pykspa | d71b6dc6ae5cb09251e78d67a03302292b63af2cb2b95073b19ec2e08faa86bb

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	cghqxfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	cghqxfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bbygorkllli.exe

Pykspa
Pykspa is a worm spreads via Skype uses DGA and it's written in C++.
worm pykspa
Pykspa family
pykspa

UAC bypass 3 TTPs 28 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cghqxfj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cghqxfj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cghqxfj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	cghqxfj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cghqxfj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cghqxfj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	cghqxfj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cghqxfj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe

Detect Pykspa worm 2 IoCs

worm

resource	yara_rule
behavioral2/files/0x0024000000023c67-4.dat	family_pykspa
behavioral2/files/0x0007000000024211-84.dat	family_pykspa

Adds policy Run key to start application 2 TTPs 61 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wirixnzpftvzamy = "ewlidzrnjdlvcumzcnskz.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wirixnzpftvzamy = "boyqgxkbshkprerz.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tciwiverepop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\boyqgxkbshkprerz.exe"	cghqxfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wirixnzpftvzamy = "iwharjxphxbhkymvu.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tciwiverepop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iwharjxphxbhkymvu.exe"	cghqxfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wirixnzpftvzamy = "pguqkfwrmfmvbsjvxhlc.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wirixnzpftvzamy = "ewlidzrnjdlvcumzcnskz.exe"	cghqxfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wirixnzpftvzamy = "pguqkfwrmfmvbsjvxhlc.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wirixnzpftvzamy = "pguqkfwrmfmvbsjvxhlc.exe"	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wirixnzpftvzamy = "ewlidzrnjdlvcumzcnskz.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wirixnzpftvzamy = "iwharjxphxbhkymvu.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tciwiverepop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ewlidzrnjdlvcumzcnskz.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wirixnzpftvzamy = "rgsmexmfypubfujttb.exe"	cghqxfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tciwiverepop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iwharjxphxbhkymvu.exe"	cghqxfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tciwiverepop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\boyqgxkbshkprerz.exe"	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tciwiverepop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ewlidzrnjdlvcumzcnskz.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wirixnzpftvzamy = "boyqgxkbshkprerz.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tciwiverepop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rgsmexmfypubfujttb.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tciwiverepop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\boyqgxkbshkprerz.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tciwiverepop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\csfatndxrjpxcsitudg.exe"	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wirixnzpftvzamy = "boyqgxkbshkprerz.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wirixnzpftvzamy = "boyqgxkbshkprerz.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wirixnzpftvzamy = "pguqkfwrmfmvbsjvxhlc.exe"	cghqxfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tciwiverepop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\csfatndxrjpxcsitudg.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tciwiverepop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\boyqgxkbshkprerz.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wirixnzpftvzamy = "iwharjxphxbhkymvu.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wirixnzpftvzamy = "iwharjxphxbhkymvu.exe"	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wirixnzpftvzamy = "rgsmexmfypubfujttb.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tciwiverepop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ewlidzrnjdlvcumzcnskz.exe"	cghqxfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tciwiverepop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ewlidzrnjdlvcumzcnskz.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wirixnzpftvzamy = "csfatndxrjpxcsitudg.exe"	cghqxfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wirixnzpftvzamy = "rgsmexmfypubfujttb.exe"	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wirixnzpftvzamy = "rgsmexmfypubfujttb.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tciwiverepop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iwharjxphxbhkymvu.exe"	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tciwiverepop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pguqkfwrmfmvbsjvxhlc.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wirixnzpftvzamy = "ewlidzrnjdlvcumzcnskz.exe"	cghqxfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tciwiverepop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iwharjxphxbhkymvu.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tciwiverepop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pguqkfwrmfmvbsjvxhlc.exe"	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tciwiverepop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\csfatndxrjpxcsitudg.exe"	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	cghqxfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tciwiverepop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pguqkfwrmfmvbsjvxhlc.exe"	cghqxfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tciwiverepop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ewlidzrnjdlvcumzcnskz.exe"	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	cghqxfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tciwiverepop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ewlidzrnjdlvcumzcnskz.exe"	cghqxfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tciwiverepop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iwharjxphxbhkymvu.exe"	bbygorkllli.exe

Blocklisted process makes network request 5 IoCs

flow	pid	Process
65	2712	backgroundTaskHost.exe
66	2712	backgroundTaskHost.exe
67	2712	backgroundTaskHost.exe
73	1560	Process not Found
72	1560	Process not Found

Disables RegEdit via registry modification 6 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cghqxfj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cghqxfj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cghqxfj.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	bbygorkllli.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cghqxfj.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	pguqkfwrmfmvbsjvxhlc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	ewlidzrnjdlvcumzcnskz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	iwharjxphxbhkymvu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	pguqkfwrmfmvbsjvxhlc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	pguqkfwrmfmvbsjvxhlc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	rgsmexmfypubfujttb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	iwharjxphxbhkymvu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	iwharjxphxbhkymvu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	rgsmexmfypubfujttb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	bbygorkllli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	ewlidzrnjdlvcumzcnskz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	csfatndxrjpxcsitudg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	rgsmexmfypubfujttb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	rgsmexmfypubfujttb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	csfatndxrjpxcsitudg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	boyqgxkbshkprerz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	iwharjxphxbhkymvu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	boyqgxkbshkprerz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	boyqgxkbshkprerz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	pguqkfwrmfmvbsjvxhlc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	rgsmexmfypubfujttb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	csfatndxrjpxcsitudg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	boyqgxkbshkprerz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	csfatndxrjpxcsitudg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	boyqgxkbshkprerz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	ewlidzrnjdlvcumzcnskz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	boyqgxkbshkprerz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	boyqgxkbshkprerz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	ewlidzrnjdlvcumzcnskz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	csfatndxrjpxcsitudg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	ewlidzrnjdlvcumzcnskz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	rgsmexmfypubfujttb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	rgsmexmfypubfujttb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	rgsmexmfypubfujttb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	pguqkfwrmfmvbsjvxhlc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	boyqgxkbshkprerz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	boyqgxkbshkprerz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	csfatndxrjpxcsitudg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	ewlidzrnjdlvcumzcnskz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	csfatndxrjpxcsitudg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	rgsmexmfypubfujttb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	rgsmexmfypubfujttb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	iwharjxphxbhkymvu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	pguqkfwrmfmvbsjvxhlc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	ewlidzrnjdlvcumzcnskz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	ewlidzrnjdlvcumzcnskz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	boyqgxkbshkprerz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	ewlidzrnjdlvcumzcnskz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	csfatndxrjpxcsitudg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	iwharjxphxbhkymvu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	ewlidzrnjdlvcumzcnskz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	rgsmexmfypubfujttb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	pguqkfwrmfmvbsjvxhlc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	rgsmexmfypubfujttb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	pguqkfwrmfmvbsjvxhlc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	iwharjxphxbhkymvu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	boyqgxkbshkprerz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	csfatndxrjpxcsitudg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	iwharjxphxbhkymvu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	iwharjxphxbhkymvu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	csfatndxrjpxcsitudg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	ewlidzrnjdlvcumzcnskz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	boyqgxkbshkprerz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	pguqkfwrmfmvbsjvxhlc.exe

Executes dropped EXE 64 IoCs

pid	Process
3216	bbygorkllli.exe
1536	csfatndxrjpxcsitudg.exe
2480	pguqkfwrmfmvbsjvxhlc.exe
4064	bbygorkllli.exe
1116	ewlidzrnjdlvcumzcnskz.exe
1752	csfatndxrjpxcsitudg.exe
2344	iwharjxphxbhkymvu.exe
3456	bbygorkllli.exe
1764	ewlidzrnjdlvcumzcnskz.exe
1416	bbygorkllli.exe
3684	iwharjxphxbhkymvu.exe
2432	rgsmexmfypubfujttb.exe
2408	bbygorkllli.exe
4140	cghqxfj.exe
4528	cghqxfj.exe
1308	csfatndxrjpxcsitudg.exe
1748	csfatndxrjpxcsitudg.exe
4460	rgsmexmfypubfujttb.exe
4212	rgsmexmfypubfujttb.exe
2096	bbygorkllli.exe
4408	iwharjxphxbhkymvu.exe
1872	bbygorkllli.exe
4788	csfatndxrjpxcsitudg.exe
8	boyqgxkbshkprerz.exe
1964	csfatndxrjpxcsitudg.exe
3932	iwharjxphxbhkymvu.exe
1404	ewlidzrnjdlvcumzcnskz.exe
1316	boyqgxkbshkprerz.exe
3728	bbygorkllli.exe
4832	bbygorkllli.exe
4112	bbygorkllli.exe
3920	ewlidzrnjdlvcumzcnskz.exe
2332	ewlidzrnjdlvcumzcnskz.exe
3876	rgsmexmfypubfujttb.exe
3768	boyqgxkbshkprerz.exe
2344	bbygorkllli.exe
2312	rgsmexmfypubfujttb.exe
3304	bbygorkllli.exe
840	bbygorkllli.exe
3392	iwharjxphxbhkymvu.exe
1032	boyqgxkbshkprerz.exe
1872	bbygorkllli.exe
3916	rgsmexmfypubfujttb.exe
4392	pguqkfwrmfmvbsjvxhlc.exe
4232	ewlidzrnjdlvcumzcnskz.exe
1560	bbygorkllli.exe
3356	rgsmexmfypubfujttb.exe
4500	bbygorkllli.exe
2220	boyqgxkbshkprerz.exe
4976	ewlidzrnjdlvcumzcnskz.exe
3000	bbygorkllli.exe
4388	csfatndxrjpxcsitudg.exe
2232	ewlidzrnjdlvcumzcnskz.exe
4884	pguqkfwrmfmvbsjvxhlc.exe
1748	iwharjxphxbhkymvu.exe
4436	rgsmexmfypubfujttb.exe
4476	bbygorkllli.exe
2676	ewlidzrnjdlvcumzcnskz.exe
3260	bbygorkllli.exe
1308	boyqgxkbshkprerz.exe
916	csfatndxrjpxcsitudg.exe
3288	ewlidzrnjdlvcumzcnskz.exe
2848	rgsmexmfypubfujttb.exe
2184	bbygorkllli.exe

