pykspa | 94297af35450e94c09bbc9a6216363c4c8a11a6a50169ca8c9cec594595aacc3

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	yafov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	yafov.exe

Pykspa
Pykspa is a worm spreads via Skype uses DGA and it's written in C++.
worm pykspa
Pykspa family
pykspa

UAC bypass 3 TTPs 20 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yafov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	yafov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	yafov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	yafov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	yafov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yafov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	yafov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	yafov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe

Detect Pykspa worm 2 IoCs

worm

resource	yara_rule
behavioral2/files/0x000c00000001ed72-4.dat	family_pykspa
behavioral2/files/0x000500000001e904-85.dat	family_pykspa

Adds policy Run key to start application 2 TTPs 25 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cirepwgtz = "viyskypjwjfvehec.exe"	yafov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jmscko = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jausogbzqhhbovwyvhfw.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cirepwgtz = "wmfcxoifvlkdpvvwsda.exe"	whljbuilgrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	yafov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zflpwgp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bvphcaxumdgbpxzcanpjd.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jmscko = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lasoiyrncrphsxwwrb.exe"	yafov.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yhqxhugszf = "ofwldysmbpphsxwwrb.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jmscko = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cqhcvkcxlzwnxbzys.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cirepwgtz = "jausogbzqhhbovwyvhfw.exe"	yafov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jmscko = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wmfcxoifvlkdpvvwsda.exe"	yafov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jmscko = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cqhcvkcxlzwnxbzys.exe"	whljbuilgrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cirepwgtz = "yqlkhawvnfgbpxzcanmez.exe"	yafov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jmscko = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lasoiyrncrphsxwwrb.exe"	whljbuilgrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cirepwgtz = "viyskypjwjfvehec.exe"	whljbuilgrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	yafov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cirepwgtz = "lasoiyrncrphsxwwrb.exe"	yafov.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cirepwgtz = "jausogbzqhhbovwyvhfw.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yhqxhugszf = "zrjzsojeujkdpvvwsdd.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cirepwgtz = "lasoiyrncrphsxwwrb.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jmscko = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cqhcvkcxlzwnxbzys.exe"	yafov.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	whljbuilgrv.exe

Disables RegEdit via registry modification 8 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	yafov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	yafov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	yafov.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	whljbuilgrv.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	whljbuilgrv.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	yafov.exe

Checks computer location settings 2 TTPs 35 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	wmfcxoifvlkdpvvwsda.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	jausogbzqhhbovwyvhfw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	jausogbzqhhbovwyvhfw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	cqhcvkcxlzwnxbzys.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	viyskypjwjfvehec.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	wmfcxoifvlkdpvvwsda.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	lasoiyrncrphsxwwrb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	lasoiyrncrphsxwwrb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	cqhcvkcxlzwnxbzys.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	whljbuilgrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	wmfcxoifvlkdpvvwsda.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	wmfcxoifvlkdpvvwsda.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	wmfcxoifvlkdpvvwsda.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	cqhcvkcxlzwnxbzys.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	cqhcvkcxlzwnxbzys.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	viyskypjwjfvehec.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	viyskypjwjfvehec.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	whljbuilgrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	cqhcvkcxlzwnxbzys.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	yqlkhawvnfgbpxzcanmez.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	JaffaCakes118_90f643f9363aa893d0880b9a33cfe3d0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	jausogbzqhhbovwyvhfw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	yqlkhawvnfgbpxzcanmez.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	cqhcvkcxlzwnxbzys.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	yqlkhawvnfgbpxzcanmez.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	jausogbzqhhbovwyvhfw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	lasoiyrncrphsxwwrb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	viyskypjwjfvehec.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	viyskypjwjfvehec.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	wmfcxoifvlkdpvvwsda.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	cqhcvkcxlzwnxbzys.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	yqlkhawvnfgbpxzcanmez.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	wmfcxoifvlkdpvvwsda.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	cqhcvkcxlzwnxbzys.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	lasoiyrncrphsxwwrb.exe

Executes dropped EXE 64 IoCs

pid	Process
4612	whljbuilgrv.exe
4820	yqlkhawvnfgbpxzcanmez.exe
4264	wmfcxoifvlkdpvvwsda.exe
1220	cqhcvkcxlzwnxbzys.exe
676	lasoiyrncrphsxwwrb.exe
744	viyskypjwjfvehec.exe
1248	cqhcvkcxlzwnxbzys.exe
3252	whljbuilgrv.exe
3220	whljbuilgrv.exe
3936	viyskypjwjfvehec.exe
4064	whljbuilgrv.exe
4660	wmfcxoifvlkdpvvwsda.exe
1532	whljbuilgrv.exe
1328	yafov.exe
548	yafov.exe
4964	cqhcvkcxlzwnxbzys.exe
1032	yqlkhawvnfgbpxzcanmez.exe
4608	jausogbzqhhbovwyvhfw.exe
1684	whljbuilgrv.exe
216	yqlkhawvnfgbpxzcanmez.exe
4796	wmfcxoifvlkdpvvwsda.exe
4672	yqlkhawvnfgbpxzcanmez.exe
4644	whljbuilgrv.exe
3496	viyskypjwjfvehec.exe
4652	viyskypjwjfvehec.exe
3676	wmfcxoifvlkdpvvwsda.exe
3432	viyskypjwjfvehec.exe
2072	wmfcxoifvlkdpvvwsda.exe
3264	wmfcxoifvlkdpvvwsda.exe
384	lasoiyrncrphsxwwrb.exe
4124	cqhcvkcxlzwnxbzys.exe
844	wmfcxoifvlkdpvvwsda.exe
3452	viyskypjwjfvehec.exe
3408	whljbuilgrv.exe
972	whljbuilgrv.exe
2312	whljbuilgrv.exe
880	whljbuilgrv.exe
4608	whljbuilgrv.exe
3660	whljbuilgrv.exe
2552	yqlkhawvnfgbpxzcanmez.exe
2548	jausogbzqhhbovwyvhfw.exe
4732	lasoiyrncrphsxwwrb.exe
3868	whljbuilgrv.exe
2776	wmfcxoifvlkdpvvwsda.exe
4536	jausogbzqhhbovwyvhfw.exe
3888	viyskypjwjfvehec.exe
1848	whljbuilgrv.exe
1768	whljbuilgrv.exe
2248	wmfcxoifvlkdpvvwsda.exe
3564	lasoiyrncrphsxwwrb.exe
1784	whljbuilgrv.exe
852	whljbuilgrv.exe
700	yqlkhawvnfgbpxzcanmez.exe
4608	lasoiyrncrphsxwwrb.exe
4656	cqhcvkcxlzwnxbzys.exe
5024	whljbuilgrv.exe
600	cqhcvkcxlzwnxbzys.exe
5204	whljbuilgrv.exe
5256	jausogbzqhhbovwyvhfw.exe
5296	whljbuilgrv.exe
5600	cqhcvkcxlzwnxbzys.exe
5656	viyskypjwjfvehec.exe
5700	yqlkhawvnfgbpxzcanmez.exe
5776	whljbuilgrv.exe

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	yafov.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	yafov.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	yafov.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	yafov.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	yafov.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	yafov.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

defense_evasion persistence privilege_escalation

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qyjylugvdlc = "wmfcxoifvlkdpvvwsda.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nwiymwjzirjv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cqhcvkcxlzwnxbzys.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qyjylugvdlc = "viyskypjwjfvehec.exe ."	yafov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nwiymwjzirjv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\viyskypjwjfvehec.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wahsbgo = "yqlkhawvnfgbpxzcanmez.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vcmamuftah = "viyskypjwjfvehec.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nwiymwjzirjv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\viyskypjwjfvehec.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vcmamuftah = "wmfcxoifvlkdpvvwsda.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tdnvguhucjc = "ofwldysmbpphsxwwrb.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wahsbgo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\viyskypjwjfvehec.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vcmamuftah = "yqlkhawvnfgbpxzcanmez.exe"	yafov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mwjapaofpzsfl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\viyskypjwjfvehec.exe"	yafov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mwjapaofpzsfl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jausogbzqhhbovwyvhfw.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qyjylugvdlc = "yqlkhawvnfgbpxzcanmez.exe ."	yafov.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wahsbgo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cqhcvkcxlzwnxbzys.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lqykuajv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cqhcvkcxlzwnxbzys.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lqykuajv = "jausogbzqhhbovwyvhfw.exe ."	yafov.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vcmamuftah = "wmfcxoifvlkdpvvwsda.exe"	yafov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fnvbkwhsy = "fvlzqkdwkxwnxbzys.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qbmvhwkyhpjv = "zrjzsojeujkdpvvwsdd.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qbmvhwkyhpjv = "ofwldysmbpphsxwwrb.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qdqbpgwmxhdryz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zrjzsojeujkdpvvwsdd.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vcmamuftah = "cqhcvkcxlzwnxbzys.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lqykuajv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lasoiyrncrphsxwwrb.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mwjapaofpzsfl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yqlkhawvnfgbpxzcanmez.exe"	yafov.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wahsbgo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\viyskypjwjfvehec.exe"	yafov.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qyjylugvdlc = "wmfcxoifvlkdpvvwsda.exe ."	yafov.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wahsbgo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jausogbzqhhbovwyvhfw.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mwjapaofpzsfl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\viyskypjwjfvehec.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wahsbgo = "cqhcvkcxlzwnxbzys.exe"	yafov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wahsbgo = "yqlkhawvnfgbpxzcanmez.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mwjapaofpzsfl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jausogbzqhhbovwyvhfw.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lqykuajv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\viyskypjwjfvehec.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wahsbgo = "yqlkhawvnfgbpxzcanmez.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mwjapaofpzsfl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jausogbzqhhbovwyvhfw.exe"	yafov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lqykuajv = "wmfcxoifvlkdpvvwsda.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mwjapaofpzsfl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wmfcxoifvlkdpvvwsda.exe"	yafov.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vcmamuftah = "lasoiyrncrphsxwwrb.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wahsbgo = "lasoiyrncrphsxwwrb.exe"	yafov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mwjapaofpzsfl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lasoiyrncrphsxwwrb.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lqykuajv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wmfcxoifvlkdpvvwsda.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lqykuajv = "yqlkhawvnfgbpxzcanmez.exe ."	yafov.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qyjylugvdlc = "jausogbzqhhbovwyvhfw.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qyjylugvdlc = "jausogbzqhhbovwyvhfw.exe ."	yafov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qdqbpgwmxhdryz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fvlzqkdwkxwnxbzys.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lqykuajv = "cqhcvkcxlzwnxbzys.exe ."	yafov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wahsbgo = "viyskypjwjfvehec.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fnvbkwhsy = "bvphcaxumdgbpxzcanpjd.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pbnxkapeoxsfl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ofwldysmbpphsxwwrb.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wahsbgo = "yqlkhawvnfgbpxzcanmez.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nwiymwjzirjv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wmfcxoifvlkdpvvwsda.exe ."	yafov.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wahsbgo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cqhcvkcxlzwnxbzys.exe"	yafov.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lqykuajv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wmfcxoifvlkdpvvwsda.exe ."	yafov.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tdnvguhucjc = "mfypjgcypfhbovwyvhib.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ovchpaku = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bvphcaxumdgbpxzcanpjd.exe"	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nwiymwjzirjv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cqhcvkcxlzwnxbzys.exe ."	yafov.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lqykuajv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cqhcvkcxlzwnxbzys.exe ."	yafov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wahsbgo = "yqlkhawvnfgbpxzcanmez.exe"	yafov.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lqykuajv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lasoiyrncrphsxwwrb.exe ."	yafov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lqykuajv = "jausogbzqhhbovwyvhfw.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lqykuajv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cqhcvkcxlzwnxbzys.exe ."	yafov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lqykuajv = "cqhcvkcxlzwnxbzys.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qyjylugvdlc = "yqlkhawvnfgbpxzcanmez.exe ."	whljbuilgrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nwiymwjzirjv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lasoiyrncrphsxwwrb.exe ."	whljbuilgrv.exe

Checks whether UAC is enabled 1 TTPs 16 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	whljbuilgrv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	whljbuilgrv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	whljbuilgrv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yafov.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	yafov.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	whljbuilgrv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	whljbuilgrv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	yafov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yafov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 4 IoCs

Possible Turn off User Account Control's privilege elevation for standard users.

Executable Installer File Permissions Weakness

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	yafov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	yafov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	whljbuilgrv.exe

Looks up external IP address via web service 7 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
31	whatismyipaddress.com
34	www.whatismyip.ca
37	whatismyip.everdot.org
42	whatismyip.everdot.org
43	www.showmyipaddress.com
47	whatismyip.everdot.org
49	www.whatismyip.ca

