
PID:2880
- C:\Windows\brkaxphzykoxusdqllf.exe
  brkaxphzykoxusdqllf.exe .
  2⤵
  PID:5964
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\brkaxphzykoxusdqllf.exe*."
    3⤵
    PID:2268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe
1⤵
PID:5308
- C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe
  C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe
  2⤵
  PID:4668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
1⤵
PID:5288
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4352
- C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
  2⤵
  PID:3232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe .
1⤵
PID:8
- C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe .
  2⤵
  PID:2676
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\hvmavlbroyahcyhsl.exe*."
    3⤵
    PID:2500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hvmavlbroyahcyhsl.exe
1⤵
PID:5312
- C:\Windows\hvmavlbroyahcyhsl.exe
  hvmavlbroyahcyhsl.exe
  2⤵
  PID:5364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe .
1⤵
PID:3468
- C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe
  C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe .
  2⤵
  PID:5508
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ofzqohattglvtsesopkb.exe*."
    3⤵
    PID:3856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brkaxphzykoxusdqllf.exe .
1⤵
PID:1816
- C:\Windows\brkaxphzykoxusdqllf.exe
  brkaxphzykoxusdqllf.exe .
  2⤵
  PID:2400
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\brkaxphzykoxusdqllf.exe*."
    3⤵
    PID:2684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe
1⤵
PID:5728
- C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe
  C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe
  2⤵
  PID:632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
1⤵
PID:1640
- C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
  C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
  2⤵
  PID:1632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe .
1⤵
PID:4952
- C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe
  C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe .
  2⤵
  PID:1084
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ofzqohattglvtsesopkb.exe*."
    3⤵
    PID:6092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
1⤵
PID:2600
- C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
  2⤵
  PID:3996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe .
1⤵
PID:5820
- C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
  C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe .
  2⤵
  PID:5024
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\dvqihbvpqekvuuhwtvrje.exe*."
    3⤵
    PID:4868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe .
1⤵
PID:720
- C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe .
  2⤵
  PID:6020
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\andqkzodzijpjemw.exe*."
    3⤵
    PID:5984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
1⤵
PID:6040
- C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
  C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
  2⤵
  PID:5048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe .
1⤵
PID:5472
- C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe .
  2⤵
  PID:3012
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\andqkzodzijpjemw.exe*."
    3⤵
    PID:5452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ofzqohattglvtsesopkb.exe
1⤵
PID:2756
- C:\Windows\ofzqohattglvtsesopkb.exe
  ofzqohattglvtsesopkb.exe
  2⤵
  PID:6128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c andqkzodzijpjemw.exe .
1⤵
PID:5908
- C:\Windows\andqkzodzijpjemw.exe
  andqkzodzijpjemw.exe .
  2⤵
  PID:2340
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\andqkzodzijpjemw.exe*."
    3⤵
    PID:3432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brkaxphzykoxusdqllf.exe
1⤵
PID:1036
- C:\Windows\brkaxphzykoxusdqllf.exe
  brkaxphzykoxusdqllf.exe
  2⤵
  PID:5720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brkaxphzykoxusdqllf.exe .
1⤵
PID:5416
- C:\Windows\brkaxphzykoxusdqllf.exe
  brkaxphzykoxusdqllf.exe .
  2⤵
  PID:316
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\brkaxphzykoxusdqllf.exe*."
    3⤵
    PID:6064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
1⤵
PID:3740
- C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
  C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
  2⤵
  PID:1460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe .
1⤵
PID:3276
- C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe .
  2⤵
  PID:5456
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\andqkzodzijpjemw.exe*."
    3⤵
    PID:772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe
1⤵
PID:5436
- C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe
  2⤵
  PID:2740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe .
1⤵
PID:5600
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4316
- C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe
  C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe .
  2⤵
  PID:5224
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ofzqohattglvtsesopkb.exe*."
    3⤵
    PID:628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfxmizqhfqtbxueqkj.exe
1⤵
PID:2424
- C:\Windows\qfxmizqhfqtbxueqkj.exe
  qfxmizqhfqtbxueqkj.exe
  2⤵
  PID:5256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hvmavlbroyahcyhsl.exe .
1⤵
PID:2520
- C:\Windows\hvmavlbroyahcyhsl.exe
  hvmavlbroyahcyhsl.exe .
  2⤵
  PID:2812
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\hvmavlbroyahcyhsl.exe*."
    3⤵
    PID:2552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brkaxphzykoxusdqllf.exe
1⤵
PID:3620
- C:\Windows\brkaxphzykoxusdqllf.exe
  brkaxphzykoxusdqllf.exe
  2⤵
  PID:6076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvqihbvpqekvuuhwtvrje.exe .