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	cghqxfj.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	cghqxfj.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	cghqxfj.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	cghqxfj.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	cghqxfj.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	cghqxfj.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

defense_evasion persistence privilege_escalation

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rgsmexmfypubfujttb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pguqkfwrmfmvbsjvxhlc.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\iwharjxphxbhkymvu = "pguqkfwrmfmvbsjvxhlc.exe ."	cghqxfj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\boyqgxkbshkprerz = "csfatndxrjpxcsitudg.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\boyqgxkbshkprerz = "boyqgxkbshkprerz.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\scjylzjxlxxzy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rgsmexmfypubfujttb.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\temcqfqfuhillw = "boyqgxkbshkprerz.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\boyqgxkbshkprerz = "rgsmexmfypubfujttb.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\iwharjxphxbhkymvu = "boyqgxkbshkprerz.exe ."	cghqxfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\csfatndxrjpxcsitudg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iwharjxphxbhkymvu.exe"	cghqxfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\csfatndxrjpxcsitudg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ewlidzrnjdlvcumzcnskz.exe"	cghqxfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\scjylzjxlxxzy = "csfatndxrjpxcsitudg.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\csfatndxrjpxcsitudg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\csfatndxrjpxcsitudg.exe"	cghqxfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\temcqfqfuhillw = "boyqgxkbshkprerz.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\boyqgxkbshkprerz = "boyqgxkbshkprerz.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\temcqfqfuhillw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pguqkfwrmfmvbsjvxhlc.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\csfatndxrjpxcsitudg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\boyqgxkbshkprerz.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\iwharjxphxbhkymvu = "boyqgxkbshkprerz.exe ."	cghqxfj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\scjylzjxlxxzy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\boyqgxkbshkprerz.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\csfatndxrjpxcsitudg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\csfatndxrjpxcsitudg.exe"	cghqxfj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\iwharjxphxbhkymvu = "boyqgxkbshkprerz.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\scjylzjxlxxzy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rgsmexmfypubfujttb.exe"	cghqxfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\temcqfqfuhillw = "ewlidzrnjdlvcumzcnskz.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\scjylzjxlxxzy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pguqkfwrmfmvbsjvxhlc.exe"	cghqxfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\scjylzjxlxxzy = "csfatndxrjpxcsitudg.exe"	cghqxfj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\iwharjxphxbhkymvu = "iwharjxphxbhkymvu.exe ."	cghqxfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\csfatndxrjpxcsitudg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pguqkfwrmfmvbsjvxhlc.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\temcqfqfuhillw = "csfatndxrjpxcsitudg.exe ."	cghqxfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rgsmexmfypubfujttb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iwharjxphxbhkymvu.exe ."	cghqxfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\scjylzjxlxxzy = "rgsmexmfypubfujttb.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\csfatndxrjpxcsitudg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\csfatndxrjpxcsitudg.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\boyqgxkbshkprerz = "csfatndxrjpxcsitudg.exe"	cghqxfj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\temcqfqfuhillw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iwharjxphxbhkymvu.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rgsmexmfypubfujttb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\boyqgxkbshkprerz.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rgsmexmfypubfujttb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pguqkfwrmfmvbsjvxhlc.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\temcqfqfuhillw = "csfatndxrjpxcsitudg.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\iwharjxphxbhkymvu = "csfatndxrjpxcsitudg.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\temcqfqfuhillw = "rgsmexmfypubfujttb.exe ."	cghqxfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\temcqfqfuhillw = "boyqgxkbshkprerz.exe ."	cghqxfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\temcqfqfuhillw = "ewlidzrnjdlvcumzcnskz.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\scjylzjxlxxzy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iwharjxphxbhkymvu.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\iwharjxphxbhkymvu = "iwharjxphxbhkymvu.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\boyqgxkbshkprerz = "rgsmexmfypubfujttb.exe"	cghqxfj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\scjylzjxlxxzy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iwharjxphxbhkymvu.exe"	cghqxfj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\scjylzjxlxxzy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pguqkfwrmfmvbsjvxhlc.exe"	cghqxfj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\iwharjxphxbhkymvu = "boyqgxkbshkprerz.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\csfatndxrjpxcsitudg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\csfatndxrjpxcsitudg.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\temcqfqfuhillw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\csfatndxrjpxcsitudg.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rgsmexmfypubfujttb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\csfatndxrjpxcsitudg.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\boyqgxkbshkprerz = "rgsmexmfypubfujttb.exe"	cghqxfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\csfatndxrjpxcsitudg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\boyqgxkbshkprerz.exe"	cghqxfj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\iwharjxphxbhkymvu = "ewlidzrnjdlvcumzcnskz.exe ."	cghqxfj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\scjylzjxlxxzy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ewlidzrnjdlvcumzcnskz.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\iwharjxphxbhkymvu = "boyqgxkbshkprerz.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\iwharjxphxbhkymvu = "pguqkfwrmfmvbsjvxhlc.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\scjylzjxlxxzy = "rgsmexmfypubfujttb.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\scjylzjxlxxzy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\csfatndxrjpxcsitudg.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\scjylzjxlxxzy = "boyqgxkbshkprerz.exe"	cghqxfj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\temcqfqfuhillw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\boyqgxkbshkprerz.exe ."	cghqxfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\scjylzjxlxxzy = "ewlidzrnjdlvcumzcnskz.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\boyqgxkbshkprerz = "ewlidzrnjdlvcumzcnskz.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\temcqfqfuhillw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ewlidzrnjdlvcumzcnskz.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\iwharjxphxbhkymvu = "iwharjxphxbhkymvu.exe ."	cghqxfj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\boyqgxkbshkprerz = "rgsmexmfypubfujttb.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rgsmexmfypubfujttb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rgsmexmfypubfujttb.exe ."	bbygorkllli.exe

Checks whether UAC is enabled 1 TTPs 38 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bbygorkllli.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bbygorkllli.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bbygorkllli.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bbygorkllli.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bbygorkllli.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cghqxfj.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bbygorkllli.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bbygorkllli.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bbygorkllli.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cghqxfj.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cghqxfj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cghqxfj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bbygorkllli.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs

Possible Turn off User Account Control's privilege elevation for standard users.

Executable Installer File Permissions Weakness

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	cghqxfj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	cghqxfj.exe

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
47	www.whatismyip.ca
25	www.showmyipaddress.com
32	www.whatismyip.ca
33	whatismyipaddress.com
37	whatismyip.everdot.org
41	www.whatismyip.ca