Drops file in System32 directory 53 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\cqhcvkcxlzwnxbzys.exe	yafov.exe
File opened for modification	C:\Windows\SysWOW64\yqlkhawvnfgbpxzcanmez.exe	yafov.exe
File opened for modification	C:\Windows\SysWOW64\wmfcxoifvlkdpvvwsda.exe	yafov.exe
File opened for modification	C:\Windows\SysWOW64\jausogbzqhhbovwyvhfw.exe	yafov.exe
File opened for modification	C:\Windows\SysWOW64\awvyzwwzvrwvnzfmofied.hee	yafov.exe
File opened for modification	C:\Windows\SysWOW64\jausogbzqhhbovwyvhfw.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\lasoiyrncrphsxwwrb.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\lasoiyrncrphsxwwrb.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\pieecwttmfhdsbeihvvokk.exe	yafov.exe
File opened for modification	C:\Windows\SysWOW64\viyskypjwjfvehec.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\yqlkhawvnfgbpxzcanmez.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\pieecwttmfhdsbeihvvokk.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\wmfcxoifvlkdpvvwsda.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\viyskypjwjfvehec.exe	yafov.exe
File opened for modification	C:\Windows\SysWOW64\lasoiyrncrphsxwwrb.exe	yafov.exe
File opened for modification	C:\Windows\SysWOW64\cqhcvkcxlzwnxbzys.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\lasoiyrncrphsxwwrb.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\viyskypjwjfvehec.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\cqhcvkcxlzwnxbzys.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\yqlkhawvnfgbpxzcanmez.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\jausogbzqhhbovwyvhfw.exe	yafov.exe
File opened for modification	C:\Windows\SysWOW64\pieecwttmfhdsbeihvvokk.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\wmfcxoifvlkdpvvwsda.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\jausogbzqhhbovwyvhfw.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\lasoiyrncrphsxwwrb.exe	whljbuilgrv.exe
File created	C:\Windows\SysWOW64\vcmamuftahxhkhyqdftakyksdryfvfif.obd	yafov.exe
File opened for modification	C:\Windows\SysWOW64\yqlkhawvnfgbpxzcanmez.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\cqhcvkcxlzwnxbzys.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\yqlkhawvnfgbpxzcanmez.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\wmfcxoifvlkdpvvwsda.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\viyskypjwjfvehec.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\cqhcvkcxlzwnxbzys.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\lasoiyrncrphsxwwrb.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\yqlkhawvnfgbpxzcanmez.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\pieecwttmfhdsbeihvvokk.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\viyskypjwjfvehec.exe	yafov.exe
File opened for modification	C:\Windows\SysWOW64\cqhcvkcxlzwnxbzys.exe	yafov.exe
File opened for modification	C:\Windows\SysWOW64\wmfcxoifvlkdpvvwsda.exe	yafov.exe
File opened for modification	C:\Windows\SysWOW64\jausogbzqhhbovwyvhfw.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\lasoiyrncrphsxwwrb.exe	yafov.exe
File opened for modification	C:\Windows\SysWOW64\yqlkhawvnfgbpxzcanmez.exe	yafov.exe
File created	C:\Windows\SysWOW64\awvyzwwzvrwvnzfmofied.hee	yafov.exe
File opened for modification	C:\Windows\SysWOW64\viyskypjwjfvehec.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\vcmamuftahxhkhyqdftakyksdryfvfif.obd	yafov.exe
File opened for modification	C:\Windows\SysWOW64\pieecwttmfhdsbeihvvokk.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\wmfcxoifvlkdpvvwsda.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\pieecwttmfhdsbeihvvokk.exe	yafov.exe
File opened for modification	C:\Windows\SysWOW64\wmfcxoifvlkdpvvwsda.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\jausogbzqhhbovwyvhfw.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\viyskypjwjfvehec.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\pieecwttmfhdsbeihvvokk.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\cqhcvkcxlzwnxbzys.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\SysWOW64\jausogbzqhhbovwyvhfw.exe	whljbuilgrv.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\vcmamuftahxhkhyqdftakyksdryfvfif.obd	yafov.exe
File created	C:\Program Files (x86)\vcmamuftahxhkhyqdftakyksdryfvfif.obd	yafov.exe
File opened for modification	C:\Program Files (x86)\awvyzwwzvrwvnzfmofied.hee	yafov.exe
File created	C:\Program Files (x86)\awvyzwwzvrwvnzfmofied.hee	yafov.exe

Drops file in Windows directory 53 IoCs

description	ioc	Process
File opened for modification	C:\Windows\wmfcxoifvlkdpvvwsda.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\pieecwttmfhdsbeihvvokk.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\lasoiyrncrphsxwwrb.exe	yafov.exe
File opened for modification	C:\Windows\wmfcxoifvlkdpvvwsda.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\viyskypjwjfvehec.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\wmfcxoifvlkdpvvwsda.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\viyskypjwjfvehec.exe	yafov.exe
File opened for modification	C:\Windows\pieecwttmfhdsbeihvvokk.exe	yafov.exe
File created	C:\Windows\vcmamuftahxhkhyqdftakyksdryfvfif.obd	yafov.exe
File opened for modification	C:\Windows\pieecwttmfhdsbeihvvokk.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\cqhcvkcxlzwnxbzys.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\lasoiyrncrphsxwwrb.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\pieecwttmfhdsbeihvvokk.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\wmfcxoifvlkdpvvwsda.exe	yafov.exe
File opened for modification	C:\Windows\wmfcxoifvlkdpvvwsda.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\yqlkhawvnfgbpxzcanmez.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\cqhcvkcxlzwnxbzys.exe	yafov.exe
File opened for modification	C:\Windows\viyskypjwjfvehec.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\cqhcvkcxlzwnxbzys.exe	yafov.exe
File opened for modification	C:\Windows\wmfcxoifvlkdpvvwsda.exe	yafov.exe
File opened for modification	C:\Windows\jausogbzqhhbovwyvhfw.exe	yafov.exe
File opened for modification	C:\Windows\awvyzwwzvrwvnzfmofied.hee	yafov.exe
File opened for modification	C:\Windows\cqhcvkcxlzwnxbzys.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\cqhcvkcxlzwnxbzys.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\yqlkhawvnfgbpxzcanmez.exe	yafov.exe
File opened for modification	C:\Windows\yqlkhawvnfgbpxzcanmez.exe	yafov.exe
File created	C:\Windows\awvyzwwzvrwvnzfmofied.hee	yafov.exe
File opened for modification	C:\Windows\vcmamuftahxhkhyqdftakyksdryfvfif.obd	yafov.exe
File opened for modification	C:\Windows\jausogbzqhhbovwyvhfw.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\yqlkhawvnfgbpxzcanmez.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\lasoiyrncrphsxwwrb.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\jausogbzqhhbovwyvhfw.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\cqhcvkcxlzwnxbzys.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\jausogbzqhhbovwyvhfw.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\pieecwttmfhdsbeihvvokk.exe	yafov.exe
File opened for modification	C:\Windows\viyskypjwjfvehec.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\viyskypjwjfvehec.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\yqlkhawvnfgbpxzcanmez.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\cqhcvkcxlzwnxbzys.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\jausogbzqhhbovwyvhfw.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\lasoiyrncrphsxwwrb.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\wmfcxoifvlkdpvvwsda.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\yqlkhawvnfgbpxzcanmez.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\pieecwttmfhdsbeihvvokk.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\pieecwttmfhdsbeihvvokk.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\viyskypjwjfvehec.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\lasoiyrncrphsxwwrb.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\lasoiyrncrphsxwwrb.exe	yafov.exe
File opened for modification	C:\Windows\yqlkhawvnfgbpxzcanmez.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\viyskypjwjfvehec.exe	yafov.exe
File opened for modification	C:\Windows\jausogbzqhhbovwyvhfw.exe	yafov.exe
File opened for modification	C:\Windows\jausogbzqhhbovwyvhfw.exe	whljbuilgrv.exe
File opened for modification	C:\Windows\lasoiyrncrphsxwwrb.exe	whljbuilgrv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 53 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	viyskypjwjfvehec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jausogbzqhhbovwyvhfw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fvlzqkdwkxwnxbzys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zrjzsojeujkdpvvwsdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jausogbzqhhbovwyvhfw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cqhcvkcxlzwnxbzys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	whljbuilgrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yqlkhawvnfgbpxzcanmez.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmfcxoifvlkdpvvwsda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jausogbzqhhbovwyvhfw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mfypjgcypfhbovwyvhib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yqlkhawvnfgbpxzcanmez.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmfcxoifvlkdpvvwsda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	viyskypjwjfvehec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lasoiyrncrphsxwwrb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmfcxoifvlkdpvvwsda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	viyskypjwjfvehec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	whljbuilgrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cqhcvkcxlzwnxbzys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yqlkhawvnfgbpxzcanmez.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yqlkhawvnfgbpxzcanmez.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmfcxoifvlkdpvvwsda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	viyskypjwjfvehec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmfcxoifvlkdpvvwsda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmfcxoifvlkdpvvwsda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fvlzqkdwkxwnxbzys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cqhcvkcxlzwnxbzys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bvphcaxumdgbpxzcanpjd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_90f643f9363aa893d0880b9a33cfe3d0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yafov.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	viyskypjwjfvehec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cqhcvkcxlzwnxbzys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ofwldysmbpphsxwwrb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ofwldysmbpphsxwwrb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	viyskypjwjfvehec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cqhcvkcxlzwnxbzys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yqlkhawvnfgbpxzcanmez.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cqhcvkcxlzwnxbzys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jausogbzqhhbovwyvhfw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bvphcaxumdgbpxzcanpjd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mfypjgcypfhbovwyvhib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jausogbzqhhbovwyvhfw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zflpwgp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cqhcvkcxlzwnxbzys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lasoiyrncrphsxwwrb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cqhcvkcxlzwnxbzys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cqhcvkcxlzwnxbzys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lasoiyrncrphsxwwrb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bvphcaxumdgbpxzcanpjd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mfypjgcypfhbovwyvhib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yqlkhawvnfgbpxzcanmez.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmfcxoifvlkdpvvwsda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lasoiyrncrphsxwwrb.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2044	JaffaCakes118_90f643f9363aa893d0880b9a33cfe3d0.exe
2044	JaffaCakes118_90f643f9363aa893d0880b9a33cfe3d0.exe
2044	JaffaCakes118_90f643f9363aa893d0880b9a33cfe3d0.exe
2044	JaffaCakes118_90f643f9363aa893d0880b9a33cfe3d0.exe
2044	JaffaCakes118_90f643f9363aa893d0880b9a33cfe3d0.exe
2044	JaffaCakes118_90f643f9363aa893d0880b9a33cfe3d0.exe
2044	JaffaCakes118_90f643f9363aa893d0880b9a33cfe3d0.exe
2044	JaffaCakes118_90f643f9363aa893d0880b9a33cfe3d0.exe
2044	JaffaCakes118_90f643f9363aa893d0880b9a33cfe3d0.exe
2044	JaffaCakes118_90f643f9363aa893d0880b9a33cfe3d0.exe
2044	JaffaCakes118_90f643f9363aa893d0880b9a33cfe3d0.exe
2044	JaffaCakes118_90f643f9363aa893d0880b9a33cfe3d0.exe
2044	JaffaCakes118_90f643f9363aa893d0880b9a33cfe3d0.exe
2044	JaffaCakes118_90f643f9363aa893d0880b9a33cfe3d0.exe
2044	JaffaCakes118_90f643f9363aa893d0880b9a33cfe3d0.exe
2044	JaffaCakes118_90f643f9363aa893d0880b9a33cfe3d0.exe
1328	yafov.exe
1328	yafov.exe
2044	JaffaCakes118_90f643f9363aa893d0880b9a33cfe3d0.exe
2044	JaffaCakes118_90f643f9363aa893d0880b9a33cfe3d0.exe
2044	JaffaCakes118_90f643f9363aa893d0880b9a33cfe3d0.exe
2044	JaffaCakes118_90f643f9363aa893d0880b9a33cfe3d0.exe
2044	JaffaCakes118_90f643f9363aa893d0880b9a33cfe3d0.exe
2044	JaffaCakes118_90f643f9363aa893d0880b9a33cfe3d0.exe
2044	JaffaCakes118_90f643f9363aa893d0880b9a33cfe3d0.exe
2044	JaffaCakes118_90f643f9363aa893d0880b9a33cfe3d0.exe
2044	JaffaCakes118_90f643f9363aa893d0880b9a33cfe3d0.exe
2044	JaffaCakes118_90f643f9363aa893d0880b9a33cfe3d0.exe
2044	JaffaCakes118_90f643f9363aa893d0880b9a33cfe3d0.exe
2044	JaffaCakes118_90f643f9363aa893d0880b9a33cfe3d0.exe
2044	JaffaCakes118_90f643f9363aa893d0880b9a33cfe3d0.exe
2044	JaffaCakes118_90f643f9363aa893d0880b9a33cfe3d0.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1328	yafov.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 4612	2044	JaffaCakes118_90f643f9363aa893d0880b9a33cfe3d0.exe	88
PID 2044 wrote to memory of 4612	2044	JaffaCakes118_90f643f9363aa893d0880b9a33cfe3d0.exe	88
PID 2044 wrote to memory of 4612	2044	JaffaCakes118_90f643f9363aa893d0880b9a33cfe3d0.exe	88
PID 2692 wrote to memory of 4820	2692	cmd.exe	91
PID 2692 wrote to memory of 4820	2692	cmd.exe	91
PID 2692 wrote to memory of 4820	2692	cmd.exe	91
PID 3264 wrote to memory of 4264	3264	cmd.exe	94
PID 3264 wrote to memory of 4264	3264	cmd.exe	94
PID 3264 wrote to memory of 4264	3264	cmd.exe	94
PID 3788 wrote to memory of 1220	3788	cmd.exe	99
PID 3788 wrote to memory of 1220	3788	cmd.exe	99
PID 3788 wrote to memory of 1220	3788	cmd.exe	99
PID 2732 wrote to memory of 676	2732	cmd.exe	102
PID 2732 wrote to memory of 676	2732	cmd.exe	102
PID 2732 wrote to memory of 676	2732	cmd.exe	102
PID 4204 wrote to memory of 744	4204	cmd.exe	105
PID 4204 wrote to memory of 744	4204	cmd.exe	105
PID 4204 wrote to memory of 744	4204	cmd.exe	105
PID 1672 wrote to memory of 1248	1672	cmd.exe	106
PID 1672 wrote to memory of 1248	1672	cmd.exe	106
PID 1672 wrote to memory of 1248	1672	cmd.exe	106
PID 4264 wrote to memory of 3252	4264	wmfcxoifvlkdpvvwsda.exe	309
PID 4264 wrote to memory of 3252	4264	wmfcxoifvlkdpvvwsda.exe	309
PID 4264 wrote to memory of 3252	4264	wmfcxoifvlkdpvvwsda.exe	309
PID 676 wrote to memory of 3220	676	lasoiyrncrphsxwwrb.exe	361
PID 676 wrote to memory of 3220	676	lasoiyrncrphsxwwrb.exe	361
PID 676 wrote to memory of 3220	676	lasoiyrncrphsxwwrb.exe	361
PID 384 wrote to memory of 3936	384	cmd.exe	113
PID 384 wrote to memory of 3936	384	cmd.exe	113
PID 384 wrote to memory of 3936	384	cmd.exe	113
PID 1248 wrote to memory of 4064	1248	cqhcvkcxlzwnxbzys.exe	179
PID 1248 wrote to memory of 4064	1248	cqhcvkcxlzwnxbzys.exe	179
PID 1248 wrote to memory of 4064	1248	cqhcvkcxlzwnxbzys.exe	179
PID 764 wrote to memory of 4660	764	cmd.exe	115
PID 764 wrote to memory of 4660	764	cmd.exe	115
PID 764 wrote to memory of 4660	764	cmd.exe	115
PID 4660 wrote to memory of 1532	4660	wmfcxoifvlkdpvvwsda.exe	118
PID 4660 wrote to memory of 1532	4660	wmfcxoifvlkdpvvwsda.exe	118
PID 4660 wrote to memory of 1532	4660	wmfcxoifvlkdpvvwsda.exe	118
PID 4612 wrote to memory of 1328	4612	whljbuilgrv.exe	119
PID 4612 wrote to memory of 1328	4612	whljbuilgrv.exe	119
PID 4612 wrote to memory of 1328	4612	whljbuilgrv.exe	119
PID 4612 wrote to memory of 548	4612	whljbuilgrv.exe	120
PID 4612 wrote to memory of 548	4612	whljbuilgrv.exe	120
PID 4612 wrote to memory of 548	4612	whljbuilgrv.exe	120
PID 3088 wrote to memory of 4964	3088	cmd.exe	344
PID 3088 wrote to memory of 4964	3088	cmd.exe	344
PID 3088 wrote to memory of 4964	3088	cmd.exe	344
PID 3948 wrote to memory of 1032	3948	cmd.exe	132
PID 3948 wrote to memory of 1032	3948	cmd.exe	132
PID 3948 wrote to memory of 1032	3948	cmd.exe	132
PID 2748 wrote to memory of 4608	2748	cmd.exe	248
PID 2748 wrote to memory of 4608	2748	cmd.exe	248
PID 2748 wrote to memory of 4608	2748	cmd.exe	248
PID 4608 wrote to memory of 1684	4608	jausogbzqhhbovwyvhfw.exe	150
PID 4608 wrote to memory of 1684	4608	jausogbzqhhbovwyvhfw.exe	150
PID 4608 wrote to memory of 1684	4608	jausogbzqhhbovwyvhfw.exe	150
PID 3092 wrote to memory of 216	3092	cmd.exe	151
PID 3092 wrote to memory of 216	3092	cmd.exe	151
PID 3092 wrote to memory of 216	3092	cmd.exe	151
PID 4204 wrote to memory of 4796	4204	cmd.exe	160
PID 4204 wrote to memory of 4796	4204	cmd.exe	160
PID 4204 wrote to memory of 4796	4204	cmd.exe	160
PID 3576 wrote to memory of 4672	3576	cmd.exe	552