1⤵
PID:5460
- C:\Windows\dvqihbvpqekvuuhwtvrje.exe
  dvqihbvpqekvuuhwtvrje.exe .
  2⤵
  PID:1484
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\dvqihbvpqekvuuhwtvrje.exe*."
    3⤵
    PID:3344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
1⤵
PID:5252
- C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
  C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
  2⤵
  PID:3756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe .
1⤵
PID:5852
- C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe
  C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe .
  2⤵
  PID:5544
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ofzqohattglvtsesopkb.exe*."
    3⤵
    PID:4988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
1⤵
PID:5972
- C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
  2⤵
  PID:5896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe .
1⤵
PID:6016
- C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe .
  2⤵
  PID:5420
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\andqkzodzijpjemw.exe*."
    3⤵
    PID:6080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c andqkzodzijpjemw.exe
1⤵
PID:4236
- C:\Windows\andqkzodzijpjemw.exe
  andqkzodzijpjemw.exe
  2⤵
  PID:3508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ofzqohattglvtsesopkb.exe .
1⤵
PID:5904
- C:\Windows\ofzqohattglvtsesopkb.exe
  ofzqohattglvtsesopkb.exe .
  2⤵
  PID:548
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ofzqohattglvtsesopkb.exe*."
    3⤵
    PID:1600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brkaxphzykoxusdqllf.exe
1⤵
PID:3020
- C:\Windows\brkaxphzykoxusdqllf.exe
  brkaxphzykoxusdqllf.exe
  2⤵
  PID:4692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ofzqohattglvtsesopkb.exe .
1⤵
PID:3316
- C:\Windows\ofzqohattglvtsesopkb.exe
  ofzqohattglvtsesopkb.exe .
  2⤵
  PID:4744
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ofzqohattglvtsesopkb.exe*."
    3⤵
    PID:5932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe
1⤵
PID:5948
- C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe
  C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe
  2⤵
  PID:5468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe .
1⤵
PID:4064
- C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe .
  2⤵
  PID:5860
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\andqkzodzijpjemw.exe*."
    3⤵
    PID:3012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
1⤵
PID:808
- C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
  C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
  2⤵
  PID:5584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe .
1⤵
PID:1440
- C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe .
  2⤵
  PID:5220
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\andqkzodzijpjemw.exe*."
    3⤵
    PID:5884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfxmizqhfqtbxueqkj.exe
1⤵
PID:1352
- C:\Windows\qfxmizqhfqtbxueqkj.exe
  qfxmizqhfqtbxueqkj.exe
  2⤵
  PID:1980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brkaxphzykoxusdqllf.exe .
1⤵
PID:3456
- C:\Windows\brkaxphzykoxusdqllf.exe
  brkaxphzykoxusdqllf.exe .
  2⤵
  PID:6132
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\brkaxphzykoxusdqllf.exe*."
    3⤵
    PID:3348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvqihbvpqekvuuhwtvrje.exe
1⤵
PID:1796
- C:\Windows\dvqihbvpqekvuuhwtvrje.exe
  dvqihbvpqekvuuhwtvrje.exe
  2⤵
  PID:2876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hvmavlbroyahcyhsl.exe .
1⤵
PID:5744
- C:\Windows\hvmavlbroyahcyhsl.exe
  hvmavlbroyahcyhsl.exe .
  2⤵
  PID:4544
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\hvmavlbroyahcyhsl.exe*."
    3⤵
    PID:5224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe
1⤵
PID:772
- C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe
  C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe
  2⤵
  PID:5716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe .
1⤵
PID:5368
- C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe
  C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe .
  2⤵
  PID:3408
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\brkaxphzykoxusdqllf.exe*."
    3⤵
    PID:6104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe
1⤵
PID:5784
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3264
- C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe
  C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe
  2⤵
  PID:5980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe .
1⤵
PID:5256
- C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe .
  2⤵
  PID:4108
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\qfxmizqhfqtbxueqkj.exe*."
    3⤵
    PID:2812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brkaxphzykoxusdqllf.exe
1⤵
PID:5936
- C:\Windows\brkaxphzykoxusdqllf.exe
  brkaxphzykoxusdqllf.exe
  2⤵
  PID:3552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvqihbvpqekvuuhwtvrje.exe .
1⤵
PID:4436
- C:\Windows\dvqihbvpqekvuuhwtvrje.exe
  dvqihbvpqekvuuhwtvrje.exe .
  2⤵
  PID:5636
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\dvqihbvpqekvuuhwtvrje.exe*."