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\rgsmexmfypubfujttb.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\csfatndxrjpxcsitudg.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\pguqkfwrmfmvbsjvxhlc.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\voecyvolidmxfyrfjvbuki.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\rgsmexmfypubfujttb.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\csfatndxrjpxcsitudg.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\boyqgxkbshkprerz.exe	cghqxfj.exe
File opened for modification	C:\Windows\SysWOW64\ewlidzrnjdlvcumzcnskz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\rgsmexmfypubfujttb.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\iwharjxphxbhkymvu.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\pguqkfwrmfmvbsjvxhlc.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\csfatndxrjpxcsitudg.exe	cghqxfj.exe
File opened for modification	C:\Windows\SysWOW64\pguqkfwrmfmvbsjvxhlc.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\iwharjxphxbhkymvu.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\voecyvolidmxfyrfjvbuki.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\voecyvolidmxfyrfjvbuki.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\rgsmexmfypubfujttb.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\csfatndxrjpxcsitudg.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\boyqgxkbshkprerz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\pguqkfwrmfmvbsjvxhlc.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\boyqgxkbshkprerz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\pguqkfwrmfmvbsjvxhlc.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\pguqkfwrmfmvbsjvxhlc.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\iwharjxphxbhkymvu.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\rgsmexmfypubfujttb.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\ewlidzrnjdlvcumzcnskz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\boyqgxkbshkprerz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\csfatndxrjpxcsitudg.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\ewlidzrnjdlvcumzcnskz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\boyqgxkbshkprerz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\iwharjxphxbhkymvu.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\voecyvolidmxfyrfjvbuki.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\csfatndxrjpxcsitudg.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\boyqgxkbshkprerz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\iwharjxphxbhkymvu.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\voecyvolidmxfyrfjvbuki.exe	cghqxfj.exe
File opened for modification	C:\Windows\SysWOW64\voecyvolidmxfyrfjvbuki.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\voecyvolidmxfyrfjvbuki.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\iwharjxphxbhkymvu.exe	bbygorkllli.exe
File created	C:\Windows\SysWOW64\tciwiverepopnwfjdfbkqeqdmzmxwxvenr.njs	cghqxfj.exe
File opened for modification	C:\Windows\SysWOW64\boyqgxkbshkprerz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\rgsmexmfypubfujttb.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\pguqkfwrmfmvbsjvxhlc.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\csfatndxrjpxcsitudg.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\ewlidzrnjdlvcumzcnskz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\ewlidzrnjdlvcumzcnskz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\pguqkfwrmfmvbsjvxhlc.exe	cghqxfj.exe
File opened for modification	C:\Windows\SysWOW64\voecyvolidmxfyrfjvbuki.exe	cghqxfj.exe
File opened for modification	C:\Windows\SysWOW64\ewlidzrnjdlvcumzcnskz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\pguqkfwrmfmvbsjvxhlc.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\pguqkfwrmfmvbsjvxhlc.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\iwharjxphxbhkymvu.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\rgsmexmfypubfujttb.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\boyqgxkbshkprerz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\iwharjxphxbhkymvu.exe	cghqxfj.exe
File opened for modification	C:\Windows\SysWOW64\iwharjxphxbhkymvu.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\ewlidzrnjdlvcumzcnskz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\voecyvolidmxfyrfjvbuki.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\iwharjxphxbhkymvu.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\csfatndxrjpxcsitudg.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\csfatndxrjpxcsitudg.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\csfatndxrjpxcsitudg.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\iwharjxphxbhkymvu.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\voecyvolidmxfyrfjvbuki.exe	bbygorkllli.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\tciwiverepopnwfjdfbkqeqdmzmxwxvenr.njs	cghqxfj.exe
File created	C:\Program Files (x86)\tciwiverepopnwfjdfbkqeqdmzmxwxvenr.njs	cghqxfj.exe
File opened for modification	C:\Program Files (x86)\gezcdfdfhhvlywunwnywruv.vxz	cghqxfj.exe
File created	C:\Program Files (x86)\gezcdfdfhhvlywunwnywruv.vxz	cghqxfj.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\pguqkfwrmfmvbsjvxhlc.exe	bbygorkllli.exe
File opened for modification	C:\Windows\pguqkfwrmfmvbsjvxhlc.exe	bbygorkllli.exe
File opened for modification	C:\Windows\pguqkfwrmfmvbsjvxhlc.exe	bbygorkllli.exe
File opened for modification	C:\Windows\ewlidzrnjdlvcumzcnskz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\iwharjxphxbhkymvu.exe	bbygorkllli.exe
File opened for modification	C:\Windows\rgsmexmfypubfujttb.exe	bbygorkllli.exe
File opened for modification	C:\Windows\ewlidzrnjdlvcumzcnskz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\pguqkfwrmfmvbsjvxhlc.exe	bbygorkllli.exe
File opened for modification	C:\Windows\pguqkfwrmfmvbsjvxhlc.exe	bbygorkllli.exe
File opened for modification	C:\Windows\rgsmexmfypubfujttb.exe	bbygorkllli.exe
File opened for modification	C:\Windows\ewlidzrnjdlvcumzcnskz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\iwharjxphxbhkymvu.exe	bbygorkllli.exe
File opened for modification	C:\Windows\boyqgxkbshkprerz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\rgsmexmfypubfujttb.exe	bbygorkllli.exe
File opened for modification	C:\Windows\ewlidzrnjdlvcumzcnskz.exe	cghqxfj.exe
File opened for modification	C:\Windows\voecyvolidmxfyrfjvbuki.exe	bbygorkllli.exe
File opened for modification	C:\Windows\iwharjxphxbhkymvu.exe	bbygorkllli.exe
File opened for modification	C:\Windows\ewlidzrnjdlvcumzcnskz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\rgsmexmfypubfujttb.exe	bbygorkllli.exe
File opened for modification	C:\Windows\rgsmexmfypubfujttb.exe	cghqxfj.exe
File created	C:\Windows\tciwiverepopnwfjdfbkqeqdmzmxwxvenr.njs	cghqxfj.exe
File opened for modification	C:\Windows\pguqkfwrmfmvbsjvxhlc.exe	bbygorkllli.exe
File opened for modification	C:\Windows\iwharjxphxbhkymvu.exe	cghqxfj.exe
File opened for modification	C:\Windows\voecyvolidmxfyrfjvbuki.exe	bbygorkllli.exe
File opened for modification	C:\Windows\iwharjxphxbhkymvu.exe	bbygorkllli.exe
File opened for modification	C:\Windows\boyqgxkbshkprerz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\voecyvolidmxfyrfjvbuki.exe	bbygorkllli.exe
File opened for modification	C:\Windows\pguqkfwrmfmvbsjvxhlc.exe	bbygorkllli.exe
File opened for modification	C:\Windows\iwharjxphxbhkymvu.exe	bbygorkllli.exe
File opened for modification	C:\Windows\pguqkfwrmfmvbsjvxhlc.exe	bbygorkllli.exe
File opened for modification	C:\Windows\ewlidzrnjdlvcumzcnskz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\boyqgxkbshkprerz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\voecyvolidmxfyrfjvbuki.exe	bbygorkllli.exe
File opened for modification	C:\Windows\voecyvolidmxfyrfjvbuki.exe	bbygorkllli.exe
File opened for modification	C:\Windows\ewlidzrnjdlvcumzcnskz.exe	cghqxfj.exe
File opened for modification	C:\Windows\gezcdfdfhhvlywunwnywruv.vxz	cghqxfj.exe
File opened for modification	C:\Windows\tciwiverepopnwfjdfbkqeqdmzmxwxvenr.njs	cghqxfj.exe
File opened for modification	C:\Windows\rgsmexmfypubfujttb.exe	bbygorkllli.exe
File opened for modification	C:\Windows\ewlidzrnjdlvcumzcnskz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\csfatndxrjpxcsitudg.exe	bbygorkllli.exe
File opened for modification	C:\Windows\boyqgxkbshkprerz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\voecyvolidmxfyrfjvbuki.exe	cghqxfj.exe
File opened for modification	C:\Windows\ewlidzrnjdlvcumzcnskz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\boyqgxkbshkprerz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\ewlidzrnjdlvcumzcnskz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\boyqgxkbshkprerz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\csfatndxrjpxcsitudg.exe	cghqxfj.exe
File opened for modification	C:\Windows\iwharjxphxbhkymvu.exe	cghqxfj.exe
File opened for modification	C:\Windows\rgsmexmfypubfujttb.exe	bbygorkllli.exe
File opened for modification	C:\Windows\rgsmexmfypubfujttb.exe	bbygorkllli.exe
File opened for modification	C:\Windows\ewlidzrnjdlvcumzcnskz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\boyqgxkbshkprerz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\csfatndxrjpxcsitudg.exe	bbygorkllli.exe
File opened for modification	C:\Windows\csfatndxrjpxcsitudg.exe	bbygorkllli.exe
File opened for modification	C:\Windows\boyqgxkbshkprerz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\pguqkfwrmfmvbsjvxhlc.exe	bbygorkllli.exe
File created	C:\Windows\gezcdfdfhhvlywunwnywruv.vxz	cghqxfj.exe
File opened for modification	C:\Windows\ewlidzrnjdlvcumzcnskz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\pguqkfwrmfmvbsjvxhlc.exe	bbygorkllli.exe
File opened for modification	C:\Windows\ewlidzrnjdlvcumzcnskz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\iwharjxphxbhkymvu.exe	bbygorkllli.exe
File opened for modification	C:\Windows\ewlidzrnjdlvcumzcnskz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\rgsmexmfypubfujttb.exe	bbygorkllli.exe