System policy modification 1 TTPs 56 IoCs

defense_evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	yafov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	yafov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	whljbuilgrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	yafov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	whljbuilgrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	whljbuilgrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	yafov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	yafov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	yafov.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	yafov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	yafov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yafov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	yafov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	yafov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	whljbuilgrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	yafov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	yafov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yafov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	yafov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	yafov.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	yafov.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	whljbuilgrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	whljbuilgrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	yafov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	yafov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	yafov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	yafov.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	whljbuilgrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	whljbuilgrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	yafov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	yafov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	yafov.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_90f643f9363aa893d0880b9a33cfe3d0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_90f643f9363aa893d0880b9a33cfe3d0.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
  "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_90f643f9363aa893d0880b9a33cfe3d0.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4612
- - C:\Users\Admin\AppData\Local\Temp\yafov.exe
    "C:\Users\Admin\AppData\Local\Temp\yafov.exe" "-C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:1328
- - C:\Users\Admin\AppData\Local\Temp\yafov.exe
    "C:\Users\Admin\AppData\Local\Temp\yafov.exe" "-C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqlkhawvnfgbpxzcanmez.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\yqlkhawvnfgbpxzcanmez.exe
  yqlkhawvnfgbpxzcanmez.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmfcxoifvlkdpvvwsda.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:3264
- C:\Windows\wmfcxoifvlkdpvvwsda.exe
  wmfcxoifvlkdpvvwsda.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4264
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\wmfcxoifvlkdpvvwsda.exe*."
    3⤵
    - Executes dropped EXE
    PID:3252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cqhcvkcxlzwnxbzys.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3788
- C:\Windows\cqhcvkcxlzwnxbzys.exe
  cqhcvkcxlzwnxbzys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c lasoiyrncrphsxwwrb.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Windows\lasoiyrncrphsxwwrb.exe
  lasoiyrncrphsxwwrb.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:676
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\lasoiyrncrphsxwwrb.exe*."
    3⤵
    - Executes dropped EXE
    PID:3220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4204
- C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1248
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\cqhcvkcxlzwnxbzys.exe*."
    3⤵
    - Executes dropped EXE
    PID:4064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:384
- C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
  2⤵
  - Executes dropped EXE
  PID:3936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:764
- C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe
  C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4660
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\wmfcxoifvlkdpvvwsda.exe*."
    3⤵
    - Executes dropped EXE
    PID:1532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqlkhawvnfgbpxzcanmez.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3948
- C:\Windows\yqlkhawvnfgbpxzcanmez.exe
  yqlkhawvnfgbpxzcanmez.exe
  2⤵
  - Executes dropped EXE
  PID:1032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cqhcvkcxlzwnxbzys.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3088
- C:\Windows\cqhcvkcxlzwnxbzys.exe
  cqhcvkcxlzwnxbzys.exe
  2⤵
  - Executes dropped EXE
  PID:4964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jausogbzqhhbovwyvhfw.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Windows\jausogbzqhhbovwyvhfw.exe
  jausogbzqhhbovwyvhfw.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4608
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\jausogbzqhhbovwyvhfw.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqlkhawvnfgbpxzcanmez.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:3092
- C:\Windows\yqlkhawvnfgbpxzcanmez.exe
  yqlkhawvnfgbpxzcanmez.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:216
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\yqlkhawvnfgbpxzcanmez.exe*."
    3⤵
    - Executes dropped EXE
    PID:4644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmfcxoifvlkdpvvwsda.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4204
- C:\Windows\wmfcxoifvlkdpvvwsda.exe
  wmfcxoifvlkdpvvwsda.exe
  2⤵
  - Executes dropped EXE
  PID:4796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqlkhawvnfgbpxzcanmez.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3576
- C:\Windows\yqlkhawvnfgbpxzcanmez.exe
  yqlkhawvnfgbpxzcanmez.exe
  2⤵
  - Executes dropped EXE
  PID:4672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c viyskypjwjfvehec.exe .
1⤵
PID:4264
- C:\Windows\viyskypjwjfvehec.exe
  viyskypjwjfvehec.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3496
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\viyskypjwjfvehec.exe*."
    3⤵
    - Executes dropped EXE
    PID:3408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmfcxoifvlkdpvvwsda.exe .
1⤵
PID:1060
- C:\Windows\wmfcxoifvlkdpvvwsda.exe
  wmfcxoifvlkdpvvwsda.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3264
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\wmfcxoifvlkdpvvwsda.exe*."
    3⤵
    - Executes dropped EXE
    PID:880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe
1⤵
PID:3188
- C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe
  C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe
  2⤵
  - Executes dropped EXE
  PID:2072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
1⤵
PID:4100
- C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
  2⤵
  - Executes dropped EXE
  PID:3432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe .
1⤵
PID:3192
- C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe
  C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3676
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\wmfcxoifvlkdpvvwsda.exe*."
    3⤵
    - Executes dropped EXE
    PID:2312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe .
1⤵
PID:4580
- C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4652
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\viyskypjwjfvehec.exe*."
    3⤵
    - Executes dropped EXE
    PID:972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
1⤵
PID:4648
- C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
  2⤵
  - Executes dropped EXE
  PID:3452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe
1⤵
PID:1448
- C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe
  2⤵
  - Executes dropped EXE
  PID:4124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe .
1⤵
PID:1096
- C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:384
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\lasoiyrncrphsxwwrb.exe*."
    3⤵
    - Executes dropped EXE
    PID:4608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe .
1⤵
PID:1424
- C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe
  C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:844
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\wmfcxoifvlkdpvvwsda.exe*."
    3⤵
    - Executes dropped EXE
    PID:3660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqlkhawvnfgbpxzcanmez.exe
1⤵
PID:3672
- C:\Windows\yqlkhawvnfgbpxzcanmez.exe
  yqlkhawvnfgbpxzcanmez.exe
  2⤵
  - Executes dropped EXE
  PID:2552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jausogbzqhhbovwyvhfw.exe .
1⤵
PID:1996
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4064
- C:\Windows\jausogbzqhhbovwyvhfw.exe
  jausogbzqhhbovwyvhfw.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2548
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\jausogbzqhhbovwyvhfw.exe*."
    3⤵
    - Executes dropped EXE
    PID:3868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c lasoiyrncrphsxwwrb.exe
1⤵
PID:1108
- C:\Windows\lasoiyrncrphsxwwrb.exe
  lasoiyrncrphsxwwrb.exe
  2⤵
  - Executes dropped EXE
  PID:4732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmfcxoifvlkdpvvwsda.exe .
1⤵
PID:4788
- C:\Windows\wmfcxoifvlkdpvvwsda.exe
  wmfcxoifvlkdpvvwsda.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2776
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\wmfcxoifvlkdpvvwsda.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - System Location Discovery: System Language Discovery
    - System policy modification
    PID:1848
  - - C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe
      "C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe" "-C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2592
  - - C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe
      "C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe" "-C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe"
      4⤵
      PID:2368
  - - C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe
      "C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe" "-C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe"
      4⤵
      PID:2864
  - - C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe
      "C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe" "-C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe"
      4⤵
      PID:2860
  - - C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe
      "C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe" "-C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe"
      4⤵
      PID:5364
  - - C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe
      "C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe" "-C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe"
      4⤵
      PID:5508
  - - C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe
      "C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe" "-C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe"
      4⤵
      PID:5368
  - - C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe
      "C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe" "-C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe"
      4⤵
      PID:1728
  - - C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe
      "C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe" "-C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe"
      4⤵
      PID:5876
  - - C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe
      "C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe" "-C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe"
      4⤵
      PID:5648
  - - C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe
      "C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe" "-C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe"
      4⤵
      PID:1888
  - - C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe
      "C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe" "-C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe"
      4⤵
      PID:6112
  - - C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe
      "C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe" "-C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe"
      4⤵
      PID:5620
  - - C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe
      "C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe" "-C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe"
      4⤵
      PID:4868
  - - C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe
      "C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe" "-C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe"
      4⤵
      PID:5484
  - - C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe
      "C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe" "-C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe"
      4⤵
      PID:4828
  - - C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe
      "C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe" "-C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe"
      4⤵
      PID:1680
  - - C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe
      "C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe" "-C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe"
      4⤵
      PID:2112
  - - C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe
      "C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe" "-C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe"
      4⤵
      PID:3040
  - - C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe
      "C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe" "-C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe"
      4⤵
      PID:3004
  - - C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe
      "C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe" "-C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe"
      4⤵
      PID:5240
  - - C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe
      "C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe" "-C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe"
      4⤵
      PID:1152
  - - C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe
      "C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe" "-C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe"
      4⤵
      PID:1620
  - - C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe
      "C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe" "-C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe"
      4⤵
      PID:5508
  - - C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe
      "C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe" "-C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe"
      4⤵
      PID:1200
  - - C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe
      "C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe" "-C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe"
      4⤵
      PID:5056
  - - C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe
      "C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe" "-C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe"
      4⤵
      PID:4632
  - - C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe
      "C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe" "-C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe"
      4⤵
      PID:5284
  - - C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe
      "C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe" "-C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe"
      4⤵
      PID:6008
  - - C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe
      "C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe" "-C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe"
      4⤵
      PID:3448
  - - C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe
      "C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe" "-C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe"
      4⤵
      PID:764
  - - C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe
      "C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe" "-C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe"
      4⤵
      PID:1948
  - - C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe
      "C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe" "-C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe"
      4⤵
      PID:6116
  - - C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe
      "C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe" "-C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe"
      4⤵
      PID:5336
  - - C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe
      "C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe" "-C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe"
      4⤵
      PID:2072
  - - C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe
      "C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe" "-C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe"
      4⤵
      PID:5344
  - - C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe
      "C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe" "-C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe"
      4⤵
      PID:1924
  - - C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe
      "C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe" "-C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe"
      4⤵
      PID:1720
  - - C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe
      "C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe" "-C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe"
      4⤵
      PID:5000
  - - C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe
      "C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe" "-C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe"
      4⤵
      PID:5344
  - - C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe
      "C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe" "-C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe"
      4⤵
      PID:3080
  - - C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe
      "C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe" "-C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe"
      4⤵
      PID:1660
  - - C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe
      "C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe" "-C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe"
      4⤵
      PID:6084
  - - C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe
      "C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe" "-C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe"
      4⤵
      PID:5036
  - - C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe
      "C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe" "-C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe"
      4⤵
      PID:1924
  - - C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe
      "C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe" "-C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe"
      4⤵
      PID:4880
  - - C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe
      "C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe" "-C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe"
      4⤵
      PID:6060
  - - C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe
      "C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe" "-C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe"
      4⤵
      PID:5688
  - - C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe
      "C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe" "-C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe"
      4⤵
      PID:5312
  - - C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe
      "C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe" "-C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe"
      4⤵
      PID:6020
  - - C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe
      "C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe" "-C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe"
      4⤵
      PID:5548
  - - C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe
      "C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe" "-C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe"
      4⤵
      PID:3936
  - - C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe
      "C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe" "-C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe"
      4⤵
      PID:3592
  - - C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe
      "C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe" "-C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe"
      4⤵
      PID:4268
  - - C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe
      "C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe" "-C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe"
      4⤵
      PID:1380
  - - C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe
      "C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe" "-C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe"
      4⤵
      PID:3052
  - - C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe
      "C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe" "-C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe"
      4⤵
      PID:1472
  - - C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe
      "C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe" "-C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe"
      4⤵
      PID:2736
  - - C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe
      "C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe" "-C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe"
      4⤵
      PID:5812
  - - C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe
      "C:\Users\Admin\AppData\Local\Temp\zflpwgp.exe" "-C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe"
      4⤵
      PID:4596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe
1⤵
PID:1448
- C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe
  C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe .
1⤵
PID:2280
- C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3888
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\viyskypjwjfvehec.exe*."
    3⤵
    - Executes dropped EXE
    PID:1768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe
1⤵
PID:3264
- C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe
  C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe
  2⤵
  - Executes dropped EXE
  PID:2248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe .
1⤵
PID:4044
- C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3564
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\lasoiyrncrphsxwwrb.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bvphcaxumdgbpxzcanpjd.exe
1⤵
PID:1936
- C:\Windows\bvphcaxumdgbpxzcanpjd.exe
  bvphcaxumdgbpxzcanpjd.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fvlzqkdwkxwnxbzys.exe .
1⤵
PID:3092
- C:\Windows\fvlzqkdwkxwnxbzys.exe
  fvlzqkdwkxwnxbzys.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:652
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\fvlzqkdwkxwnxbzys.exe*."
    3⤵
    - Executes dropped EXE
    PID:852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mfypjgcypfhbovwyvhib.exe
1⤵
PID:4864
- C:\Windows\mfypjgcypfhbovwyvhib.exe
  mfypjgcypfhbovwyvhib.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqlkhawvnfgbpxzcanmez.exe
1⤵
PID:776
- C:\Windows\yqlkhawvnfgbpxzcanmez.exe
  yqlkhawvnfgbpxzcanmez.exe
  2⤵
  - Executes dropped EXE
  PID:700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zrjzsojeujkdpvvwsdd.exe .
1⤵
PID:4116
- C:\Windows\zrjzsojeujkdpvvwsdd.exe
  zrjzsojeujkdpvvwsdd.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3080
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\zrjzsojeujkdpvvwsdd.exe*."
    3⤵
    - Executes dropped EXE
    PID:5024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c lasoiyrncrphsxwwrb.exe
1⤵
PID:3988
- C:\Windows\lasoiyrncrphsxwwrb.exe
  lasoiyrncrphsxwwrb.exe
  2⤵
  - Executes dropped EXE
  PID:4608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cqhcvkcxlzwnxbzys.exe
1⤵
PID:3048
- C:\Windows\cqhcvkcxlzwnxbzys.exe
  cqhcvkcxlzwnxbzys.exe
  2⤵
  - Executes dropped EXE
  PID:600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fvlzqkdwkxwnxbzys.exe