    3⤵
    PID:3148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfxmizqhfqtbxueqkj.exe
1⤵
PID:3580
- C:\Windows\qfxmizqhfqtbxueqkj.exe
  qfxmizqhfqtbxueqkj.exe
  2⤵
  PID:3996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brkaxphzykoxusdqllf.exe .
1⤵
PID:5308
- C:\Windows\brkaxphzykoxusdqllf.exe
  brkaxphzykoxusdqllf.exe .
  2⤵
  PID:5852
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\brkaxphzykoxusdqllf.exe*."
    3⤵
    PID:1988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
1⤵
PID:5348
- C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
  2⤵
  PID:628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe .
1⤵
PID:1248
- C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe
  C:\Users\Admin\AppData\Local\Temp\ofzqohattglvtsesopkb.exe .
  2⤵
  PID:4032
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ofzqohattglvtsesopkb.exe*."
    3⤵
    PID:2684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
1⤵
PID:5244
- C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
  C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
  2⤵
  PID:3508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe .
1⤵
PID:2368
- C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
  C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe .
  2⤵
  PID:5652
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\dvqihbvpqekvuuhwtvrje.exe*."
    3⤵
    PID:3176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvqihbvpqekvuuhwtvrje.exe
1⤵
PID:232
- C:\Windows\dvqihbvpqekvuuhwtvrje.exe
  dvqihbvpqekvuuhwtvrje.exe
  2⤵
  PID:1816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c andqkzodzijpjemw.exe .
1⤵
PID:4004
- C:\Windows\andqkzodzijpjemw.exe
  andqkzodzijpjemw.exe .
  2⤵
  PID:1788
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\andqkzodzijpjemw.exe*."
    3⤵
    PID:5316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvqihbvpqekvuuhwtvrje.exe
1⤵
PID:1568
- C:\Windows\dvqihbvpqekvuuhwtvrje.exe
  dvqihbvpqekvuuhwtvrje.exe
  2⤵
  PID:5836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brkaxphzykoxusdqllf.exe .
1⤵
PID:1804
- C:\Windows\brkaxphzykoxusdqllf.exe
  brkaxphzykoxusdqllf.exe .
  2⤵
  PID:5928
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\brkaxphzykoxusdqllf.exe*."
    3⤵
    PID:1992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvqihbvpqekvuuhwtvrje.exe
1⤵
PID:6116
- C:\Windows\dvqihbvpqekvuuhwtvrje.exe
  dvqihbvpqekvuuhwtvrje.exe
  2⤵
  PID:808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
1⤵
PID:2280
- C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
  C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
  2⤵
  PID:3236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c andqkzodzijpjemw.exe .
1⤵
PID:372
- C:\Windows\andqkzodzijpjemw.exe
  andqkzodzijpjemw.exe .
  2⤵
  PID:432
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\andqkzodzijpjemw.exe*."
    3⤵
    PID:3104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe .
1⤵
PID:6080
- C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
  C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe .
  2⤵
  PID:6056
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\dvqihbvpqekvuuhwtvrje.exe*."
    3⤵
    PID:4416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfxmizqhfqtbxueqkj.exe
1⤵
PID:1880
- C:\Windows\qfxmizqhfqtbxueqkj.exe
  qfxmizqhfqtbxueqkj.exe
  2⤵
  PID:2876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfxmizqhfqtbxueqkj.exe
1⤵
PID:2712
- C:\Windows\qfxmizqhfqtbxueqkj.exe
  qfxmizqhfqtbxueqkj.exe
  2⤵
  PID:1588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
1⤵
PID:2760
- C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
  2⤵
  PID:3944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvqihbvpqekvuuhwtvrje.exe .
1⤵
PID:6132
- C:\Windows\dvqihbvpqekvuuhwtvrje.exe
  dvqihbvpqekvuuhwtvrje.exe .
  2⤵
  PID:2424
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\dvqihbvpqekvuuhwtvrje.exe*."
    3⤵
    PID:5288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe
1⤵
PID:5612
- C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe
  2⤵
  PID:5656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe .
1⤵
PID:6064
- C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
  C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe .
  2⤵
  PID:4108
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\dvqihbvpqekvuuhwtvrje.exe*."
    3⤵
    PID:4472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ofzqohattglvtsesopkb.exe .
1⤵
PID:5344
- C:\Windows\ofzqohattglvtsesopkb.exe
  ofzqohattglvtsesopkb.exe .
  2⤵
  PID:6128
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ofzqohattglvtsesopkb.exe*."
    3⤵
    PID:5132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe .
1⤵
PID:6136
- C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe .
  2⤵
  PID:5424
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\qfxmizqhfqtbxueqkj.exe*."
    3⤵
    PID:3848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvqihbvpqekvuuhwtvrje.exe
1⤵
PID:4316
- C:\Windows\dvqihbvpqekvuuhwtvrje.exe
  dvqihbvpqekvuuhwtvrje.exe
  2⤵
  PID:4352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvqihbvpqekvuuhwtvrje.exe .
1⤵
PID:4908
- C:\Windows\dvqihbvpqekvuuhwtvrje.exe
  dvqihbvpqekvuuhwtvrje.exe .
  2⤵
  PID:4436
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\dvqihbvpqekvuuhwtvrje.exe*."
    3⤵
    PID:6112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
1⤵
PID:5032
- C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
  2⤵
  PID:2400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
1⤵
PID:6000
- C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
  2⤵
  PID:2304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe .
1⤵
PID:1840
- C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe .
  2⤵
  PID:2880
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\qfxmizqhfqtbxueqkj.exe*."
    3⤵
    PID:5244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe .
1⤵
PID:3620
- C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe
  C:\Users\Admin\AppData\Local\Temp\brkaxphzykoxusdqllf.exe .
  2⤵
  PID:3856
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\brkaxphzykoxusdqllf.exe*."
    3⤵
    PID:5432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
1⤵
PID:5172
- C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
  C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
  2⤵
  PID:4656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe .
1⤵
PID:3864
- C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe .
  2⤵
  PID:5684
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\hvmavlbroyahcyhsl.exe*."
    3⤵
    PID:4040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c andqkzodzijpjemw.exe
1⤵
PID:5620
- C:\Windows\andqkzodzijpjemw.exe
  andqkzodzijpjemw.exe
  2⤵
  PID:2332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qfxmizqhfqtbxueqkj.exe .
1⤵
PID:5596
- C:\Windows\qfxmizqhfqtbxueqkj.exe
  qfxmizqhfqtbxueqkj.exe .
  2⤵
  PID:4428
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\qfxmizqhfqtbxueqkj.exe*."
    3⤵
    PID:5428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c andqkzodzijpjemw.exe
1⤵
PID:2624
- C:\Windows\andqkzodzijpjemw.exe
  andqkzodzijpjemw.exe
  2⤵
  PID:5856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvqihbvpqekvuuhwtvrje.exe .
1⤵
PID:5112
- C:\Windows\dvqihbvpqekvuuhwtvrje.exe
  dvqihbvpqekvuuhwtvrje.exe .
  2⤵
  PID:1604
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\dvqihbvpqekvuuhwtvrje.exe*."
    3⤵
    PID:1184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
1⤵
PID:412
- C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\qfxmizqhfqtbxueqkj.exe
  2⤵
  PID:1568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe .
1⤵
PID:5188
- C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe .
  2⤵
  PID:1800
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\andqkzodzijpjemw.exe*."
    3⤵
    PID:4064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
1⤵
PID:4268
- C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
  C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
  2⤵
  PID:5312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe .
1⤵
PID:1992
- C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe
  C:\Users\Admin\AppData\Local\Temp\dvqihbvpqekvuuhwtvrje.exe .
  2⤵
  PID:4024
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\dvqihbvpqekvuuhwtvrje.exe*."
    3⤵
    PID:2732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c andqkzodzijpjemw.exe
1⤵
PID:112
- C:\Windows\andqkzodzijpjemw.exe
  andqkzodzijpjemw.exe
  2⤵
  PID:5940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c andqkzodzijpjemw.exe .
1⤵
PID:1440
- C:\Windows\andqkzodzijpjemw.exe
  andqkzodzijpjemw.exe .
  2⤵
  PID:372
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\andqkzodzijpjemw.exe*."
    3⤵
    PID:5676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dvqihbvpqekvuuhwtvrje.exe
1⤵
PID:5920
- C:\Windows\dvqihbvpqekvuuhwtvrje.exe
  dvqihbvpqekvuuhwtvrje.exe
  2⤵
  PID:4676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brkaxphzykoxusdqllf.exe .
1⤵
PID:1480
- C:\Windows\brkaxphzykoxusdqllf.exe
  brkaxphzykoxusdqllf.exe .
  2⤵
  PID:5704
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\brkaxphzykoxusdqllf.exe*."
    3⤵
    PID:1292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe
1⤵
PID:5504
- C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\andqkzodzijpjemw.exe
  2⤵
  PID:2424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvmavlbroyahcyhsl.exe .
1⤵
PID:5208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Modify Registry