File opened for modification	C:\Windows\csfatndxrjpxcsitudg.exe	cghqxfj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csfatndxrjpxcsitudg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pguqkfwrmfmvbsjvxhlc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rgsmexmfypubfujttb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	boyqgxkbshkprerz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	boyqgxkbshkprerz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csfatndxrjpxcsitudg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pguqkfwrmfmvbsjvxhlc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csfatndxrjpxcsitudg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ewlidzrnjdlvcumzcnskz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csfatndxrjpxcsitudg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pguqkfwrmfmvbsjvxhlc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	boyqgxkbshkprerz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csfatndxrjpxcsitudg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	boyqgxkbshkprerz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csfatndxrjpxcsitudg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	boyqgxkbshkprerz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rgsmexmfypubfujttb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ewlidzrnjdlvcumzcnskz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iwharjxphxbhkymvu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rgsmexmfypubfujttb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ewlidzrnjdlvcumzcnskz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csfatndxrjpxcsitudg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_948636ee0882cf1b082de9702cc5e984.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csfatndxrjpxcsitudg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ewlidzrnjdlvcumzcnskz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csfatndxrjpxcsitudg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iwharjxphxbhkymvu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ewlidzrnjdlvcumzcnskz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ewlidzrnjdlvcumzcnskz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iwharjxphxbhkymvu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iwharjxphxbhkymvu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pguqkfwrmfmvbsjvxhlc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iwharjxphxbhkymvu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	boyqgxkbshkprerz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csfatndxrjpxcsitudg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pguqkfwrmfmvbsjvxhlc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rgsmexmfypubfujttb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	boyqgxkbshkprerz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iwharjxphxbhkymvu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	boyqgxkbshkprerz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iwharjxphxbhkymvu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iwharjxphxbhkymvu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pguqkfwrmfmvbsjvxhlc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rgsmexmfypubfujttb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rgsmexmfypubfujttb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iwharjxphxbhkymvu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ewlidzrnjdlvcumzcnskz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ewlidzrnjdlvcumzcnskz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csfatndxrjpxcsitudg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pguqkfwrmfmvbsjvxhlc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	boyqgxkbshkprerz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	boyqgxkbshkprerz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csfatndxrjpxcsitudg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ewlidzrnjdlvcumzcnskz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ewlidzrnjdlvcumzcnskz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iwharjxphxbhkymvu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rgsmexmfypubfujttb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rgsmexmfypubfujttb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	boyqgxkbshkprerz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iwharjxphxbhkymvu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	boyqgxkbshkprerz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bbygorkllli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iwharjxphxbhkymvu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	boyqgxkbshkprerz.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
632	JaffaCakes118_948636ee0882cf1b082de9702cc5e984.exe
632	JaffaCakes118_948636ee0882cf1b082de9702cc5e984.exe
632	JaffaCakes118_948636ee0882cf1b082de9702cc5e984.exe
632	JaffaCakes118_948636ee0882cf1b082de9702cc5e984.exe
632	JaffaCakes118_948636ee0882cf1b082de9702cc5e984.exe
632	JaffaCakes118_948636ee0882cf1b082de9702cc5e984.exe
632	JaffaCakes118_948636ee0882cf1b082de9702cc5e984.exe
632	JaffaCakes118_948636ee0882cf1b082de9702cc5e984.exe
632	JaffaCakes118_948636ee0882cf1b082de9702cc5e984.exe
632	JaffaCakes118_948636ee0882cf1b082de9702cc5e984.exe
632	JaffaCakes118_948636ee0882cf1b082de9702cc5e984.exe
632	JaffaCakes118_948636ee0882cf1b082de9702cc5e984.exe
632	JaffaCakes118_948636ee0882cf1b082de9702cc5e984.exe
632	JaffaCakes118_948636ee0882cf1b082de9702cc5e984.exe
632	JaffaCakes118_948636ee0882cf1b082de9702cc5e984.exe
632	JaffaCakes118_948636ee0882cf1b082de9702cc5e984.exe
4140	cghqxfj.exe
4140	cghqxfj.exe
632	JaffaCakes118_948636ee0882cf1b082de9702cc5e984.exe
632	JaffaCakes118_948636ee0882cf1b082de9702cc5e984.exe
632	JaffaCakes118_948636ee0882cf1b082de9702cc5e984.exe
632	JaffaCakes118_948636ee0882cf1b082de9702cc5e984.exe
632	JaffaCakes118_948636ee0882cf1b082de9702cc5e984.exe
632	JaffaCakes118_948636ee0882cf1b082de9702cc5e984.exe
632	JaffaCakes118_948636ee0882cf1b082de9702cc5e984.exe
632	JaffaCakes118_948636ee0882cf1b082de9702cc5e984.exe
632	JaffaCakes118_948636ee0882cf1b082de9702cc5e984.exe
632	JaffaCakes118_948636ee0882cf1b082de9702cc5e984.exe
632	JaffaCakes118_948636ee0882cf1b082de9702cc5e984.exe
632	JaffaCakes118_948636ee0882cf1b082de9702cc5e984.exe
632	JaffaCakes118_948636ee0882cf1b082de9702cc5e984.exe
632	JaffaCakes118_948636ee0882cf1b082de9702cc5e984.exe
632	JaffaCakes118_948636ee0882cf1b082de9702cc5e984.exe
632	JaffaCakes118_948636ee0882cf1b082de9702cc5e984.exe
632	JaffaCakes118_948636ee0882cf1b082de9702cc5e984.exe
632	JaffaCakes118_948636ee0882cf1b082de9702cc5e984.exe
632	JaffaCakes118_948636ee0882cf1b082de9702cc5e984.exe
632	JaffaCakes118_948636ee0882cf1b082de9702cc5e984.exe
632	JaffaCakes118_948636ee0882cf1b082de9702cc5e984.exe
632	JaffaCakes118_948636ee0882cf1b082de9702cc5e984.exe
632	JaffaCakes118_948636ee0882cf1b082de9702cc5e984.exe
632	JaffaCakes118_948636ee0882cf1b082de9702cc5e984.exe
632	JaffaCakes118_948636ee0882cf1b082de9702cc5e984.exe
632	JaffaCakes118_948636ee0882cf1b082de9702cc5e984.exe
632	JaffaCakes118_948636ee0882cf1b082de9702cc5e984.exe
632	JaffaCakes118_948636ee0882cf1b082de9702cc5e984.exe
632	JaffaCakes118_948636ee0882cf1b082de9702cc5e984.exe
632	JaffaCakes118_948636ee0882cf1b082de9702cc5e984.exe
632	JaffaCakes118_948636ee0882cf1b082de9702cc5e984.exe
632	JaffaCakes118_948636ee0882cf1b082de9702cc5e984.exe
632	JaffaCakes118_948636ee0882cf1b082de9702cc5e984.exe
632	JaffaCakes118_948636ee0882cf1b082de9702cc5e984.exe
4140	cghqxfj.exe
4140	cghqxfj.exe
632	JaffaCakes118_948636ee0882cf1b082de9702cc5e984.exe
632	JaffaCakes118_948636ee0882cf1b082de9702cc5e984.exe
632	JaffaCakes118_948636ee0882cf1b082de9702cc5e984.exe
632	JaffaCakes118_948636ee0882cf1b082de9702cc5e984.exe
632	JaffaCakes118_948636ee0882cf1b082de9702cc5e984.exe
632	JaffaCakes118_948636ee0882cf1b082de9702cc5e984.exe
632	JaffaCakes118_948636ee0882cf1b082de9702cc5e984.exe
632	JaffaCakes118_948636ee0882cf1b082de9702cc5e984.exe
632	JaffaCakes118_948636ee0882cf1b082de9702cc5e984.exe
632	JaffaCakes118_948636ee0882cf1b082de9702cc5e984.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4140	cghqxfj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 632 wrote to memory of 3216	632	JaffaCakes118_948636ee0882cf1b082de9702cc5e984.exe	89
PID 632 wrote to memory of 3216	632	JaffaCakes118_948636ee0882cf1b082de9702cc5e984.exe	89
PID 632 wrote to memory of 3216	632	JaffaCakes118_948636ee0882cf1b082de9702cc5e984.exe	89
PID 1780 wrote to memory of 1536	1780	cmd.exe	92
PID 1780 wrote to memory of 1536	1780	cmd.exe	92
PID 1780 wrote to memory of 1536	1780	cmd.exe	92
PID 804 wrote to memory of 2480	804	cmd.exe	95
PID 804 wrote to memory of 2480	804	cmd.exe	95
PID 804 wrote to memory of 2480	804	cmd.exe	95
PID 2480 wrote to memory of 4064	2480	pguqkfwrmfmvbsjvxhlc.exe	98
PID 2480 wrote to memory of 4064	2480	pguqkfwrmfmvbsjvxhlc.exe	98
PID 2480 wrote to memory of 4064	2480	pguqkfwrmfmvbsjvxhlc.exe	98
PID 2784 wrote to memory of 1116	2784	cmd.exe	99
PID 2784 wrote to memory of 1116	2784	cmd.exe	99
PID 2784 wrote to memory of 1116	2784	cmd.exe	99
PID 1740 wrote to memory of 1752	1740	cmd.exe	104
PID 1740 wrote to memory of 1752	1740	cmd.exe	104
PID 1740 wrote to memory of 1752	1740	cmd.exe	104
PID 3392 wrote to memory of 2344	3392	cmd.exe	176
PID 3392 wrote to memory of 2344	3392	cmd.exe	176
PID 3392 wrote to memory of 2344	3392	cmd.exe	176
PID 1752 wrote to memory of 3456	1752	csfatndxrjpxcsitudg.exe	108
PID 1752 wrote to memory of 3456	1752	csfatndxrjpxcsitudg.exe	108
PID 1752 wrote to memory of 3456	1752	csfatndxrjpxcsitudg.exe	108
PID 4040 wrote to memory of 1764	4040	cmd.exe	109
PID 4040 wrote to memory of 1764	4040	cmd.exe	109
PID 4040 wrote to memory of 1764	4040	cmd.exe	109
PID 1764 wrote to memory of 1416	1764	ewlidzrnjdlvcumzcnskz.exe	112
PID 1764 wrote to memory of 1416	1764	ewlidzrnjdlvcumzcnskz.exe	112
PID 1764 wrote to memory of 1416	1764	ewlidzrnjdlvcumzcnskz.exe	112
PID 2016 wrote to memory of 3684	2016	cmd.exe	115
PID 2016 wrote to memory of 3684	2016	cmd.exe	115
PID 2016 wrote to memory of 3684	2016	cmd.exe	115
PID 4500 wrote to memory of 2432	4500	cmd.exe	116
PID 4500 wrote to memory of 2432	4500	cmd.exe	116
PID 4500 wrote to memory of 2432	4500	cmd.exe	116
PID 2432 wrote to memory of 2408	2432	rgsmexmfypubfujttb.exe	117
PID 2432 wrote to memory of 2408	2432	rgsmexmfypubfujttb.exe	117
PID 2432 wrote to memory of 2408	2432	rgsmexmfypubfujttb.exe	117
PID 3216 wrote to memory of 4140	3216	bbygorkllli.exe	120
PID 3216 wrote to memory of 4140	3216	bbygorkllli.exe	120
PID 3216 wrote to memory of 4140	3216	bbygorkllli.exe	120
PID 3216 wrote to memory of 4528	3216	bbygorkllli.exe	121
PID 3216 wrote to memory of 4528	3216	bbygorkllli.exe	121
PID 3216 wrote to memory of 4528	3216	bbygorkllli.exe	121
PID 4100 wrote to memory of 1308	4100	cmd.exe	251
PID 4100 wrote to memory of 1308	4100	cmd.exe	251
PID 4100 wrote to memory of 1308	4100	cmd.exe	251
PID 1692 wrote to memory of 1748	1692	cmd.exe	311
PID 1692 wrote to memory of 1748	1692	cmd.exe	311
PID 1692 wrote to memory of 1748	1692	cmd.exe	311
PID 3876 wrote to memory of 4460	3876	cmd.exe	134
PID 3876 wrote to memory of 4460	3876	cmd.exe	134
PID 3876 wrote to memory of 4460	3876	cmd.exe	134
PID 5040 wrote to memory of 4212	5040	cmd.exe	137
PID 5040 wrote to memory of 4212	5040	cmd.exe	137
PID 5040 wrote to memory of 4212	5040	cmd.exe	137
PID 4460 wrote to memory of 2096	4460	rgsmexmfypubfujttb.exe	328
PID 4460 wrote to memory of 2096	4460	rgsmexmfypubfujttb.exe	328
PID 4460 wrote to memory of 2096	4460	rgsmexmfypubfujttb.exe	328
PID 3668 wrote to memory of 4408	3668	cmd.exe	143
PID 3668 wrote to memory of 4408	3668	cmd.exe	143
PID 3668 wrote to memory of 4408	3668	cmd.exe	143
PID 4212 wrote to memory of 1872	4212	rgsmexmfypubfujttb.exe	188