1⤵
PID:4032
- C:\Users\Admin\AppData\Local\Temp\fvlzqkdwkxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\fvlzqkdwkxwnxbzys.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cqhcvkcxlzwnxbzys.exe .
1⤵
PID:4144
- C:\Windows\cqhcvkcxlzwnxbzys.exe
  cqhcvkcxlzwnxbzys.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4656
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\cqhcvkcxlzwnxbzys.exe*."
    3⤵
    - Executes dropped EXE
    PID:5204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mfypjgcypfhbovwyvhib.exe .
1⤵
PID:2384
- C:\Users\Admin\AppData\Local\Temp\mfypjgcypfhbovwyvhib.exe
  C:\Users\Admin\AppData\Local\Temp\mfypjgcypfhbovwyvhib.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3220
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\mfypjgcypfhbovwyvhib.exe*."
    3⤵
    - Executes dropped EXE
    PID:5296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cqhcvkcxlzwnxbzys.exe .
1⤵
PID:4788
- C:\Windows\cqhcvkcxlzwnxbzys.exe
  cqhcvkcxlzwnxbzys.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5600
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\cqhcvkcxlzwnxbzys.exe*."
    3⤵
    PID:5880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqlkhawvnfgbpxzcanmez.exe .
1⤵
PID:1740
- C:\Windows\yqlkhawvnfgbpxzcanmez.exe
  yqlkhawvnfgbpxzcanmez.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5700
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\yqlkhawvnfgbpxzcanmez.exe*."
    3⤵
    PID:6056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c viyskypjwjfvehec.exe
1⤵
PID:440
- C:\Windows\viyskypjwjfvehec.exe
  viyskypjwjfvehec.exe
  2⤵
  - Executes dropped EXE
  PID:5656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jausogbzqhhbovwyvhfw.exe .
1⤵
PID:4652
- C:\Windows\jausogbzqhhbovwyvhfw.exe
  jausogbzqhhbovwyvhfw.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5256
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\jausogbzqhhbovwyvhfw.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqlkhawvnfgbpxzcanmez.exe
1⤵
PID:4548
- C:\Windows\yqlkhawvnfgbpxzcanmez.exe
  yqlkhawvnfgbpxzcanmez.exe
  2⤵
  PID:5860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmfcxoifvlkdpvvwsda.exe
1⤵
PID:3564
- C:\Windows\wmfcxoifvlkdpvvwsda.exe
  wmfcxoifvlkdpvvwsda.exe
  2⤵
  PID:5920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe
1⤵
PID:3408
- C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe
  C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe
  2⤵
  PID:5848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bvphcaxumdgbpxzcanpjd.exe
1⤵
PID:2452
- C:\Users\Admin\AppData\Local\Temp\bvphcaxumdgbpxzcanpjd.exe
  C:\Users\Admin\AppData\Local\Temp\bvphcaxumdgbpxzcanpjd.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe .
1⤵
PID:4468
- C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:6096
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\viyskypjwjfvehec.exe*."
    3⤵
    PID:1936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mfypjgcypfhbovwyvhib.exe .
1⤵
PID:2424
- C:\Users\Admin\AppData\Local\Temp\mfypjgcypfhbovwyvhib.exe
  C:\Users\Admin\AppData\Local\Temp\mfypjgcypfhbovwyvhib.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5984
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\mfypjgcypfhbovwyvhib.exe*."
    3⤵
    PID:3220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jausogbzqhhbovwyvhfw.exe .
1⤵
PID:3192
- C:\Windows\jausogbzqhhbovwyvhfw.exe
  jausogbzqhhbovwyvhfw.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5964
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\jausogbzqhhbovwyvhfw.exe*."
    3⤵
    PID:696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqlkhawvnfgbpxzcanmez.exe .
1⤵
PID:3684
- C:\Windows\yqlkhawvnfgbpxzcanmez.exe
  yqlkhawvnfgbpxzcanmez.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:6016
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\yqlkhawvnfgbpxzcanmez.exe*."
    3⤵
    PID:4316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe
1⤵
PID:2860
- C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe
  C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe
1⤵
PID:764
- C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe
  C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe
  2⤵
  PID:6104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe .
1⤵
PID:3152
- C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe
  C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5912
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\wmfcxoifvlkdpvvwsda.exe*."
    3⤵
    PID:3764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe .
1⤵
PID:5036
- C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:6112
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\cqhcvkcxlzwnxbzys.exe*."
    3⤵
    PID:5380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe
1⤵
PID:5152
- C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe
  2⤵
  PID:5940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe .
1⤵
PID:5288
- C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2068
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\viyskypjwjfvehec.exe*."
    3⤵
    PID:1568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
1⤵
PID:5392
- C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
  2⤵
  PID:3408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
1⤵
PID:5400
- C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
  2⤵
  PID:2072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe .
1⤵
PID:5480
- C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5244
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\cqhcvkcxlzwnxbzys.exe*."
    3⤵
    PID:5620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe .
1⤵
PID:5488
- C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:844
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\cqhcvkcxlzwnxbzys.exe*."
    3⤵
    PID:5644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c viyskypjwjfvehec.exe
1⤵
PID:4612
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3252
- C:\Windows\viyskypjwjfvehec.exe
  viyskypjwjfvehec.exe
  2⤵
  PID:5792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cqhcvkcxlzwnxbzys.exe .
1⤵
PID:60
- C:\Windows\cqhcvkcxlzwnxbzys.exe
  cqhcvkcxlzwnxbzys.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1608
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\cqhcvkcxlzwnxbzys.exe*."
    3⤵
    PID:5736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmfcxoifvlkdpvvwsda.exe
1⤵
PID:4868
- C:\Windows\wmfcxoifvlkdpvvwsda.exe
  wmfcxoifvlkdpvvwsda.exe
  2⤵
  PID:5768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqlkhawvnfgbpxzcanmez.exe .
1⤵
PID:2776
- C:\Windows\yqlkhawvnfgbpxzcanmez.exe
  yqlkhawvnfgbpxzcanmez.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:6000
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\yqlkhawvnfgbpxzcanmez.exe*."
    3⤵
    PID:4672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe
1⤵
PID:5860
- C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe
  2⤵
  PID:2880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe .
1⤵
PID:6008
- C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:6132
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\lasoiyrncrphsxwwrb.exe*."
    3⤵
    PID:1340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe
1⤵
PID:5136
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4964
- C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe
  C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe
  2⤵
  PID:3348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe .
1⤵
PID:1716
- C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1924
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\cqhcvkcxlzwnxbzys.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bvphcaxumdgbpxzcanpjd.exe
1⤵
PID:2232
- C:\Windows\bvphcaxumdgbpxzcanpjd.exe
  bvphcaxumdgbpxzcanpjd.exe
  2⤵
  PID:6072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bvphcaxumdgbpxzcanpjd.exe .
1⤵
PID:5636
- C:\Windows\bvphcaxumdgbpxzcanpjd.exe
  bvphcaxumdgbpxzcanpjd.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4960
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\bvphcaxumdgbpxzcanpjd.exe*."
    3⤵
    PID:5232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ofwldysmbpphsxwwrb.exe
1⤵
PID:960
- C:\Windows\ofwldysmbpphsxwwrb.exe
  ofwldysmbpphsxwwrb.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ofwldysmbpphsxwwrb.exe .
1⤵
PID:3220
- C:\Windows\ofwldysmbpphsxwwrb.exe
  ofwldysmbpphsxwwrb.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4600
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\ofwldysmbpphsxwwrb.exe*."
    3⤵
    PID:1728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrjzsojeujkdpvvwsdd.exe
1⤵
PID:5380
- C:\Users\Admin\AppData\Local\Temp\zrjzsojeujkdpvvwsdd.exe
  C:\Users\Admin\AppData\Local\Temp\zrjzsojeujkdpvvwsdd.exe
  2⤵
  PID:2424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqlkhawvnfgbpxzcanmez.exe
1⤵
PID:2828
- C:\Windows\yqlkhawvnfgbpxzcanmez.exe
  yqlkhawvnfgbpxzcanmez.exe
  2⤵
  PID:4204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofwldysmbpphsxwwrb.exe .
1⤵
PID:5408
- C:\Users\Admin\AppData\Local\Temp\ofwldysmbpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\ofwldysmbpphsxwwrb.exe .
  2⤵
  PID:1676
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\ofwldysmbpphsxwwrb.exe*."
    3⤵
    PID:5668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cqhcvkcxlzwnxbzys.exe .
1⤵
PID:5248
- C:\Windows\cqhcvkcxlzwnxbzys.exe
  cqhcvkcxlzwnxbzys.exe .
  2⤵
  PID:224
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\cqhcvkcxlzwnxbzys.exe*."
    3⤵
    PID:5736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofwldysmbpphsxwwrb.exe
1⤵
PID:2576
- C:\Users\Admin\AppData\Local\Temp\ofwldysmbpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\ofwldysmbpphsxwwrb.exe
  2⤵
  PID:5688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mfypjgcypfhbovwyvhib.exe .
1⤵
PID:5492
- C:\Users\Admin\AppData\Local\Temp\mfypjgcypfhbovwyvhib.exe
  C:\Users\Admin\AppData\Local\Temp\mfypjgcypfhbovwyvhib.exe .
  2⤵
  PID:1320
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\mfypjgcypfhbovwyvhib.exe*."
    3⤵
    PID:3020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c viyskypjwjfvehec.exe
1⤵
PID:5484
- C:\Windows\viyskypjwjfvehec.exe
  viyskypjwjfvehec.exe
  2⤵
  PID:5652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c viyskypjwjfvehec.exe .
1⤵
PID:4012
- C:\Windows\viyskypjwjfvehec.exe
  viyskypjwjfvehec.exe .
  2⤵
  PID:6024
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\viyskypjwjfvehec.exe*."
    3⤵
    PID:5404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe
1⤵
PID:6060
- C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe
  2⤵
  PID:5600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe .
1⤵
PID:5532
- C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe
  C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe .
  2⤵
  PID:6124
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\jausogbzqhhbovwyvhfw.exe*."
    3⤵
    PID:4076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe
1⤵
PID:6132
- C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe
  C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe
  2⤵
  PID:3408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe .
1⤵
PID:5700
- C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe .
  2⤵
  PID:1768
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\cqhcvkcxlzwnxbzys.exe*."
    3⤵
    PID:2408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c lasoiyrncrphsxwwrb.exe
1⤵
PID:2444
- C:\Windows\lasoiyrncrphsxwwrb.exe
  lasoiyrncrphsxwwrb.exe
  2⤵
  PID:4688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmfcxoifvlkdpvvwsda.exe .
1⤵
PID:2512
- C:\Windows\wmfcxoifvlkdpvvwsda.exe
  wmfcxoifvlkdpvvwsda.exe .
  2⤵
  PID:3988
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\wmfcxoifvlkdpvvwsda.exe*."
    3⤵
    PID:4664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jausogbzqhhbovwyvhfw.exe
1⤵
PID:5028
- C:\Windows\jausogbzqhhbovwyvhfw.exe
  jausogbzqhhbovwyvhfw.exe
  2⤵
  PID:3104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqlkhawvnfgbpxzcanmez.exe .
1⤵
PID:3808
- C:\Windows\yqlkhawvnfgbpxzcanmez.exe
  yqlkhawvnfgbpxzcanmez.exe .
  2⤵
  PID:2784
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\yqlkhawvnfgbpxzcanmez.exe*."
    3⤵
    PID:4596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe
1⤵
PID:6020
- C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe
  2⤵
  PID:1888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe .
1⤵
PID:4840
- C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe
  C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe .
  2⤵
  PID:5312
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\wmfcxoifvlkdpvvwsda.exe*."
    3⤵
    PID:5236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe
1⤵
PID:3868
- C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe
  2⤵
  PID:3692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe .
1⤵
PID:5444
- C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe
  C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe .
  2⤵
  PID:3080
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\yqlkhawvnfgbpxzcanmez.exe*."
    3⤵
    PID:1996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmfcxoifvlkdpvvwsda.exe
1⤵
PID:5216
- C:\Windows\wmfcxoifvlkdpvvwsda.exe
  wmfcxoifvlkdpvvwsda.exe
  2⤵
  PID:3252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jausogbzqhhbovwyvhfw.exe .
1⤵
PID:4568
- C:\Windows\jausogbzqhhbovwyvhfw.exe
  jausogbzqhhbovwyvhfw.exe .
  2⤵
  PID:5408
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\jausogbzqhhbovwyvhfw.exe*."
    3⤵
    PID:5788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqlkhawvnfgbpxzcanmez.exe
1⤵
PID:5712
- C:\Windows\yqlkhawvnfgbpxzcanmez.exe
  yqlkhawvnfgbpxzcanmez.exe
  2⤵
  PID:5792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jausogbzqhhbovwyvhfw.exe .
1⤵
PID:5828
- C:\Windows\jausogbzqhhbovwyvhfw.exe
  jausogbzqhhbovwyvhfw.exe .
  2⤵
  PID:5756
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\jausogbzqhhbovwyvhfw.exe*."
    3⤵
    PID:3020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe
1⤵
PID:5892
- C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe
  C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe
  2⤵
  PID:6084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe .
1⤵
PID:5924
- C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe
  C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe .
  2⤵
  PID:5820
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\yqlkhawvnfgbpxzcanmez.exe*."
    3⤵
    PID:5452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe
1⤵
PID:5616
- C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe
  C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe
  2⤵
  PID:1108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe .
1⤵
PID:3076
- C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe .
  2⤵
  PID:1096
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\cqhcvkcxlzwnxbzys.exe*."
    3⤵
    PID:4076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c lasoiyrncrphsxwwrb.exe
1⤵
PID:5580
- C:\Windows\lasoiyrncrphsxwwrb.exe
  lasoiyrncrphsxwwrb.exe
  2⤵
  PID:5424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqlkhawvnfgbpxzcanmez.exe .
1⤵
PID:1808
- C:\Windows\yqlkhawvnfgbpxzcanmez.exe
  yqlkhawvnfgbpxzcanmez.exe .
  2⤵
  PID:5456
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\yqlkhawvnfgbpxzcanmez.exe*."
    3⤵
    PID:5240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c viyskypjwjfvehec.exe
1⤵
PID:1532
- C:\Windows\viyskypjwjfvehec.exe
  viyskypjwjfvehec.exe
  2⤵
  PID:3332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqlkhawvnfgbpxzcanmez.exe .
1⤵
PID:1620
- C:\Windows\yqlkhawvnfgbpxzcanmez.exe
  yqlkhawvnfgbpxzcanmez.exe .
  2⤵
  PID:4520
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\yqlkhawvnfgbpxzcanmez.exe*."
    3⤵
    PID:696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe
1⤵
PID:4544
- C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe
  C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe
  2⤵
  PID:5932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe .
1⤵
PID:4548
- C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe .
  2⤵
  PID:3764
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\cqhcvkcxlzwnxbzys.exe*."
    3⤵
    PID:5740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
1⤵
PID:776
- C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
  2⤵
  PID:2476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe .
1⤵
PID:2328
- C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe .
  2⤵
  PID:2860
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\cqhcvkcxlzwnxbzys.exe*."
    3⤵
    PID:5236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmfcxoifvlkdpvvwsda.exe
1⤵
PID:1136
- C:\Windows\wmfcxoifvlkdpvvwsda.exe
  wmfcxoifvlkdpvvwsda.exe
  2⤵
  PID:3844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c lasoiyrncrphsxwwrb.exe .
1⤵
PID:4864
- C:\Windows\lasoiyrncrphsxwwrb.exe
  lasoiyrncrphsxwwrb.exe .
  2⤵
  PID:3808
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\lasoiyrncrphsxwwrb.exe*."
    3⤵
    PID:2016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cqhcvkcxlzwnxbzys.exe
1⤵
PID:4204
- C:\Windows\cqhcvkcxlzwnxbzys.exe
  cqhcvkcxlzwnxbzys.exe
  2⤵
  PID:4956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jausogbzqhhbovwyvhfw.exe
1⤵
PID:2080
- C:\Windows\jausogbzqhhbovwyvhfw.exe
  jausogbzqhhbovwyvhfw.exe
  2⤵
  PID:5112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c viyskypjwjfvehec.exe
1⤵
PID:5524
- C:\Windows\viyskypjwjfvehec.exe
  viyskypjwjfvehec.exe
  2⤵
  PID:5688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c viyskypjwjfvehec.exe .
1⤵
PID:1112
- C:\Windows\viyskypjwjfvehec.exe
  viyskypjwjfvehec.exe .
  2⤵
  PID:3048
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\viyskypjwjfvehec.exe*."
    3⤵
    PID:5412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqlkhawvnfgbpxzcanmez.exe .
1⤵
PID:5056
- C:\Windows\yqlkhawvnfgbpxzcanmez.exe
  yqlkhawvnfgbpxzcanmez.exe .
  2⤵
  PID:4672
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\yqlkhawvnfgbpxzcanmez.exe*."
    3⤵
    PID:1016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmfcxoifvlkdpvvwsda.exe .
1⤵
PID:2176
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3496
- C:\Windows\wmfcxoifvlkdpvvwsda.exe
  wmfcxoifvlkdpvvwsda.exe .
  2⤵
  PID:4124
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\wmfcxoifvlkdpvvwsda.exe*."
    3⤵
    PID:1888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe
1⤵
PID:3400
- C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe
  2⤵
  PID:5808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c lasoiyrncrphsxwwrb.exe
1⤵
PID:5840
- C:\Windows\lasoiyrncrphsxwwrb.exe
  lasoiyrncrphsxwwrb.exe
  2⤵
  PID:5700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe .
1⤵
PID:5652
- C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe
  C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe .
  2⤵
  PID:4468
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\yqlkhawvnfgbpxzcanmez.exe*."
    3⤵
    PID:1756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jausogbzqhhbovwyvhfw.exe
1⤵
PID:5792
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2552
- C:\Windows\jausogbzqhhbovwyvhfw.exe
  jausogbzqhhbovwyvhfw.exe
  2⤵
  PID:5764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cqhcvkcxlzwnxbzys.exe .
1⤵
PID:5248
- C:\Windows\cqhcvkcxlzwnxbzys.exe
  cqhcvkcxlzwnxbzys.exe .
  2⤵
  PID:4332
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\cqhcvkcxlzwnxbzys.exe*."
    3⤵
    PID:4528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c viyskypjwjfvehec.exe .
1⤵
PID:4492
- C:\Windows\viyskypjwjfvehec.exe
  viyskypjwjfvehec.exe .
  2⤵
  PID:5132
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\viyskypjwjfvehec.exe*."
    3⤵
    PID:776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe
1⤵
PID:2880
- C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe
  2⤵
  PID:3480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
1⤵
PID:5712
- C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
  2⤵
  PID:5668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe .
1⤵
PID:5944
- C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe
  C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe .
  2⤵
  PID:4564
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\yqlkhawvnfgbpxzcanmez.exe*."
    3⤵
    PID:2540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe .
1⤵
PID:5844
- C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe .
  2⤵
  PID:1936
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\lasoiyrncrphsxwwrb.exe*."
    3⤵
    PID:3696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
1⤵
PID:2776
- C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
  2⤵
  PID:5788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe .
1⤵
PID:2072
- C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe
  C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe .
  2⤵
  PID:4520
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\jausogbzqhhbovwyvhfw.exe*."
    3⤵
    PID:3660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe
1⤵
PID:1892
- C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe
  C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe
  2⤵
  PID:5624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe
1⤵
PID:2912
- C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe
  C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe
  2⤵
  PID:5020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe .
1⤵
PID:5364
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:880
- C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe .
  2⤵
  PID:4628
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\viyskypjwjfvehec.exe*."
    3⤵
    PID:3400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe .
1⤵
PID:5392
- C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe
  C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe .
  2⤵
  PID:5184
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\jausogbzqhhbovwyvhfw.exe*."
    3⤵
    PID:5812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqlkhawvnfgbpxzcanmez.exe
1⤵
PID:4316
- C:\Windows\yqlkhawvnfgbpxzcanmez.exe
  yqlkhawvnfgbpxzcanmez.exe
  2⤵
  PID:816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cqhcvkcxlzwnxbzys.exe .
1⤵
PID:1744
- C:\Windows\cqhcvkcxlzwnxbzys.exe
  cqhcvkcxlzwnxbzys.exe .
  2⤵
  PID:1856
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\cqhcvkcxlzwnxbzys.exe*."
    3⤵
    PID:2300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmfcxoifvlkdpvvwsda.exe
1⤵
PID:5284
- C:\Windows\wmfcxoifvlkdpvvwsda.exe
  wmfcxoifvlkdpvvwsda.exe
  2⤵
  PID:5816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c lasoiyrncrphsxwwrb.exe .
1⤵
PID:468
- C:\Windows\lasoiyrncrphsxwwrb.exe
  lasoiyrncrphsxwwrb.exe .
  2⤵
  PID:3076
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\lasoiyrncrphsxwwrb.exe*."
    3⤵
    PID:5280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe
1⤵
PID:2372
- C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe
  2⤵
  PID:4944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe .
1⤵
PID:5336
- C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe
  C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe .
  2⤵
  PID:5356
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\wmfcxoifvlkdpvvwsda.exe*."
    3⤵
    PID:5932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe
1⤵
PID:1032
- C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe
  C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe
  2⤵
  PID:4932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe .
1⤵
PID:2576
- C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe .
  2⤵
  PID:4072
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\cqhcvkcxlzwnxbzys.exe*."
    3⤵
    PID:2420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fvlzqkdwkxwnxbzys.exe
1⤵
PID:4268
- C:\Windows\fvlzqkdwkxwnxbzys.exe
  fvlzqkdwkxwnxbzys.exe
  2⤵
  PID:4172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fvlzqkdwkxwnxbzys.exe .
1⤵
PID:4468
- C:\Windows\fvlzqkdwkxwnxbzys.exe
  fvlzqkdwkxwnxbzys.exe .
  2⤵
  PID:764
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\fvlzqkdwkxwnxbzys.exe*."
    3⤵
    PID:3464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmfcxoifvlkdpvvwsda.exe
1⤵
PID:5624
- C:\Windows\wmfcxoifvlkdpvvwsda.exe
  wmfcxoifvlkdpvvwsda.exe
  2⤵
  PID:5852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fvlzqkdwkxwnxbzys.exe
1⤵
PID:6060
- C:\Windows\fvlzqkdwkxwnxbzys.exe
  fvlzqkdwkxwnxbzys.exe
  2⤵
  PID:60