System policy modification 1 TTPs 64 IoCs

defense_evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cghqxfj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	cghqxfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	cghqxfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cghqxfj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	cghqxfj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	cghqxfj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	cghqxfj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cghqxfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	cghqxfj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cghqxfj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	cghqxfj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	cghqxfj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	cghqxfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	cghqxfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cghqxfj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cghqxfj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	cghqxfj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	cghqxfj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cghqxfj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cghqxfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	cghqxfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cghqxfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	cghqxfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_948636ee0882cf1b082de9702cc5e984.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_948636ee0882cf1b082de9702cc5e984.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:632
- C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
  "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_948636ee0882cf1b082de9702cc5e984.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3216
- - C:\Users\Admin\AppData\Local\Temp\cghqxfj.exe
    "C:\Users\Admin\AppData\Local\Temp\cghqxfj.exe" "-C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:4140
- - C:\Users\Admin\AppData\Local\Temp\cghqxfj.exe
    "C:\Users\Admin\AppData\Local\Temp\cghqxfj.exe" "-C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c csfatndxrjpxcsitudg.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Windows\csfatndxrjpxcsitudg.exe
  csfatndxrjpxcsitudg.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pguqkfwrmfmvbsjvxhlc.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:804
- C:\Windows\pguqkfwrmfmvbsjvxhlc.exe
  pguqkfwrmfmvbsjvxhlc.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\pguqkfwrmfmvbsjvxhlc.exe*."
    3⤵
    - Executes dropped EXE
    PID:4064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ewlidzrnjdlvcumzcnskz.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Windows\ewlidzrnjdlvcumzcnskz.exe
  ewlidzrnjdlvcumzcnskz.exe
  2⤵
  - Executes dropped EXE
  PID:1116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c csfatndxrjpxcsitudg.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Windows\csfatndxrjpxcsitudg.exe
  csfatndxrjpxcsitudg.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\csfatndxrjpxcsitudg.exe*."
    3⤵
    - Executes dropped EXE
    PID:3456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3392
- C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:4040
- C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe
  C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe .
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ewlidzrnjdlvcumzcnskz.exe*."
    3⤵
    - Executes dropped EXE
    PID:1416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
  2⤵
  - Executes dropped EXE
  PID:3684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:4500
- C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\rgsmexmfypubfujttb.exe*."
    3⤵
    - Executes dropped EXE
    PID:2408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c csfatndxrjpxcsitudg.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4100
- C:\Windows\csfatndxrjpxcsitudg.exe
  csfatndxrjpxcsitudg.exe
  2⤵
  - Executes dropped EXE
  PID:1308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c csfatndxrjpxcsitudg.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Windows\csfatndxrjpxcsitudg.exe
  csfatndxrjpxcsitudg.exe
  2⤵
  - Executes dropped EXE
  PID:1748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgsmexmfypubfujttb.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:3876
- C:\Windows\rgsmexmfypubfujttb.exe
  rgsmexmfypubfujttb.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4460
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\rgsmexmfypubfujttb.exe*."
    3⤵
    - Executes dropped EXE
    PID:2096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgsmexmfypubfujttb.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Windows\rgsmexmfypubfujttb.exe
  rgsmexmfypubfujttb.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4212
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\rgsmexmfypubfujttb.exe*."
    3⤵
    - Executes dropped EXE
    PID:1872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iwharjxphxbhkymvu.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3668
- C:\Windows\iwharjxphxbhkymvu.exe
  iwharjxphxbhkymvu.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c boyqgxkbshkprerz.exe .
1⤵
PID:1740
- C:\Windows\boyqgxkbshkprerz.exe
  boyqgxkbshkprerz.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:8
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\boyqgxkbshkprerz.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c csfatndxrjpxcsitudg.exe
1⤵
PID:2160
- C:\Windows\csfatndxrjpxcsitudg.exe
  csfatndxrjpxcsitudg.exe
  2⤵
  - Executes dropped EXE
  PID:4788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe
1⤵
PID:4200
- C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe
  C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe
  2⤵
  - Executes dropped EXE
  PID:1404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iwharjxphxbhkymvu.exe .
1⤵
PID:3548
- C:\Windows\iwharjxphxbhkymvu.exe
  iwharjxphxbhkymvu.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3932
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\iwharjxphxbhkymvu.exe*."
    3⤵
    - Executes dropped EXE
    PID:4832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe .
1⤵
PID:3504
- C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe
  C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1964
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\csfatndxrjpxcsitudg.exe*."
    3⤵
    - Executes dropped EXE
    PID:4112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe
1⤵
PID:4904
- C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe
  2⤵
  - Executes dropped EXE
  PID:1316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe .
1⤵
PID:4484
- C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe
  C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3920
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ewlidzrnjdlvcumzcnskz.exe*."
    3⤵
    - Executes dropped EXE
    PID:2344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
1⤵
PID:3756
- C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
  2⤵
  - Executes dropped EXE
  PID:3876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe .
1⤵
PID:1928
- C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3768
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\boyqgxkbshkprerz.exe*."
    3⤵
    - Executes dropped EXE
    PID:3304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe
1⤵
PID:2780
- C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe
  C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe
  2⤵
  - Executes dropped EXE
  PID:2332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe .
1⤵
PID:4552
- C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2312
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\rgsmexmfypubfujttb.exe*."
    3⤵
    - Executes dropped EXE
    PID:840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iwharjxphxbhkymvu.exe
1⤵
PID:468
- C:\Windows\iwharjxphxbhkymvu.exe
  iwharjxphxbhkymvu.exe
  2⤵
  - Executes dropped EXE
  PID:3392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c boyqgxkbshkprerz.exe .
1⤵
PID:2368
- C:\Windows\boyqgxkbshkprerz.exe
  boyqgxkbshkprerz.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1032
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\boyqgxkbshkprerz.exe*."
    3⤵
    - Executes dropped EXE
    PID:1872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgsmexmfypubfujttb.exe
1⤵
PID:5056
- C:\Windows\rgsmexmfypubfujttb.exe
  rgsmexmfypubfujttb.exe
  2⤵
  - Executes dropped EXE
  PID:3916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pguqkfwrmfmvbsjvxhlc.exe .
1⤵
PID:2660
- C:\Windows\pguqkfwrmfmvbsjvxhlc.exe
  pguqkfwrmfmvbsjvxhlc.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4392
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\pguqkfwrmfmvbsjvxhlc.exe*."
    3⤵
    - Executes dropped EXE
    PID:1560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe
1⤵
PID:3548
- C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe
  C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe
  2⤵
  - Executes dropped EXE
  PID:4232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe .
1⤵
PID:2260
- C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3356
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\rgsmexmfypubfujttb.exe*."
    3⤵
    - Executes dropped EXE
    PID:4500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe
1⤵
PID:4144
- C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe
  2⤵
  - Executes dropped EXE
  PID:2220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe .
1⤵
PID:2564
- C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe
  C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe .
  2⤵
  - Executes dropped EXE
  PID:4976
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ewlidzrnjdlvcumzcnskz.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c csfatndxrjpxcsitudg.exe
1⤵
PID:4948
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:840
- C:\Windows\csfatndxrjpxcsitudg.exe
  csfatndxrjpxcsitudg.exe
  2⤵
  - Executes dropped EXE
  PID:4388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ewlidzrnjdlvcumzcnskz.exe
1⤵
PID:1776
- C:\Windows\ewlidzrnjdlvcumzcnskz.exe
  ewlidzrnjdlvcumzcnskz.exe
  2⤵
  - Executes dropped EXE
  PID:2232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iwharjxphxbhkymvu.exe .
1⤵
PID:3392
- C:\Windows\iwharjxphxbhkymvu.exe
  iwharjxphxbhkymvu.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1748
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\iwharjxphxbhkymvu.exe*."
    3⤵
    - Executes dropped EXE
    PID:4476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pguqkfwrmfmvbsjvxhlc.exe
1⤵
PID:2376
- C:\Windows\pguqkfwrmfmvbsjvxhlc.exe
  pguqkfwrmfmvbsjvxhlc.exe
  2⤵
  - Executes dropped EXE
  PID:4884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgsmexmfypubfujttb.exe .
1⤵
PID:2620
- C:\Windows\rgsmexmfypubfujttb.exe
  rgsmexmfypubfujttb.exe .
  2⤵
  - Executes dropped EXE
  PID:4436
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\rgsmexmfypubfujttb.exe*."
    3⤵
    - Executes dropped EXE
    PID:3260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ewlidzrnjdlvcumzcnskz.exe
1⤵
PID:2644
- C:\Windows\ewlidzrnjdlvcumzcnskz.exe
  ewlidzrnjdlvcumzcnskz.exe
  2⤵
  - Executes dropped EXE
  PID:3288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c boyqgxkbshkprerz.exe .
1⤵
PID:4920
- C:\Windows\boyqgxkbshkprerz.exe
  boyqgxkbshkprerz.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1308
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\boyqgxkbshkprerz.exe*."
    3⤵
    PID:1480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgsmexmfypubfujttb.exe
1⤵
PID:3916
- C:\Windows\rgsmexmfypubfujttb.exe
  rgsmexmfypubfujttb.exe
  2⤵
  - Executes dropped EXE
  PID:2848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pguqkfwrmfmvbsjvxhlc.exe .
1⤵
PID:1812
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3876
- C:\Windows\pguqkfwrmfmvbsjvxhlc.exe
  pguqkfwrmfmvbsjvxhlc.exe .
  2⤵
  - Checks computer location settings
  PID:4692
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\pguqkfwrmfmvbsjvxhlc.exe*."
    3⤵
    PID:4200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ewlidzrnjdlvcumzcnskz.exe .
1⤵
PID:5088
- C:\Windows\ewlidzrnjdlvcumzcnskz.exe
  ewlidzrnjdlvcumzcnskz.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2676
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ewlidzrnjdlvcumzcnskz.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe
1⤵
PID:4240
- C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe
  C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe
  2⤵
  - Executes dropped EXE
  PID:916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iwharjxphxbhkymvu.exe
1⤵
PID:5044
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4788
- C:\Windows\iwharjxphxbhkymvu.exe
  iwharjxphxbhkymvu.exe
  2⤵
  PID:1936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe
1⤵
PID:1456
- C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe
  C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe
  2⤵
  PID:468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe .
1⤵
PID:3756
- C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
  C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3932
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\pguqkfwrmfmvbsjvxhlc.exe*."
    3⤵
    PID:4996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe .
1⤵
PID:1740
- C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3296
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\boyqgxkbshkprerz.exe*."
    3⤵
    PID:1508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pguqkfwrmfmvbsjvxhlc.exe .
1⤵
PID:3948
- C:\Windows\pguqkfwrmfmvbsjvxhlc.exe
  pguqkfwrmfmvbsjvxhlc.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4112
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\pguqkfwrmfmvbsjvxhlc.exe*."
    3⤵
    PID:1540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe
1⤵
PID:3384
- C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe
  C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe
  2⤵
  PID:3316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe .
1⤵
PID:1612
- C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4064
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\iwharjxphxbhkymvu.exe*."
    3⤵
    PID:3432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
1⤵
PID:3988
- C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
  2⤵
  PID:3920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
1⤵
PID:2348
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4832
- C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
  2⤵
  PID:2028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe .
1⤵
PID:2096
- C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe
  C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2740
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ewlidzrnjdlvcumzcnskz.exe*."
    3⤵
    PID:2564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe .
1⤵
PID:4108
- C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2676
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\rgsmexmfypubfujttb.exe*."
    3⤵
    PID:2948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
1⤵
PID:4912
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3392
- C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
  C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
  2⤵
  PID:4424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe .
1⤵
PID:688
- C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2644
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\boyqgxkbshkprerz.exe*."
    3⤵
    PID:4024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c csfatndxrjpxcsitudg.exe
1⤵
PID:1660
- C:\Windows\csfatndxrjpxcsitudg.exe
  csfatndxrjpxcsitudg.exe
  2⤵
  PID:1788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ewlidzrnjdlvcumzcnskz.exe .
1⤵
PID:4236
- C:\Windows\ewlidzrnjdlvcumzcnskz.exe
  ewlidzrnjdlvcumzcnskz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1168
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ewlidzrnjdlvcumzcnskz.exe*."
    3⤵
    PID:1464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c csfatndxrjpxcsitudg.exe
1⤵
PID:4240
- C:\Windows\csfatndxrjpxcsitudg.exe
  csfatndxrjpxcsitudg.exe
  2⤵
  PID:3084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c csfatndxrjpxcsitudg.exe .
1⤵
PID:916
- C:\Windows\csfatndxrjpxcsitudg.exe
  csfatndxrjpxcsitudg.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1416
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\csfatndxrjpxcsitudg.exe*."
    3⤵
    PID:1508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
1⤵
PID:4424
- C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
  C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
  2⤵
  PID:2016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe .
1⤵
PID:3932
- C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe
  C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1748
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\csfatndxrjpxcsitudg.exe*."
    3⤵
    PID:4988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe
1⤵
PID:3152
- C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe
  C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe
  2⤵
  PID:3432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe .
1⤵
PID:2028
- C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3244
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\rgsmexmfypubfujttb.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgsmexmfypubfujttb.exe
1⤵
PID:2368
- C:\Windows\rgsmexmfypubfujttb.exe
  rgsmexmfypubfujttb.exe
  2⤵
  PID:4368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c boyqgxkbshkprerz.exe .
1⤵
PID:3180
- C:\Windows\boyqgxkbshkprerz.exe
  boyqgxkbshkprerz.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2344
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\boyqgxkbshkprerz.exe*."
    3⤵
    PID:2096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgsmexmfypubfujttb.exe
1⤵
PID:5020
- C:\Windows\rgsmexmfypubfujttb.exe
  rgsmexmfypubfujttb.exe
  2⤵
  PID:4108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c boyqgxkbshkprerz.exe .
1⤵
PID:3260
- C:\Windows\boyqgxkbshkprerz.exe
  boyqgxkbshkprerz.exe .
  2⤵
  - Checks computer location settings
  PID:3568
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\boyqgxkbshkprerz.exe*."
    3⤵
    PID:4904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
1⤵
PID:3668
- C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
  C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
  2⤵
  PID:2408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe .
1⤵
PID:3684
- C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3316
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\boyqgxkbshkprerz.exe*."
    3⤵
    PID:2284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
1⤵
PID:2444
- C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
  2⤵
  PID:2348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe .
1⤵
PID:1416
- C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe .
  2⤵
  - Checks computer location settings
  PID:2340
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\boyqgxkbshkprerz.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ewlidzrnjdlvcumzcnskz.exe
1⤵
PID:744
- C:\Windows\ewlidzrnjdlvcumzcnskz.exe
  ewlidzrnjdlvcumzcnskz.exe
  2⤵
  PID:2804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgsmexmfypubfujttb.exe .
1⤵
PID:3296
- C:\Windows\rgsmexmfypubfujttb.exe
  rgsmexmfypubfujttb.exe .
  2⤵
  PID:4996
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\rgsmexmfypubfujttb.exe*."
    3⤵
    PID:4976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgsmexmfypubfujttb.exe
1⤵
PID:2592
- C:\Windows\rgsmexmfypubfujttb.exe
  rgsmexmfypubfujttb.exe
  2⤵
  PID:3288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgsmexmfypubfujttb.exe .
1⤵
PID:1472
- C:\Windows\rgsmexmfypubfujttb.exe
  rgsmexmfypubfujttb.exe .
  2⤵
  PID:1076
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\rgsmexmfypubfujttb.exe*."
    3⤵
    PID:4536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe
1⤵
PID:4888
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4476
- C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe
  C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe
  2⤵
  PID:3756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe .
1⤵
PID:4196
- C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe
  C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe .
  2⤵
  - Checks computer location settings
  PID:2568
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ewlidzrnjdlvcumzcnskz.exe*."
    3⤵
    PID:2608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe
1⤵
PID:1908
- C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe
  C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe
  2⤵
  PID:3268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe .
1⤵
PID:2232
- C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5088
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\iwharjxphxbhkymvu.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iwharjxphxbhkymvu.exe
1⤵
PID:4540
- C:\Windows\iwharjxphxbhkymvu.exe
  iwharjxphxbhkymvu.exe
  2⤵
  PID:2160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iwharjxphxbhkymvu.exe .
1⤵
PID:2240
- C:\Windows\iwharjxphxbhkymvu.exe
  iwharjxphxbhkymvu.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2704
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\iwharjxphxbhkymvu.exe*."
    3⤵
    PID:2444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ewlidzrnjdlvcumzcnskz.exe
1⤵
PID:3364
- C:\Windows\ewlidzrnjdlvcumzcnskz.exe
  ewlidzrnjdlvcumzcnskz.exe
  2⤵
  PID:2220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgsmexmfypubfujttb.exe .
1⤵
PID:4636
- C:\Windows\rgsmexmfypubfujttb.exe
  rgsmexmfypubfujttb.exe .
  2⤵
  - Checks computer location settings
  PID:1056
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\rgsmexmfypubfujttb.exe*."
    3⤵
    PID:2040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
1⤵
PID:3356
- C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
  2⤵
  PID:2156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe .
1⤵
PID:1384
- C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe
  C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe .
  2⤵
  PID:4968
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ewlidzrnjdlvcumzcnskz.exe*."
    3⤵
    PID:1432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
1⤵
PID:1360
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3432
- C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
  2⤵
  PID:1456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe .
1⤵
PID:3244
- C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe
  C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2236
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\csfatndxrjpxcsitudg.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ewlidzrnjdlvcumzcnskz.exe
1⤵
PID:4536
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2028
- C:\Windows\ewlidzrnjdlvcumzcnskz.exe
  ewlidzrnjdlvcumzcnskz.exe
  2⤵
  PID:392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c boyqgxkbshkprerz.exe .
1⤵
PID:4672
- C:\Windows\boyqgxkbshkprerz.exe
  boyqgxkbshkprerz.exe .
  2⤵
  - Checks computer location settings
  PID:2180
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\boyqgxkbshkprerz.exe*."
    3⤵
    PID:4764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iwharjxphxbhkymvu.exe
1⤵
PID:3768
- C:\Windows\iwharjxphxbhkymvu.exe
  iwharjxphxbhkymvu.exe
  2⤵
  PID:3060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c boyqgxkbshkprerz.exe .
1⤵
PID:3416
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1032
- C:\Windows\boyqgxkbshkprerz.exe
  boyqgxkbshkprerz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2408
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\boyqgxkbshkprerz.exe*."
    3⤵
    PID:1512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe
1⤵
PID:3988
- C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe
  C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe
  2⤵
  PID:4228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe .
1⤵
PID:3568
- C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe
  C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2016
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\csfatndxrjpxcsitudg.exe*."
    3⤵
    PID:2712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
1⤵
PID:1616
- C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
  2⤵
  PID:5072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe .
1⤵
PID:3316
- C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
  C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3876
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\pguqkfwrmfmvbsjvxhlc.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pguqkfwrmfmvbsjvxhlc.exe
1⤵
PID:1056
- C:\Windows\pguqkfwrmfmvbsjvxhlc.exe
  pguqkfwrmfmvbsjvxhlc.exe
  2⤵
  PID:1620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pguqkfwrmfmvbsjvxhlc.exe .
1⤵
PID:3412
- C:\Windows\pguqkfwrmfmvbsjvxhlc.exe
  pguqkfwrmfmvbsjvxhlc.exe .
  2⤵
  - Checks computer location settings
  PID:4996
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\pguqkfwrmfmvbsjvxhlc.exe*."
    3⤵
    PID:2592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgsmexmfypubfujttb.exe
1⤵
PID:2480
- C:\Windows\rgsmexmfypubfujttb.exe
  rgsmexmfypubfujttb.exe
  2⤵
  PID:4024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pguqkfwrmfmvbsjvxhlc.exe .
1⤵
PID:3384
- C:\Windows\pguqkfwrmfmvbsjvxhlc.exe
  pguqkfwrmfmvbsjvxhlc.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4888
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\pguqkfwrmfmvbsjvxhlc.exe*."
    3⤵
    PID:4788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe
1⤵
PID:4856
- C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe
  C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe
  2⤵
  PID:3516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iwharjxphxbhkymvu.exe
1⤵
PID:2504
- C:\Windows\iwharjxphxbhkymvu.exe
  iwharjxphxbhkymvu.exe
  2⤵
  PID:4536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe .
1⤵
PID:2312
- C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe .
  2⤵
  - Checks computer location settings
  PID:4420
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\rgsmexmfypubfujttb.exe*."
    3⤵
    PID:736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ewlidzrnjdlvcumzcnskz.exe
1⤵
PID:2368
- C:\Windows\ewlidzrnjdlvcumzcnskz.exe
  ewlidzrnjdlvcumzcnskz.exe
  2⤵
  PID:4936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ewlidzrnjdlvcumzcnskz.exe .
1⤵
PID:1872
- C:\Windows\ewlidzrnjdlvcumzcnskz.exe
  ewlidzrnjdlvcumzcnskz.exe .
  2⤵
  - Checks computer location settings
  PID:1632
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ewlidzrnjdlvcumzcnskz.exe*."
    3⤵
    PID:2016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
1⤵
PID:2784
- C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
  2⤵
  PID:2240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c csfatndxrjpxcsitudg.exe .
1⤵
PID:1532
- C:\Windows\csfatndxrjpxcsitudg.exe
  csfatndxrjpxcsitudg.exe .
  2⤵
  - Checks computer location settings
  PID:1540
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\csfatndxrjpxcsitudg.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c csfatndxrjpxcsitudg.exe
1⤵
PID:2960
- C:\Windows\csfatndxrjpxcsitudg.exe
  csfatndxrjpxcsitudg.exe
  2⤵
  PID:2444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe .
1⤵
PID:4960
- C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1284
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\iwharjxphxbhkymvu.exe*."
    3⤵
    PID:624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ewlidzrnjdlvcumzcnskz.exe .
1⤵
PID:2704
- C:\Windows\ewlidzrnjdlvcumzcnskz.exe
  ewlidzrnjdlvcumzcnskz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4808
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ewlidzrnjdlvcumzcnskz.exe*."
    3⤵
    PID:388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgsmexmfypubfujttb.exe
1⤵
PID:2156
- C:\Windows\rgsmexmfypubfujttb.exe
  rgsmexmfypubfujttb.exe
  2⤵
  PID:3648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe
1⤵
PID:3136
- C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe
  C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe
  2⤵
  PID:4108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c csfatndxrjpxcsitudg.exe .
1⤵
PID:3208
- C:\Windows\csfatndxrjpxcsitudg.exe
  csfatndxrjpxcsitudg.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1768
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\csfatndxrjpxcsitudg.exe*."
    3⤵
    PID:872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe .
1⤵
PID:1924
- C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1472
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\iwharjxphxbhkymvu.exe*."
    3⤵
    PID:2712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
1⤵
PID:1360
- C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
  2⤵
  PID:4672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe .
1⤵
PID:4232
- C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe
  C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4612
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\csfatndxrjpxcsitudg.exe*."
    3⤵
    PID:4228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
1⤵
PID:804
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2740
- C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
  2⤵
  PID:4800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe .
1⤵
PID:840
- C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe
  C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe .
  2⤵
  - Checks computer location settings
  PID:3876
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\csfatndxrjpxcsitudg.exe*."
    3⤵
    PID:4544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
1⤵
PID:2020
- C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
  2⤵
  PID:4040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe .
1⤵
PID:392
- C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe
  C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3416
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\csfatndxrjpxcsitudg.exe*."
    3⤵
    PID:1284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c csfatndxrjpxcsitudg.exe
1⤵
PID:4100
- C:\Windows\csfatndxrjpxcsitudg.exe
  csfatndxrjpxcsitudg.exe
  2⤵
  PID:2628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgsmexmfypubfujttb.exe .
1⤵
PID:4948
- C:\Windows\rgsmexmfypubfujttb.exe
  rgsmexmfypubfujttb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2848
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\rgsmexmfypubfujttb.exe*."
    3⤵
    PID:4668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c boyqgxkbshkprerz.exe
1⤵
PID:3108
- C:\Windows\boyqgxkbshkprerz.exe
  boyqgxkbshkprerz.exe
  2⤵
  PID:5052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c boyqgxkbshkprerz.exe .
1⤵
PID:2728
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1480
- C:\Windows\boyqgxkbshkprerz.exe
  boyqgxkbshkprerz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1416
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\boyqgxkbshkprerz.exe*."
    3⤵
    PID:1280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe
1⤵
PID:3568
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1508
- C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe
  2⤵
  PID:912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe .
1⤵
PID:2260
- C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2476
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\rgsmexmfypubfujttb.exe*."
    3⤵
    PID:688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
1⤵
PID:1168
- C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
  2⤵
  PID:1896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe .
1⤵
PID:3916
- C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe
  C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3300
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ewlidzrnjdlvcumzcnskz.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iwharjxphxbhkymvu.exe
1⤵
PID:4232
- C:\Windows\iwharjxphxbhkymvu.exe
  iwharjxphxbhkymvu.exe
  2⤵
  PID:2340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ewlidzrnjdlvcumzcnskz.exe .
1⤵
PID:2184
- C:\Windows\ewlidzrnjdlvcumzcnskz.exe
  ewlidzrnjdlvcumzcnskz.exe .
  2⤵
  PID:3212
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ewlidzrnjdlvcumzcnskz.exe*."
    3⤵
    PID:4696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c boyqgxkbshkprerz.exe
1⤵
PID:3928
- C:\Windows\boyqgxkbshkprerz.exe
  boyqgxkbshkprerz.exe
  2⤵
  PID:4248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iwharjxphxbhkymvu.exe .
1⤵
PID:4012
- C:\Windows\iwharjxphxbhkymvu.exe
  iwharjxphxbhkymvu.exe .
  2⤵
  - Checks computer location settings
  PID:5060
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\iwharjxphxbhkymvu.exe*."
    3⤵
    PID:5088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe
1⤵
PID:2384
- C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe
  C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe
  2⤵
  PID:1700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe .
1⤵
PID:1928
- C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4200
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\iwharjxphxbhkymvu.exe*."
    3⤵
    PID:1544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
1⤵
PID:3648
- C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
  C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
  2⤵
  PID:3356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe .
1⤵
PID:4516
- C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2156
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\iwharjxphxbhkymvu.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c boyqgxkbshkprerz.exe
1⤵
PID:2568
- C:\Windows\boyqgxkbshkprerz.exe
  boyqgxkbshkprerz.exe
  2⤵
  PID:4612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c boyqgxkbshkprerz.exe .
1⤵
PID:2608
- C:\Windows\boyqgxkbshkprerz.exe
  boyqgxkbshkprerz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2676
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\boyqgxkbshkprerz.exe*."
    3⤵
    PID:2672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgsmexmfypubfujttb.exe
1⤵
PID:4484
- C:\Windows\rgsmexmfypubfujttb.exe
  rgsmexmfypubfujttb.exe
  2⤵
  PID:1768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pguqkfwrmfmvbsjvxhlc.exe .
1⤵
PID:4536
- C:\Windows\pguqkfwrmfmvbsjvxhlc.exe
  pguqkfwrmfmvbsjvxhlc.exe .
  2⤵
  - Checks computer location settings
  PID:700
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\pguqkfwrmfmvbsjvxhlc.exe*."
    3⤵
    PID:2180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe
1⤵
PID:4024
- C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe
  2⤵
  PID:4464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe .
1⤵
PID:2316
- C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3904
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\boyqgxkbshkprerz.exe*."
    3⤵
    PID:3828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
1⤵
PID:3504
- C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
  2⤵
  PID:4284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe .
1⤵
PID:4100
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4368
- C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe .
  2⤵
  - Checks computer location settings
  PID:2384
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\boyqgxkbshkprerz.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c boyqgxkbshkprerz.exe
1⤵
PID:3876
- C:\Windows\boyqgxkbshkprerz.exe
  boyqgxkbshkprerz.exe
  2⤵
  PID:1132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pguqkfwrmfmvbsjvxhlc.exe .
1⤵
PID:3984
- C:\Windows\pguqkfwrmfmvbsjvxhlc.exe
  pguqkfwrmfmvbsjvxhlc.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1564
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\pguqkfwrmfmvbsjvxhlc.exe*."
    3⤵
    PID:3480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c csfatndxrjpxcsitudg.exe
1⤵
PID:3568
- C:\Windows\csfatndxrjpxcsitudg.exe
  csfatndxrjpxcsitudg.exe
  2⤵
  PID:1464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ewlidzrnjdlvcumzcnskz.exe .
1⤵
PID:1280
- C:\Windows\ewlidzrnjdlvcumzcnskz.exe
  ewlidzrnjdlvcumzcnskz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3084
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ewlidzrnjdlvcumzcnskz.exe*."
    3⤵
    PID:3756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe
1⤵
PID:1692
- C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe
  C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe
  2⤵
  PID:60