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yncpfyqivhfvehec.exe .
1⤵
PID:4520
- C:\Windows\yncpfyqivhfvehec.exe
  yncpfyqivhfvehec.exe .
  2⤵
  PID:5240
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\yncpfyqivhfvehec.exe*."
    3⤵
    PID:4652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqlkhawvnfgbpxzcanmez.exe .
1⤵
PID:4008
- C:\Windows\yqlkhawvnfgbpxzcanmez.exe
  yqlkhawvnfgbpxzcanmez.exe .
  2⤵
  PID:2540
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\yqlkhawvnfgbpxzcanmez.exe*."
    3⤵
    PID:2400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fvlzqkdwkxwnxbzys.exe
1⤵
PID:5920
- C:\Users\Admin\AppData\Local\Temp\fvlzqkdwkxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\fvlzqkdwkxwnxbzys.exe
  2⤵
  PID:5836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe .
1⤵
PID:384
- C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe .
  2⤵
  PID:2452
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\yncpfyqivhfvehec.exe*."
    3⤵
    PID:1744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmfcxoifvlkdpvvwsda.exe
1⤵
PID:2312
- C:\Windows\wmfcxoifvlkdpvvwsda.exe
  wmfcxoifvlkdpvvwsda.exe
  2⤵
  PID:3576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jausogbzqhhbovwyvhfw.exe .
1⤵
PID:4516
- C:\Windows\jausogbzqhhbovwyvhfw.exe
  jausogbzqhhbovwyvhfw.exe .
  2⤵
  PID:1532
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\jausogbzqhhbovwyvhfw.exe*."
    3⤵
    PID:2016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe
1⤵
PID:3252
- C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe
  2⤵
  PID:5780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrjzsojeujkdpvvwsdd.exe
1⤵
PID:4656
- C:\Users\Admin\AppData\Local\Temp\zrjzsojeujkdpvvwsdd.exe
  C:\Users\Admin\AppData\Local\Temp\zrjzsojeujkdpvvwsdd.exe
  2⤵
  PID:4860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe .
1⤵
PID:5368
- C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe .
  2⤵
  PID:4140
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\viyskypjwjfvehec.exe*."
    3⤵
    PID:3220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bvphcaxumdgbpxzcanpjd.exe .
1⤵
PID:440
- C:\Users\Admin\AppData\Local\Temp\bvphcaxumdgbpxzcanpjd.exe
  C:\Users\Admin\AppData\Local\Temp\bvphcaxumdgbpxzcanpjd.exe .
  2⤵
  PID:5724
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\bvphcaxumdgbpxzcanpjd.exe*."
    3⤵
    PID:4032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe
1⤵
PID:5220
- C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe
  C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe
  2⤵
  PID:5664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe .
1⤵
PID:3028
- C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe
  C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe .
  2⤵
  PID:5280
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\yqlkhawvnfgbpxzcanmez.exe*."
    3⤵
    PID:5808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqlkhawvnfgbpxzcanmez.exe
1⤵
PID:4612
- C:\Windows\yqlkhawvnfgbpxzcanmez.exe
  yqlkhawvnfgbpxzcanmez.exe
  2⤵
  PID:4124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c viyskypjwjfvehec.exe .
1⤵
PID:5988
- C:\Windows\viyskypjwjfvehec.exe
  viyskypjwjfvehec.exe .
  2⤵
  PID:4960
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\viyskypjwjfvehec.exe*."
    3⤵
    PID:4648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c lasoiyrncrphsxwwrb.exe
1⤵
PID:6112
- C:\Windows\lasoiyrncrphsxwwrb.exe
  lasoiyrncrphsxwwrb.exe
  2⤵
  PID:5164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jausogbzqhhbovwyvhfw.exe .
1⤵
PID:2644
- C:\Windows\jausogbzqhhbovwyvhfw.exe
  jausogbzqhhbovwyvhfw.exe .
  2⤵
  PID:1924
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\jausogbzqhhbovwyvhfw.exe*."
    3⤵
    PID:4528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe
1⤵
PID:4244
- C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe
  C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe
  2⤵
  PID:696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe .
1⤵
PID:5056
- C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe .
  2⤵
  PID:2220
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\lasoiyrncrphsxwwrb.exe*."
    3⤵
    PID:1036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe
1⤵
PID:4044
- C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe
  C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe
  2⤵
  PID:5484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe .
1⤵
PID:6060
- C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe .
  2⤵
  PID:6100
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\cqhcvkcxlzwnxbzys.exe*."
    3⤵
    PID:6084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jausogbzqhhbovwyvhfw.exe
1⤵
PID:6092
- C:\Windows\jausogbzqhhbovwyvhfw.exe
  jausogbzqhhbovwyvhfw.exe
  2⤵
  PID:6076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqlkhawvnfgbpxzcanmez.exe .
1⤵
PID:3844
- C:\Windows\yqlkhawvnfgbpxzcanmez.exe
  yqlkhawvnfgbpxzcanmez.exe .
  2⤵
  PID:4676
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\yqlkhawvnfgbpxzcanmez.exe*."
    3⤵
    PID:4668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqlkhawvnfgbpxzcanmez.exe
1⤵
PID:6012
- C:\Windows\yqlkhawvnfgbpxzcanmez.exe
  yqlkhawvnfgbpxzcanmez.exe
  2⤵
  PID:5332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqlkhawvnfgbpxzcanmez.exe .
1⤵
PID:4956
- C:\Windows\yqlkhawvnfgbpxzcanmez.exe
  yqlkhawvnfgbpxzcanmez.exe .
  2⤵
  PID:5160
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\yqlkhawvnfgbpxzcanmez.exe*."
    3⤵
    PID:1676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe
1⤵
PID:5768
- C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe
  C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe
  2⤵
  PID:5352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe .
1⤵
PID:1136
- C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe .
  2⤵
  PID:2512
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\viyskypjwjfvehec.exe*."
    3⤵
    PID:1184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe
1⤵
PID:4516
- C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe
  2⤵
  PID:5420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe .
1⤵
PID:5324
- C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe .
  2⤵
  PID:5260
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\lasoiyrncrphsxwwrb.exe*."
    3⤵
    PID:1720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c lasoiyrncrphsxwwrb.exe
1⤵
PID:5448
- C:\Windows\lasoiyrncrphsxwwrb.exe
  lasoiyrncrphsxwwrb.exe
  2⤵
  PID:5656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jausogbzqhhbovwyvhfw.exe .
1⤵
PID:5280
- C:\Windows\jausogbzqhhbovwyvhfw.exe
  jausogbzqhhbovwyvhfw.exe .
  2⤵
  PID:2080
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\jausogbzqhhbovwyvhfw.exe*."
    3⤵
    PID:8

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jausogbzqhhbovwyvhfw.exe
1⤵
PID:5828
- C:\Windows\jausogbzqhhbovwyvhfw.exe
  jausogbzqhhbovwyvhfw.exe
  2⤵
  PID:3004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jausogbzqhhbovwyvhfw.exe .
1⤵
PID:428
- C:\Windows\jausogbzqhhbovwyvhfw.exe
  jausogbzqhhbovwyvhfw.exe .
  2⤵
  PID:4124
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\jausogbzqhhbovwyvhfw.exe*."
    3⤵
    PID:1344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe
1⤵
PID:2864
- C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe
  C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe
  2⤵
  PID:4960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe .
1⤵
PID:2084
- C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe .
  2⤵
  PID:5388
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\viyskypjwjfvehec.exe*."
    3⤵
    PID:5224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe
1⤵
PID:5216
- C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe
  C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe
  2⤵
  PID:5312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe .
1⤵
PID:1684
- C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe
  C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe .
  2⤵
  PID:5028
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\jausogbzqhhbovwyvhfw.exe*."
    3⤵
    PID:1672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cqhcvkcxlzwnxbzys.exe
1⤵
PID:6052
- C:\Windows\cqhcvkcxlzwnxbzys.exe
  cqhcvkcxlzwnxbzys.exe
  2⤵
  PID:3388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c lasoiyrncrphsxwwrb.exe .
1⤵
PID:5888
- C:\Windows\lasoiyrncrphsxwwrb.exe
  lasoiyrncrphsxwwrb.exe .
  2⤵
  PID:5944
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\lasoiyrncrphsxwwrb.exe*."
    3⤵
    PID:1748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jausogbzqhhbovwyvhfw.exe
1⤵
PID:6136
- C:\Windows\jausogbzqhhbovwyvhfw.exe
  jausogbzqhhbovwyvhfw.exe
  2⤵
  PID:5180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c viyskypjwjfvehec.exe .
1⤵
PID:700
- C:\Windows\viyskypjwjfvehec.exe
  viyskypjwjfvehec.exe .
  2⤵
  PID:5000
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\viyskypjwjfvehec.exe*."
    3⤵
    PID:4520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe
1⤵
PID:5868
- C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe
  2⤵
  PID:3800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe .
1⤵
PID:3660
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:6056
- C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe
  C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe .
  2⤵
  PID:5768
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\jausogbzqhhbovwyvhfw.exe*."
    3⤵
    PID:5824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqlkhawvnfgbpxzcanmez.exe
1⤵
PID:2452
- C:\Windows\yqlkhawvnfgbpxzcanmez.exe
  yqlkhawvnfgbpxzcanmez.exe
  2⤵
  PID:5040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c lasoiyrncrphsxwwrb.exe
1⤵
PID:2072
- C:\Windows\lasoiyrncrphsxwwrb.exe
  lasoiyrncrphsxwwrb.exe
  2⤵
  PID:2372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c lasoiyrncrphsxwwrb.exe .
1⤵
PID:2248
- C:\Windows\lasoiyrncrphsxwwrb.exe
  lasoiyrncrphsxwwrb.exe .
  2⤵
  PID:5876
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\lasoiyrncrphsxwwrb.exe*."
    3⤵
    PID:5524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe
1⤵
PID:5724
- C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe
  C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe
  2⤵
  PID:2428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe .
1⤵
PID:3220
- C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe
  C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe .
  2⤵
  PID:3104
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\yqlkhawvnfgbpxzcanmez.exe*."
    3⤵
    PID:4068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c lasoiyrncrphsxwwrb.exe .
1⤵
PID:5220
- C:\Windows\lasoiyrncrphsxwwrb.exe
  lasoiyrncrphsxwwrb.exe .
  2⤵
  PID:5476
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\lasoiyrncrphsxwwrb.exe*."
    3⤵
    PID:5740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jausogbzqhhbovwyvhfw.exe
1⤵
PID:5324
- C:\Windows\jausogbzqhhbovwyvhfw.exe
  jausogbzqhhbovwyvhfw.exe
  2⤵
  PID:5820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmfcxoifvlkdpvvwsda.exe
1⤵
PID:4288
- C:\Windows\wmfcxoifvlkdpvvwsda.exe
  wmfcxoifvlkdpvvwsda.exe
  2⤵
  PID:5420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cqhcvkcxlzwnxbzys.exe .
1⤵
PID:3080
- C:\Windows\cqhcvkcxlzwnxbzys.exe
  cqhcvkcxlzwnxbzys.exe .
  2⤵
  PID:5896
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\cqhcvkcxlzwnxbzys.exe*."
    3⤵
    PID:5156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c lasoiyrncrphsxwwrb.exe .
1⤵
PID:5340
- C:\Windows\lasoiyrncrphsxwwrb.exe
  lasoiyrncrphsxwwrb.exe .
  2⤵
  PID:2644
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\lasoiyrncrphsxwwrb.exe*."
    3⤵
    PID:2816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe
1⤵
PID:5596
- C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe
  C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe
  2⤵
  PID:2176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
1⤵
PID:5752
- C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
  2⤵
  PID:1744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe .
1⤵
PID:3888
- C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe .
  2⤵
  PID:3796
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\lasoiyrncrphsxwwrb.exe*."
    3⤵
    PID:4740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe .
1⤵
PID:3764
- C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe .
  2⤵
  PID:4492
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\viyskypjwjfvehec.exe*."
    3⤵
    PID:1524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe
1⤵
PID:5388
- C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe
  C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe
  2⤵
  PID:5944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe
1⤵
PID:1756
- C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe
  C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe
  2⤵
  PID:5456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe .
1⤵
PID:5244
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5600
- C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe .
  2⤵
  PID:1472
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\lasoiyrncrphsxwwrb.exe*."
    3⤵
    PID:960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c viyskypjwjfvehec.exe
1⤵
PID:4144
- C:\Windows\viyskypjwjfvehec.exe
  viyskypjwjfvehec.exe
  2⤵
  PID:5528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe .
1⤵
PID:2516
- C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe
  C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe .
  2⤵
  PID:3264
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\jausogbzqhhbovwyvhfw.exe*."
    3⤵
    PID:2300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmfcxoifvlkdpvvwsda.exe .
1⤵
PID:5172
- C:\Windows\wmfcxoifvlkdpvvwsda.exe
  wmfcxoifvlkdpvvwsda.exe .
  2⤵
  PID:232
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\wmfcxoifvlkdpvvwsda.exe*."
    3⤵
    PID:408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqlkhawvnfgbpxzcanmez.exe
1⤵
PID:1528
- C:\Windows\yqlkhawvnfgbpxzcanmez.exe
  yqlkhawvnfgbpxzcanmez.exe
  2⤵
  PID:4668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jausogbzqhhbovwyvhfw.exe .
1⤵
PID:4944
- C:\Windows\jausogbzqhhbovwyvhfw.exe
  jausogbzqhhbovwyvhfw.exe .
  2⤵
  PID:1708
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\jausogbzqhhbovwyvhfw.exe*."
    3⤵
    PID:3660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
1⤵
PID:5040
- C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
  2⤵
  PID:4108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe .
1⤵
PID:2548
- C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe
  C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe .
  2⤵
  PID:5396
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\wmfcxoifvlkdpvvwsda.exe*."
    3⤵
    PID:4672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
1⤵
PID:4632
- C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
  2⤵
  PID:3252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe .
1⤵
PID:1108
- C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe .
  2⤵
  PID:5644
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\lasoiyrncrphsxwwrb.exe*."
    3⤵
    PID:5148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c viyskypjwjfvehec.exe
1⤵
PID:2084
- C:\Windows\viyskypjwjfvehec.exe
  viyskypjwjfvehec.exe
  2⤵
  PID:4596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cqhcvkcxlzwnxbzys.exe .
1⤵
PID:5232
- C:\Windows\cqhcvkcxlzwnxbzys.exe
  cqhcvkcxlzwnxbzys.exe .
  2⤵
  PID:60
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\cqhcvkcxlzwnxbzys.exe*."
    3⤵
    PID:4432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c viyskypjwjfvehec.exe
1⤵
PID:6116
- C:\Windows\viyskypjwjfvehec.exe
  viyskypjwjfvehec.exe
  2⤵
  PID:2116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmfcxoifvlkdpvvwsda.exe .
1⤵
PID:432
- C:\Windows\wmfcxoifvlkdpvvwsda.exe
  wmfcxoifvlkdpvvwsda.exe .
  2⤵
  PID:1984
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\wmfcxoifvlkdpvvwsda.exe*."
    3⤵
    PID:5800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fvlzqkdwkxwnxbzys.exe
1⤵
PID:3868
- C:\Windows\fvlzqkdwkxwnxbzys.exe
  fvlzqkdwkxwnxbzys.exe
  2⤵
  PID:3080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
1⤵
PID:2736
- C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
  2⤵
  PID:5180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe .
1⤵
PID:2828
- C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe .
  2⤵
  PID:1936
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\viyskypjwjfvehec.exe*."
    3⤵
    PID:6080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ofwldysmbpphsxwwrb.exe .
1⤵
PID:5568
- C:\Windows\ofwldysmbpphsxwwrb.exe
  ofwldysmbpphsxwwrb.exe .
  2⤵
  PID:3876
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\ofwldysmbpphsxwwrb.exe*."
    3⤵
    PID:4612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mfypjgcypfhbovwyvhib.exe
1⤵
PID:4992
- C:\Windows\mfypjgcypfhbovwyvhib.exe
  mfypjgcypfhbovwyvhib.exe
  2⤵
  PID:2420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe
1⤵
PID:5636
- C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe
  C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe
  2⤵
  PID:5704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yncpfyqivhfvehec.exe .
1⤵
PID:1200
- C:\Windows\yncpfyqivhfvehec.exe
  yncpfyqivhfvehec.exe .
  2⤵
  PID:3476
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\yncpfyqivhfvehec.exe*."
    3⤵
    PID:652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe .
1⤵
PID:4332
- C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe
  C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe .
  2⤵
  PID:5028
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\yqlkhawvnfgbpxzcanmez.exe*."
    3⤵
    PID:4956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mfypjgcypfhbovwyvhib.exe
1⤵
PID:3452
- C:\Users\Admin\AppData\Local\Temp\mfypjgcypfhbovwyvhib.exe
  C:\Users\Admin\AppData\Local\Temp\mfypjgcypfhbovwyvhib.exe
  2⤵
  PID:1708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe .
1⤵
PID:6136
- C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\yncpfyqivhfvehec.exe .
  2⤵
  PID:5040
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\yncpfyqivhfvehec.exe*."
    3⤵
    PID:468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fvlzqkdwkxwnxbzys.exe
1⤵
PID:752
- C:\Users\Admin\AppData\Local\Temp\fvlzqkdwkxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\fvlzqkdwkxwnxbzys.exe
  2⤵
  PID:5184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fvlzqkdwkxwnxbzys.exe .
1⤵
PID:1688
- C:\Users\Admin\AppData\Local\Temp\fvlzqkdwkxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\fvlzqkdwkxwnxbzys.exe .
  2⤵
  PID:5816
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\fvlzqkdwkxwnxbzys.exe*."
    3⤵
    PID:3104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c viyskypjwjfvehec.exe
1⤵
PID:4140
- C:\Windows\viyskypjwjfvehec.exe
  viyskypjwjfvehec.exe
  2⤵
  PID:5276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmfcxoifvlkdpvvwsda.exe .
1⤵
PID:5400
- C:\Windows\wmfcxoifvlkdpvvwsda.exe
  wmfcxoifvlkdpvvwsda.exe .
  2⤵
  PID:3048
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\wmfcxoifvlkdpvvwsda.exe*."
    3⤵
    PID:5856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c viyskypjwjfvehec.exe
1⤵
PID:5820
- C:\Windows\viyskypjwjfvehec.exe
  viyskypjwjfvehec.exe
  2⤵
  PID:4788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmfcxoifvlkdpvvwsda.exe .
1⤵
PID:1108
- C:\Windows\wmfcxoifvlkdpvvwsda.exe
  wmfcxoifvlkdpvvwsda.exe .
  2⤵
  PID:5492
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\wmfcxoifvlkdpvvwsda.exe*."
    3⤵
    PID:4732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe
1⤵
PID:2864
- C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe
  C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe
  2⤵
  PID:5740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe .
1⤵
PID:5220
- C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe
  C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe .
  2⤵
  PID:4264
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\yqlkhawvnfgbpxzcanmez.exe*."
    3⤵
    PID:764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe
1⤵
PID:5596
- C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe
  C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe
  2⤵
  PID:5440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe .
1⤵
PID:5496
- C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe .
  2⤵
  PID:5348
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\cqhcvkcxlzwnxbzys.exe*."
    3⤵
    PID:432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqlkhawvnfgbpxzcanmez.exe
1⤵
PID:5332
- C:\Windows\yqlkhawvnfgbpxzcanmez.exe
  yqlkhawvnfgbpxzcanmez.exe
  2⤵
  PID:4612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqlkhawvnfgbpxzcanmez.exe .
1⤵
PID:4668
- C:\Windows\yqlkhawvnfgbpxzcanmez.exe
  yqlkhawvnfgbpxzcanmez.exe .
  2⤵
  PID:3020
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\yqlkhawvnfgbpxzcanmez.exe*."
    3⤵
    PID:5684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmfcxoifvlkdpvvwsda.exe
1⤵
PID:2748
- C:\Windows\wmfcxoifvlkdpvvwsda.exe
  wmfcxoifvlkdpvvwsda.exe
  2⤵
  PID:2880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jausogbzqhhbovwyvhfw.exe .
1⤵
PID:5352
- C:\Windows\jausogbzqhhbovwyvhfw.exe
  jausogbzqhhbovwyvhfw.exe .
  2⤵
  PID:2220
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\jausogbzqhhbovwyvhfw.exe*."
    3⤵
    PID:3592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
1⤵
PID:5388
- C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
  2⤵
  PID:5024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe .
1⤵
PID:6012
- C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe .
  2⤵
  PID:5520
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\viyskypjwjfvehec.exe*."
    3⤵
    PID:5448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
1⤵
PID:3800
- C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
  2⤵
  PID:1472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe .
1⤵
PID:6092
- C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe .
  2⤵
  PID:5624
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\lasoiyrncrphsxwwrb.exe*."
    3⤵
    PID:5040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jausogbzqhhbovwyvhfw.exe
1⤵
PID:5396
- C:\Windows\jausogbzqhhbovwyvhfw.exe
  jausogbzqhhbovwyvhfw.exe
  2⤵
  PID:5616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c lasoiyrncrphsxwwrb.exe .
1⤵
PID:4520
- C:\Windows\lasoiyrncrphsxwwrb.exe
  lasoiyrncrphsxwwrb.exe .
  2⤵
  PID:5884
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\lasoiyrncrphsxwwrb.exe*."
    3⤵
    PID:1888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqlkhawvnfgbpxzcanmez.exe
1⤵
PID:5192
- C:\Windows\yqlkhawvnfgbpxzcanmez.exe
  yqlkhawvnfgbpxzcanmez.exe
  2⤵
  PID:5500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c lasoiyrncrphsxwwrb.exe .
1⤵
PID:1688
- C:\Windows\lasoiyrncrphsxwwrb.exe
  lasoiyrncrphsxwwrb.exe .
  2⤵
  PID:3240
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\lasoiyrncrphsxwwrb.exe*."
    3⤵
    PID:3464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe
1⤵
PID:2912
- C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe
  C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe
  2⤵
  PID:1376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe .
1⤵
PID:5524
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3220
- C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe .
  2⤵
  PID:2552
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\viyskypjwjfvehec.exe*."
    3⤵
    PID:5456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe
1⤵
PID:3576
- C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe
  C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe
  2⤵
  PID:3868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe .
1⤵
PID:4484
- C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe
  C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe .
  2⤵
  PID:3140
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\wmfcxoifvlkdpvvwsda.exe*."
    3⤵
    PID:1716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqlkhawvnfgbpxzcanmez.exe
1⤵
PID:5308
- C:\Windows\yqlkhawvnfgbpxzcanmez.exe
  yqlkhawvnfgbpxzcanmez.exe
  2⤵
  PID:5472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c lasoiyrncrphsxwwrb.exe .
1⤵
PID:5348
- C:\Windows\lasoiyrncrphsxwwrb.exe
  lasoiyrncrphsxwwrb.exe .
  2⤵
  PID:4676
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\lasoiyrncrphsxwwrb.exe*."
    3⤵
    PID:5548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c lasoiyrncrphsxwwrb.exe
1⤵
PID:5216
- C:\Windows\lasoiyrncrphsxwwrb.exe
  lasoiyrncrphsxwwrb.exe
  2⤵
  PID:4044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jausogbzqhhbovwyvhfw.exe .
1⤵
PID:1332
- C:\Windows\jausogbzqhhbovwyvhfw.exe
  jausogbzqhhbovwyvhfw.exe .
  2⤵
  PID:5608
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\jausogbzqhhbovwyvhfw.exe*."
    3⤵
    PID:5768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe
1⤵
PID:3020
- C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe
  C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe
  2⤵
  PID:3040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe .
1⤵
PID:6076
- C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe
  C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe .
  2⤵
  PID:1676
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\yqlkhawvnfgbpxzcanmez.exe*."
    3⤵
    PID:3388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe
1⤵
PID:4344
- C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe
  2⤵
  PID:5888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe .
1⤵
PID:2476
- C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe
  C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe .
  2⤵
  PID:1944
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\jausogbzqhhbovwyvhfw.exe*."
    3⤵
    PID:1112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cqhcvkcxlzwnxbzys.exe
1⤵
PID:2252
- C:\Windows\cqhcvkcxlzwnxbzys.exe
  cqhcvkcxlzwnxbzys.exe
  2⤵
  PID:5772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmfcxoifvlkdpvvwsda.exe
1⤵
PID:5972
- C:\Windows\wmfcxoifvlkdpvvwsda.exe
  wmfcxoifvlkdpvvwsda.exe
  2⤵
  PID:4656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c viyskypjwjfvehec.exe .
1⤵
PID:5480
- C:\Windows\viyskypjwjfvehec.exe
  viyskypjwjfvehec.exe .
  2⤵
  PID:5252
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\viyskypjwjfvehec.exe*."
    3⤵
    PID:5400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c lasoiyrncrphsxwwrb.exe
1⤵
PID:4468
- C:\Windows\lasoiyrncrphsxwwrb.exe
  lasoiyrncrphsxwwrb.exe
  2⤵
  PID:5280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cqhcvkcxlzwnxbzys.exe .
1⤵
PID:5964
- C:\Windows\cqhcvkcxlzwnxbzys.exe
  cqhcvkcxlzwnxbzys.exe .
  2⤵
  PID:5128
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\cqhcvkcxlzwnxbzys.exe*."
    3⤵
    PID:6004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmfcxoifvlkdpvvwsda.exe
1⤵
PID:5840
- C:\Windows\wmfcxoifvlkdpvvwsda.exe
  wmfcxoifvlkdpvvwsda.exe
  2⤵
  PID:3184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c lasoiyrncrphsxwwrb.exe .
1⤵
PID:3252
- C:\Windows\lasoiyrncrphsxwwrb.exe
  lasoiyrncrphsxwwrb.exe .
  2⤵
  PID:5760
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\lasoiyrncrphsxwwrb.exe*."
    3⤵
    PID:5064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jausogbzqhhbovwyvhfw.exe .
1⤵
PID:3092
- C:\Windows\jausogbzqhhbovwyvhfw.exe
  jausogbzqhhbovwyvhfw.exe .
  2⤵
  PID:4484
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\jausogbzqhhbovwyvhfw.exe*."
    3⤵
    PID:5168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c viyskypjwjfvehec.exe
1⤵
PID:4788
- C:\Windows\viyskypjwjfvehec.exe
  viyskypjwjfvehec.exe
  2⤵
  PID:5180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe
1⤵
PID:5420
- C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe
  C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe
  2⤵
  PID:5568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqlkhawvnfgbpxzcanmez.exe .
1⤵
PID:5164
- C:\Windows\yqlkhawvnfgbpxzcanmez.exe
  yqlkhawvnfgbpxzcanmez.exe .
  2⤵
  PID:5148
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\yqlkhawvnfgbpxzcanmez.exe*."
    3⤵
    PID:1940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe .
1⤵
PID:5204
- C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe .
  2⤵
  PID:1812
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\cqhcvkcxlzwnxbzys.exe*."
    3⤵
    PID:4620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmfcxoifvlkdpvvwsda.exe
1⤵
PID:1228
- C:\Windows\wmfcxoifvlkdpvvwsda.exe
  wmfcxoifvlkdpvvwsda.exe
  2⤵
  PID:4668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
1⤵
PID:3868
- C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
  2⤵
  PID:5940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqlkhawvnfgbpxzcanmez.exe .
1⤵
PID:5676
- C:\Windows\yqlkhawvnfgbpxzcanmez.exe
  yqlkhawvnfgbpxzcanmez.exe .
  2⤵
  PID:4664
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\yqlkhawvnfgbpxzcanmez.exe*."
    3⤵
    PID:3088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe .
1⤵
PID:5416
- C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe .
  2⤵
  PID:3144
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\viyskypjwjfvehec.exe*."
    3⤵
    PID:5184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe
1⤵
PID:5792
- C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe
  C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe
  2⤵
  PID:5848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe
1⤵
PID:1008
- C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe
  C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe
  2⤵
  PID:4920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe .
1⤵
PID:5560
- C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe .
  2⤵
  PID:5704
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\viyskypjwjfvehec.exe*."
    3⤵
    PID:5468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe .
1⤵
PID:6080
- C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe
  C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe .
  2⤵
  PID:4276
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\jausogbzqhhbovwyvhfw.exe*."
    3⤵
    PID:6064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe
1⤵
PID:1952
- C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe
  C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe
  2⤵
  PID:5672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe .
1⤵
PID:600
- C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe
  C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe .
  2⤵
  PID:3348
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\yqlkhawvnfgbpxzcanmez.exe*."
    3⤵
    PID:5708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe
1⤵
PID:5684
- C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe
  C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe
  2⤵
  PID:5780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe .
1⤵
PID:5924
- C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe .
  2⤵
  PID:5556
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\cqhcvkcxlzwnxbzys.exe*."
    3⤵
    PID:4964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cqhcvkcxlzwnxbzys.exe
1⤵
PID:5872
- C:\Windows\cqhcvkcxlzwnxbzys.exe
  cqhcvkcxlzwnxbzys.exe
  2⤵
  PID:4432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmfcxoifvlkdpvvwsda.exe .
1⤵
PID:5724
- C:\Windows\wmfcxoifvlkdpvvwsda.exe
  wmfcxoifvlkdpvvwsda.exe .
  2⤵
  PID:3576
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\wmfcxoifvlkdpvvwsda.exe*."
    3⤵
    PID:4676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmfcxoifvlkdpvvwsda.exe
1⤵
PID:5480
- C:\Windows\wmfcxoifvlkdpvvwsda.exe
  wmfcxoifvlkdpvvwsda.exe
  2⤵
  PID:5180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c viyskypjwjfvehec.exe .
1⤵
PID:5948
- C:\Windows\viyskypjwjfvehec.exe
  viyskypjwjfvehec.exe .
  2⤵
  PID:1112
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\viyskypjwjfvehec.exe*."
    3⤵
    PID:3564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe
1⤵
PID:6060
- C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe
  2⤵
  PID:5788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe .
1⤵
PID:2140
- C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe
  C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe .
  2⤵
  PID:696
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\yqlkhawvnfgbpxzcanmez.exe*."
    3⤵
    PID:5516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe
1⤵
PID:1120
- C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe
  2⤵
  PID:1940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe .
1⤵
PID:5824
- C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe
  C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe .
  2⤵
  PID:2116
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\jausogbzqhhbovwyvhfw.exe*."
    3⤵
    PID:4176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jausogbzqhhbovwyvhfw.exe
1⤵
PID:5284
- C:\Windows\jausogbzqhhbovwyvhfw.exe
  jausogbzqhhbovwyvhfw.exe
  2⤵
  PID:2912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zrjzsojeujkdpvvwsdd.exe
1⤵
PID:5200
- C:\Windows\zrjzsojeujkdpvvwsdd.exe
  zrjzsojeujkdpvvwsdd.exe
  2⤵
  PID:3464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cqhcvkcxlzwnxbzys.exe .
1⤵
PID:4172
- C:\Windows\cqhcvkcxlzwnxbzys.exe
  cqhcvkcxlzwnxbzys.exe .
  2⤵
  PID:4652
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\cqhcvkcxlzwnxbzys.exe*."
    3⤵
    PID:5112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ofwldysmbpphsxwwrb.exe .
1⤵
PID:2172
- C:\Windows\ofwldysmbpphsxwwrb.exe
  ofwldysmbpphsxwwrb.exe .
  2⤵
  PID:6052
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\ofwldysmbpphsxwwrb.exe*."
    3⤵
    PID:4076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fvlzqkdwkxwnxbzys.exe
1⤵
PID:764
- C:\Windows\fvlzqkdwkxwnxbzys.exe
  fvlzqkdwkxwnxbzys.exe
  2⤵
  PID:3076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jausogbzqhhbovwyvhfw.exe
1⤵
PID:5888
- C:\Windows\jausogbzqhhbovwyvhfw.exe
  jausogbzqhhbovwyvhfw.exe
  2⤵
  PID:5396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fvlzqkdwkxwnxbzys.exe .
1⤵
PID:1768
- C:\Windows\fvlzqkdwkxwnxbzys.exe
  fvlzqkdwkxwnxbzys.exe .
  2⤵
  PID:5676
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\fvlzqkdwkxwnxbzys.exe*."
    3⤵
    PID:3700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cqhcvkcxlzwnxbzys.exe .
1⤵
PID:2312
- C:\Windows\cqhcvkcxlzwnxbzys.exe
  cqhcvkcxlzwnxbzys.exe .
  2⤵
  PID:4828
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\cqhcvkcxlzwnxbzys.exe*."
    3⤵
    PID:4580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofwldysmbpphsxwwrb.exe
1⤵
PID:5828
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:700
- C:\Users\Admin\AppData\Local\Temp\ofwldysmbpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\ofwldysmbpphsxwwrb.exe
  2⤵
  PID:1200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe
1⤵
PID:3088
- C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe
  2⤵
  PID:5400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fvlzqkdwkxwnxbzys.exe .
1⤵
PID:4028
- C:\Users\Admin\AppData\Local\Temp\fvlzqkdwkxwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\fvlzqkdwkxwnxbzys.exe .
  2⤵
  PID:1036
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\fvlzqkdwkxwnxbzys.exe*."
    3⤵
    PID:3212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe .
1⤵
PID:5276
- C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe .
  2⤵
  PID:5616
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\cqhcvkcxlzwnxbzys.exe*."
    3⤵
    PID:3612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofwldysmbpphsxwwrb.exe
1⤵
PID:5532
- C:\Users\Admin\AppData\Local\Temp\ofwldysmbpphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\ofwldysmbpphsxwwrb.exe
  2⤵
  PID:4840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe
1⤵
PID:5556
- C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe
  C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe
  2⤵
  PID:4676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mfypjgcypfhbovwyvhib.exe .
1⤵
PID:6008
- C:\Users\Admin\AppData\Local\Temp\mfypjgcypfhbovwyvhib.exe
  C:\Users\Admin\AppData\Local\Temp\mfypjgcypfhbovwyvhib.exe .
  2⤵
  PID:5300
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\mfypjgcypfhbovwyvhib.exe*."
    3⤵
    PID:4672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe .
1⤵
PID:5736
- C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe
  C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe .
  2⤵
  PID:3808
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\yqlkhawvnfgbpxzcanmez.exe*."
    3⤵
    PID:1808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c viyskypjwjfvehec.exe
1⤵
PID:5764
- C:\Windows\viyskypjwjfvehec.exe
  viyskypjwjfvehec.exe
  2⤵
  PID:2084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cqhcvkcxlzwnxbzys.exe .
1⤵
PID:2328
- C:\Windows\cqhcvkcxlzwnxbzys.exe
  cqhcvkcxlzwnxbzys.exe .
  2⤵
  PID:1932
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\cqhcvkcxlzwnxbzys.exe*."
    3⤵
    PID:5060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jausogbzqhhbovwyvhfw.exe
1⤵
PID:5376
- C:\Windows\jausogbzqhhbovwyvhfw.exe
  jausogbzqhhbovwyvhfw.exe
  2⤵
  PID:3264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqlkhawvnfgbpxzcanmez.exe .
1⤵
PID:4992
- C:\Windows\yqlkhawvnfgbpxzcanmez.exe
  yqlkhawvnfgbpxzcanmez.exe .
  2⤵
  PID:1716
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\yqlkhawvnfgbpxzcanmez.exe*."
    3⤵
    PID:1744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe
1⤵
PID:3096
- C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe
  2⤵
  PID:2424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe .
1⤵
PID:5212
- C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe
  C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe .
  2⤵
  PID:5984
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\wmfcxoifvlkdpvvwsda.exe*."
    3⤵
    PID:2836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe
1⤵
PID:4920
- C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe
  C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe
  2⤵
  PID:4860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe .
1⤵
PID:216
- C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe .
  2⤵
  PID:5792
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\cqhcvkcxlzwnxbzys.exe*."
    3⤵
    PID:5136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jausogbzqhhbovwyvhfw.exe
1⤵
PID:5164
- C:\Windows\jausogbzqhhbovwyvhfw.exe
  jausogbzqhhbovwyvhfw.exe
  2⤵
  PID:5572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jausogbzqhhbovwyvhfw.exe .
1⤵
PID:4140
- C:\Windows\jausogbzqhhbovwyvhfw.exe
  jausogbzqhhbovwyvhfw.exe .
  2⤵
  PID:5184
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\jausogbzqhhbovwyvhfw.exe*."
    3⤵
    PID:5772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jausogbzqhhbovwyvhfw.exe
1⤵
PID:4432
- C:\Windows\jausogbzqhhbovwyvhfw.exe
  jausogbzqhhbovwyvhfw.exe
  2⤵
  PID:1892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cqhcvkcxlzwnxbzys.exe .
1⤵
PID:3244
- C:\Windows\cqhcvkcxlzwnxbzys.exe
  cqhcvkcxlzwnxbzys.exe .
  2⤵
  PID:5780
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\cqhcvkcxlzwnxbzys.exe*."
    3⤵
    PID:5744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe
1⤵
PID:3744
- C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe
  C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe
  2⤵
  PID:4316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe .
1⤵
PID:4176
- C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe .
  2⤵
  PID:4004
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\lasoiyrncrphsxwwrb.exe*."
    3⤵
    PID:6092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe
1⤵
PID:5160
- C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe
  C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe
  2⤵
  PID:1532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe .
1⤵
PID:1524
- C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe
  C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe .
  2⤵
  PID:3660
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\yqlkhawvnfgbpxzcanmez.exe*."
    3⤵
    PID:5788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqlkhawvnfgbpxzcanmez.exe
1⤵
PID:5180
- C:\Windows\yqlkhawvnfgbpxzcanmez.exe
  yqlkhawvnfgbpxzcanmez.exe
  2⤵
  PID:468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c lasoiyrncrphsxwwrb.exe .
1⤵
PID:1184
- C:\Windows\lasoiyrncrphsxwwrb.exe
  lasoiyrncrphsxwwrb.exe .
  2⤵
  PID:924
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\lasoiyrncrphsxwwrb.exe*."
    3⤵
    PID:5708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c viyskypjwjfvehec.exe
1⤵
PID:3664
- C:\Windows\viyskypjwjfvehec.exe
  viyskypjwjfvehec.exe
  2⤵
  PID:2256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmfcxoifvlkdpvvwsda.exe .
1⤵
PID:5716
- C:\Windows\wmfcxoifvlkdpvvwsda.exe
  wmfcxoifvlkdpvvwsda.exe .
  2⤵
  PID:3496
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\wmfcxoifvlkdpvvwsda.exe*."
    3⤵
    PID:4224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe
1⤵
PID:1132
- C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe
  2⤵
  PID:5964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe .
1⤵
PID:1108
- C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe .
  2⤵
  PID:5568
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\lasoiyrncrphsxwwrb.exe*."
    3⤵
    PID:2880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe
1⤵
PID:4484
- C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe
  C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe
  2⤵
  PID:1676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe .
1⤵
PID:5240
- C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe
  C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe .
  2⤵
  PID:5748
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\jausogbzqhhbovwyvhfw.exe*."
    3⤵
    PID:1924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmfcxoifvlkdpvvwsda.exe
1⤵
PID:5984
- C:\Windows\wmfcxoifvlkdpvvwsda.exe
  wmfcxoifvlkdpvvwsda.exe
  2⤵
  PID:2220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c lasoiyrncrphsxwwrb.exe .
1⤵
PID:5408
- C:\Windows\lasoiyrncrphsxwwrb.exe
  lasoiyrncrphsxwwrb.exe .
  2⤵
  PID:5448
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\lasoiyrncrphsxwwrb.exe*."
    3⤵
    PID:1228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c lasoiyrncrphsxwwrb.exe
1⤵
PID:5904
- C:\Windows\lasoiyrncrphsxwwrb.exe
  lasoiyrncrphsxwwrb.exe
  2⤵
  PID:6052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmfcxoifvlkdpvvwsda.exe .
1⤵
PID:3140
- C:\Windows\wmfcxoifvlkdpvvwsda.exe
  wmfcxoifvlkdpvvwsda.exe .
  2⤵
  PID:5440
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\wmfcxoifvlkdpvvwsda.exe*."
    3⤵
    PID:32