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe .
1⤵
PID:4884
- C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1168
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\rgsmexmfypubfujttb.exe*."
    3⤵
    PID:3300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
1⤵
PID:2704
- C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
  2⤵
  PID:3412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe .
1⤵
PID:4800
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2016
- C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4856
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\iwharjxphxbhkymvu.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4676

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
- Blocklisted process makes network request
PID:2712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgsmexmfypubfujttb.exe
1⤵
PID:2636
- C:\Windows\rgsmexmfypubfujttb.exe
  rgsmexmfypubfujttb.exe
  2⤵
  PID:1740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ewlidzrnjdlvcumzcnskz.exe .
1⤵
PID:1512
- C:\Windows\ewlidzrnjdlvcumzcnskz.exe
  ewlidzrnjdlvcumzcnskz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1032
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ewlidzrnjdlvcumzcnskz.exe*."
    3⤵
    PID:1284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ewlidzrnjdlvcumzcnskz.exe
1⤵
PID:5084
- C:\Windows\ewlidzrnjdlvcumzcnskz.exe
  ewlidzrnjdlvcumzcnskz.exe
  2⤵
  PID:3256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ewlidzrnjdlvcumzcnskz.exe .
1⤵
PID:4064
- C:\Windows\ewlidzrnjdlvcumzcnskz.exe
  ewlidzrnjdlvcumzcnskz.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1572
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ewlidzrnjdlvcumzcnskz.exe*."
    3⤵
    PID:1564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe
1⤵
PID:4988
- C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe
  2⤵
  PID:3356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe .
1⤵
PID:4832
- C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4976
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\iwharjxphxbhkymvu.exe*."
    3⤵
    PID:1116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
1⤵
PID:1980
- C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
  2⤵
  PID:1908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe .
1⤵
PID:60
- C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
  C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe .
  2⤵
  PID:5020
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\pguqkfwrmfmvbsjvxhlc.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgsmexmfypubfujttb.exe
1⤵
PID:2260
- C:\Windows\rgsmexmfypubfujttb.exe
  rgsmexmfypubfujttb.exe
  2⤵
  PID:4332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ewlidzrnjdlvcumzcnskz.exe .
1⤵
PID:2436
- C:\Windows\ewlidzrnjdlvcumzcnskz.exe
  ewlidzrnjdlvcumzcnskz.exe .
  2⤵
  PID:1216
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ewlidzrnjdlvcumzcnskz.exe*."
    3⤵
    PID:4904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ewlidzrnjdlvcumzcnskz.exe
1⤵
PID:3432
- C:\Windows\ewlidzrnjdlvcumzcnskz.exe
  ewlidzrnjdlvcumzcnskz.exe
  2⤵
  PID:4388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c csfatndxrjpxcsitudg.exe .
1⤵
PID:2340
- C:\Windows\csfatndxrjpxcsitudg.exe
  csfatndxrjpxcsitudg.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2788
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\csfatndxrjpxcsitudg.exe*."
    3⤵
    PID:3256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe
1⤵
PID:828
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1416
- C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe
  2⤵
  PID:2804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe .
1⤵
PID:2740
- C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
  C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5084
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\pguqkfwrmfmvbsjvxhlc.exe*."
    3⤵
    PID:2444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe
1⤵
PID:4988
- C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe
  C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe
  2⤵
  PID:4200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe .
1⤵
PID:4764
- C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe
  C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3892
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ewlidzrnjdlvcumzcnskz.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:872