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe
1⤵
PID:1812
- C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe
  C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe
  2⤵
  PID:3408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe .
1⤵
PID:4544
- C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe .
  2⤵
  PID:428
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\viyskypjwjfvehec.exe*."
    3⤵
    PID:4580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jausogbzqhhbovwyvhfw.exe
1⤵
PID:5868
- C:\Windows\jausogbzqhhbovwyvhfw.exe
  jausogbzqhhbovwyvhfw.exe
  2⤵
  PID:6116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c lasoiyrncrphsxwwrb.exe .
1⤵
PID:1520
- C:\Windows\lasoiyrncrphsxwwrb.exe
  lasoiyrncrphsxwwrb.exe .
  2⤵
  PID:5772
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\lasoiyrncrphsxwwrb.exe*."
    3⤵
    PID:5804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe
1⤵
PID:5028
- C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe
  C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe
  2⤵
  PID:5796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmfcxoifvlkdpvvwsda.exe
1⤵
PID:3608
- C:\Windows\wmfcxoifvlkdpvvwsda.exe
  wmfcxoifvlkdpvvwsda.exe
  2⤵
  PID:2248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe .
1⤵
PID:4520
- C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe
  C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe .
  2⤵
  PID:5416
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\yqlkhawvnfgbpxzcanmez.exe*."
    3⤵
    PID:1804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jausogbzqhhbovwyvhfw.exe
1⤵
PID:4316
- C:\Windows\jausogbzqhhbovwyvhfw.exe
  jausogbzqhhbovwyvhfw.exe
  2⤵
  PID:4528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmfcxoifvlkdpvvwsda.exe .
1⤵
PID:3332
- C:\Windows\wmfcxoifvlkdpvvwsda.exe
  wmfcxoifvlkdpvvwsda.exe .
  2⤵
  PID:5684
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\wmfcxoifvlkdpvvwsda.exe*."
    3⤵
    PID:2296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c viyskypjwjfvehec.exe .
1⤵
PID:5784
- C:\Windows\viyskypjwjfvehec.exe
  viyskypjwjfvehec.exe .
  2⤵
  PID:752
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\viyskypjwjfvehec.exe*."
    3⤵
    PID:5472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe
1⤵
PID:5340
- C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe
  C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe
  2⤵
  PID:1376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe .
1⤵
PID:2828
- C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe .
  2⤵
  PID:3080
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\viyskypjwjfvehec.exe*."
    3⤵
    PID:5060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yqlkhawvnfgbpxzcanmez.exe
1⤵
PID:5812
- C:\Windows\yqlkhawvnfgbpxzcanmez.exe
  yqlkhawvnfgbpxzcanmez.exe
  2⤵
  PID:5800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c viyskypjwjfvehec.exe .
1⤵
PID:2208
- C:\Windows\viyskypjwjfvehec.exe
  viyskypjwjfvehec.exe .
  2⤵
  PID:4580
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\viyskypjwjfvehec.exe*."
    3⤵
    PID:2548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe
1⤵
PID:5692
- C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe
  C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe
  2⤵
  PID:5848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe
1⤵
PID:5656
- C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe
  2⤵
  PID:5128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe .
1⤵
PID:924
- C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe .
  2⤵
  PID:6028
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\cqhcvkcxlzwnxbzys.exe*."
    3⤵
    PID:2220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe .
1⤵
PID:3668
- C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe
  C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe .
  2⤵
  PID:2424
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\wmfcxoifvlkdpvvwsda.exe*."
    3⤵
    PID:5428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmfcxoifvlkdpvvwsda.exe
1⤵
PID:5964
- C:\Windows\wmfcxoifvlkdpvvwsda.exe
  wmfcxoifvlkdpvvwsda.exe
  2⤵
  PID:2592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
1⤵
PID:4288
- C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
  2⤵
  PID:2540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmfcxoifvlkdpvvwsda.exe .
1⤵
PID:2372
- C:\Windows\wmfcxoifvlkdpvvwsda.exe
  wmfcxoifvlkdpvvwsda.exe .
  2⤵
  PID:5172
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\wmfcxoifvlkdpvvwsda.exe*."
    3⤵
    PID:4780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe .
1⤵
PID:1676
- C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe
  C:\Users\Admin\AppData\Local\Temp\cqhcvkcxlzwnxbzys.exe .
  2⤵
  PID:4360
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\cqhcvkcxlzwnxbzys.exe*."
    3⤵
    PID:6052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c lasoiyrncrphsxwwrb.exe
1⤵
PID:4268
- C:\Windows\lasoiyrncrphsxwwrb.exe
  lasoiyrncrphsxwwrb.exe
  2⤵
  PID:2336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c lasoiyrncrphsxwwrb.exe .
1⤵
PID:2740
- C:\Windows\lasoiyrncrphsxwwrb.exe
  lasoiyrncrphsxwwrb.exe .
  2⤵
  PID:3076
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\lasoiyrncrphsxwwrb.exe*."
    3⤵
    PID:4012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe
1⤵
PID:5752
- C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe
  C:\Users\Admin\AppData\Local\Temp\yqlkhawvnfgbpxzcanmez.exe
  2⤵
  PID:2780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe .
1⤵
PID:4920
- C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe
  C:\Users\Admin\AppData\Local\Temp\wmfcxoifvlkdpvvwsda.exe .
  2⤵
  PID:3408
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\wmfcxoifvlkdpvvwsda.exe*."
    3⤵
    PID:32

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
1⤵
PID:3140
- C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
  C:\Users\Admin\AppData\Local\Temp\viyskypjwjfvehec.exe
  2⤵
  PID:5192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe .
1⤵
PID:384
- C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe
  C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe .
  2⤵
  PID:5668
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\jausogbzqhhbovwyvhfw.exe*."
    3⤵
    PID:5196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c viyskypjwjfvehec.exe
1⤵
PID:5556
- C:\Windows\viyskypjwjfvehec.exe
  viyskypjwjfvehec.exe
  2⤵
  PID:3028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmfcxoifvlkdpvvwsda.exe .
1⤵
PID:5388
- C:\Windows\wmfcxoifvlkdpvvwsda.exe
  wmfcxoifvlkdpvvwsda.exe .
  2⤵
  PID:5460
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\wmfcxoifvlkdpvvwsda.exe*."
    3⤵
    PID:5348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmfcxoifvlkdpvvwsda.exe
1⤵
PID:440
- C:\Windows\wmfcxoifvlkdpvvwsda.exe
  wmfcxoifvlkdpvvwsda.exe
  2⤵
  PID:4548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jausogbzqhhbovwyvhfw.exe .
1⤵
PID:1520
- C:\Windows\jausogbzqhhbovwyvhfw.exe
  jausogbzqhhbovwyvhfw.exe .
  2⤵
  PID:1612
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\jausogbzqhhbovwyvhfw.exe*."
    3⤵
    PID:3496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe
1⤵
PID:4216
- C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe
  2⤵
  PID:4740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe .
1⤵
PID:5684
- C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe
  C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe .
  2⤵
  PID:6060
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\jausogbzqhhbovwyvhfw.exe*."
    3⤵
    PID:456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mfypjgcypfhbovwyvhib.exe
1⤵
PID:2296
- C:\Windows\mfypjgcypfhbovwyvhib.exe
  mfypjgcypfhbovwyvhib.exe
  2⤵
  PID:2828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe
1⤵
PID:2112
- C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe
  C:\Users\Admin\AppData\Local\Temp\lasoiyrncrphsxwwrb.exe
  2⤵
  PID:4992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fvlzqkdwkxwnxbzys.exe .
1⤵
PID:5180
- C:\Windows\fvlzqkdwkxwnxbzys.exe
  fvlzqkdwkxwnxbzys.exe .
  2⤵
  PID:5692
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\windows\fvlzqkdwkxwnxbzys.exe*."
    3⤵
    PID:412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe .
1⤵
PID:5176
- C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe
  C:\Users\Admin\AppData\Local\Temp\jausogbzqhhbovwyvhfw.exe .
  2⤵
  PID:5664
- - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
    "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\jausogbzqhhbovwyvhfw.exe*."
    3⤵
    PID:5428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bvphcaxumdgbpxzcanpjd.exe
1⤵
PID:2868
- C:\Windows\bvphcaxumdgbpxzcanpjd.exe
  bvphcaxumdgbpxzcanpjd.exe
  2⤵
  PID:4320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zrjzsojeujkdpvvwsdd.exe .
1⤵
PID:2176
- C:\Windows\zrjzsojeujkdpvvwsdd.exe
  zrjzsojeujkdpvvwsdd.exe .
  2⤵
  PID:4076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bvphcaxumdgbpxzcanpjd.exe
1⤵
PID:3564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Modify Registry