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:2096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c csfatndxrjpxcsitudg.exe
1⤵
PID:2676
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1788
- C:\Windows\csfatndxrjpxcsitudg.exe
  csfatndxrjpxcsitudg.exe
  2⤵
  PID:4484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c csfatndxrjpxcsitudg.exe .
1⤵
PID:4612
- C:\Windows\csfatndxrjpxcsitudg.exe
  csfatndxrjpxcsitudg.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4492
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\csfatndxrjpxcsitudg.exe*."
    3⤵
    PID:3480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c boyqgxkbshkprerz.exe
1⤵
PID:2260
- C:\Windows\boyqgxkbshkprerz.exe
  boyqgxkbshkprerz.exe
  2⤵
  PID:2660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pguqkfwrmfmvbsjvxhlc.exe
1⤵
PID:3916
- C:\Windows\pguqkfwrmfmvbsjvxhlc.exe
  pguqkfwrmfmvbsjvxhlc.exe
  2⤵
  PID:2184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c boyqgxkbshkprerz.exe
1⤵
PID:1380
- C:\Windows\boyqgxkbshkprerz.exe
  boyqgxkbshkprerz.exe
  2⤵
  PID:4864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pguqkfwrmfmvbsjvxhlc.exe .
1⤵
PID:4924
- C:\Windows\pguqkfwrmfmvbsjvxhlc.exe
  pguqkfwrmfmvbsjvxhlc.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1056
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\pguqkfwrmfmvbsjvxhlc.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c csfatndxrjpxcsitudg.exe .
1⤵
PID:2788
- C:\Windows\csfatndxrjpxcsitudg.exe
  csfatndxrjpxcsitudg.exe .
  2⤵
  - Checks computer location settings
  PID:4492
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\csfatndxrjpxcsitudg.exe*."
    3⤵
    PID:1464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ewlidzrnjdlvcumzcnskz.exe .
1⤵
PID:2028
- C:\Windows\ewlidzrnjdlvcumzcnskz.exe
  ewlidzrnjdlvcumzcnskz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4228
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ewlidzrnjdlvcumzcnskz.exe*."
    3⤵
    PID:3996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe
1⤵
PID:1556
- C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe
  C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe
  2⤵
  PID:1464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pguqkfwrmfmvbsjvxhlc.exe
1⤵
PID:916
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5088
- C:\Windows\pguqkfwrmfmvbsjvxhlc.exe
  pguqkfwrmfmvbsjvxhlc.exe
  2⤵
  PID:3740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgsmexmfypubfujttb.exe
1⤵
PID:3928
- C:\Windows\rgsmexmfypubfujttb.exe
  rgsmexmfypubfujttb.exe
  2⤵
  PID:4340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe .
1⤵
PID:3724
- C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe .
  2⤵
  PID:620
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\boyqgxkbshkprerz.exe*."
    3⤵
    PID:1748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iwharjxphxbhkymvu.exe .
1⤵
PID:4580
- C:\Windows\iwharjxphxbhkymvu.exe
  iwharjxphxbhkymvu.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3496
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\iwharjxphxbhkymvu.exe*."
    3⤵
    PID:1748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c boyqgxkbshkprerz.exe .
1⤵
PID:4552
- C:\Windows\boyqgxkbshkprerz.exe
  boyqgxkbshkprerz.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4340
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\boyqgxkbshkprerz.exe*."
    3⤵
    PID:412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
1⤵
PID:4968
- C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
  2⤵
  PID:3260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe
1⤵
PID:5040
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1632
- C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe
  C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe
  2⤵
  PID:4620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe .
1⤵
PID:4912
- C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe
  C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5064
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\csfatndxrjpxcsitudg.exe*."
    3⤵
    PID:1280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe .
1⤵
PID:4696
- C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe
  C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe .
  2⤵
  PID:2620
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\csfatndxrjpxcsitudg.exe*."
    3⤵
    PID:1380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
1⤵
PID:4436
- C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
  2⤵
  PID:2848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe .
1⤵
PID:4796
- C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe .
  2⤵
  PID:4544
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\boyqgxkbshkprerz.exe*."
    3⤵
    PID:4340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
1⤵
PID:2564
- C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
  C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
  2⤵
  PID:4924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
1⤵
PID:4472
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3480
- C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
  C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
  2⤵
  PID:4996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe .
1⤵
PID:4192
- C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe .
  2⤵
  PID:388
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\iwharjxphxbhkymvu.exe*."
    3⤵
    PID:2544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe .
1⤵
PID:4764
- C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe .
  2⤵
  PID:2432
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\boyqgxkbshkprerz.exe*."
    3⤵
    PID:2252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ewlidzrnjdlvcumzcnskz.exe
1⤵
PID:452
- C:\Windows\ewlidzrnjdlvcumzcnskz.exe
  ewlidzrnjdlvcumzcnskz.exe
  2⤵
  PID:3960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ewlidzrnjdlvcumzcnskz.exe .
1⤵
PID:2236
- C:\Windows\ewlidzrnjdlvcumzcnskz.exe
  ewlidzrnjdlvcumzcnskz.exe .
  2⤵
  PID:1384
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ewlidzrnjdlvcumzcnskz.exe*."
    3⤵
    PID:4840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c csfatndxrjpxcsitudg.exe
1⤵
PID:1056
- C:\Windows\csfatndxrjpxcsitudg.exe
  csfatndxrjpxcsitudg.exe
  2⤵
  PID:5040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgsmexmfypubfujttb.exe .
1⤵
PID:3496
- C:\Windows\rgsmexmfypubfujttb.exe
  rgsmexmfypubfujttb.exe .
  2⤵
  PID:2228
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\rgsmexmfypubfujttb.exe*."
    3⤵
    PID:1480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
1⤵
PID:1904
- C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
  2⤵
  PID:3920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe .
1⤵
PID:2564
- C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe .
  2⤵
  PID:1964
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\rgsmexmfypubfujttb.exe*."
    3⤵
    PID:2496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
1⤵
PID:3932
- C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
  C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
  2⤵
  PID:4984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe .
1⤵
PID:2544
- C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
  C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe .
  2⤵
  PID:2340
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\pguqkfwrmfmvbsjvxhlc.exe*."
    3⤵
    PID:2020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iwharjxphxbhkymvu.exe
1⤵
PID:4004
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4988
- C:\Windows\iwharjxphxbhkymvu.exe
  iwharjxphxbhkymvu.exe
  2⤵
  PID:3008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c csfatndxrjpxcsitudg.exe .
1⤵
PID:2260
- C:\Windows\csfatndxrjpxcsitudg.exe
  csfatndxrjpxcsitudg.exe .
  2⤵
  PID:3836
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\csfatndxrjpxcsitudg.exe*."
    3⤵
    PID:412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c csfatndxrjpxcsitudg.exe
1⤵
PID:1568
- C:\Windows\csfatndxrjpxcsitudg.exe
  csfatndxrjpxcsitudg.exe
  2⤵
  PID:4228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgsmexmfypubfujttb.exe .
1⤵
PID:1512
- C:\Windows\rgsmexmfypubfujttb.exe
  rgsmexmfypubfujttb.exe .
  2⤵
  PID:4332
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\rgsmexmfypubfujttb.exe*."
    3⤵
    PID:1204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
1⤵
PID:688
- C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
  C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
  2⤵
  PID:2480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe .
1⤵
PID:2644
- C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe .
  2⤵
  PID:2436
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\rgsmexmfypubfujttb.exe*."
    3⤵
    PID:1896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
1⤵
PID:620
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3668
- C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
  2⤵
  PID:1656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe .
1⤵
PID:4064
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4936
- C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe .
  2⤵
  PID:4516
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\boyqgxkbshkprerz.exe*."
    3⤵
    PID:1588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iwharjxphxbhkymvu.exe
1⤵
PID:3932
- C:\Windows\iwharjxphxbhkymvu.exe
  iwharjxphxbhkymvu.exe
  2⤵
  PID:4928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iwharjxphxbhkymvu.exe .
1⤵
PID:3684
- C:\Windows\iwharjxphxbhkymvu.exe
  iwharjxphxbhkymvu.exe .
  2⤵
  PID:2544
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\iwharjxphxbhkymvu.exe*."
    3⤵
    PID:2240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c boyqgxkbshkprerz.exe
1⤵
PID:3060
- C:\Windows\boyqgxkbshkprerz.exe
  boyqgxkbshkprerz.exe
  2⤵
  PID:3384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgsmexmfypubfujttb.exe .
1⤵
PID:4976
- C:\Windows\rgsmexmfypubfujttb.exe
  rgsmexmfypubfujttb.exe .
  2⤵
  PID:4856
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\rgsmexmfypubfujttb.exe*."
    3⤵
    PID:916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
1⤵
PID:408
- C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
  2⤵
  PID:5040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe .
1⤵
PID:2848
- C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe .
  2⤵
  PID:2360
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\iwharjxphxbhkymvu.exe*."
    3⤵
    PID:4248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
1⤵
PID:4484
- C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
  2⤵
  PID:220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe .
1⤵
PID:4040
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3568
- C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe
  C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe .
  2⤵
  PID:2564
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ewlidzrnjdlvcumzcnskz.exe*."
    3⤵
    PID:1752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c boyqgxkbshkprerz.exe
1⤵
PID:3296
- C:\Windows\boyqgxkbshkprerz.exe
  boyqgxkbshkprerz.exe
  2⤵
  PID:1412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pguqkfwrmfmvbsjvxhlc.exe .
1⤵
PID:3212
- C:\Windows\pguqkfwrmfmvbsjvxhlc.exe
  pguqkfwrmfmvbsjvxhlc.exe .
  2⤵
  PID:3984
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\pguqkfwrmfmvbsjvxhlc.exe*."
    3⤵
    PID:3308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c boyqgxkbshkprerz.exe
1⤵
PID:2476
- C:\Windows\boyqgxkbshkprerz.exe
  boyqgxkbshkprerz.exe
  2⤵
  PID:2380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c csfatndxrjpxcsitudg.exe .
1⤵
PID:3740
- C:\Windows\csfatndxrjpxcsitudg.exe
  csfatndxrjpxcsitudg.exe .
  2⤵
  PID:5040
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\csfatndxrjpxcsitudg.exe*."
    3⤵
    PID:2480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe
1⤵
PID:3060
- C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe
  C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe
  2⤵
  PID:3892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe .
1⤵
PID:412
- C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe .
  2⤵
  PID:1120
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\rgsmexmfypubfujttb.exe*."
    3⤵
    PID:2360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe
1⤵
PID:4580
- C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe
  2⤵
  PID:1660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe .
1⤵
PID:4960
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2344
- C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe
  C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe .
  2⤵
  PID:1980
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\csfatndxrjpxcsitudg.exe*."
    3⤵
    PID:1076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgsmexmfypubfujttb.exe
1⤵
PID:3904
- C:\Windows\rgsmexmfypubfujttb.exe
  rgsmexmfypubfujttb.exe
  2⤵
  PID:4568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgsmexmfypubfujttb.exe .
1⤵
PID:1904
- C:\Windows\rgsmexmfypubfujttb.exe
  rgsmexmfypubfujttb.exe .
  2⤵
  PID:2436
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\rgsmexmfypubfujttb.exe*."
    3⤵
    PID:4516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ewlidzrnjdlvcumzcnskz.exe
1⤵
PID:4780
- C:\Windows\ewlidzrnjdlvcumzcnskz.exe
  ewlidzrnjdlvcumzcnskz.exe
  2⤵
  PID:2320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c csfatndxrjpxcsitudg.exe .
1⤵
PID:2484
- C:\Windows\csfatndxrjpxcsitudg.exe
  csfatndxrjpxcsitudg.exe .
  2⤵
  PID:2316
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\csfatndxrjpxcsitudg.exe*."
    3⤵
    PID:4192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
1⤵
PID:880
- C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
  2⤵
  PID:4476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe .
1⤵
PID:4436
- C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
  C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe .
  2⤵
  PID:3832
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\pguqkfwrmfmvbsjvxhlc.exe*."
    3⤵
    PID:2160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe
1⤵
PID:4840
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2236
- C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe
  C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe
  2⤵
  PID:3968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe .
1⤵
PID:4576
- C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe .
  2⤵
  PID:4340
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\rgsmexmfypubfujttb.exe*."
    3⤵
    PID:1940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c boyqgxkbshkprerz.exe
1⤵
PID:2284
- C:\Windows\boyqgxkbshkprerz.exe
  boyqgxkbshkprerz.exe
  2⤵
  PID:2220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c boyqgxkbshkprerz.exe .
1⤵
PID:3768
- C:\Windows\boyqgxkbshkprerz.exe
  boyqgxkbshkprerz.exe .
  2⤵
  PID:3136
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\boyqgxkbshkprerz.exe*."
    3⤵
    PID:3428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c csfatndxrjpxcsitudg.exe
1⤵
PID:4196
- C:\Windows\csfatndxrjpxcsitudg.exe
  csfatndxrjpxcsitudg.exe
  2⤵
  PID:2660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iwharjxphxbhkymvu.exe .
1⤵
PID:3772
- C:\Windows\iwharjxphxbhkymvu.exe
  iwharjxphxbhkymvu.exe .
  2⤵
  PID:2432
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\iwharjxphxbhkymvu.exe*."
    3⤵
    PID:4696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
1⤵
PID:1588
- C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
  C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
  2⤵
  PID:1904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe .
1⤵
PID:1540
- C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe .
  2⤵
  PID:2156
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\iwharjxphxbhkymvu.exe*."
    3⤵
    PID:2556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe
1⤵
PID:4144
- C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe
  C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe
  2⤵
  PID:4280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iwharjxphxbhkymvu.exe
1⤵
PID:4668
- C:\Windows\iwharjxphxbhkymvu.exe
  iwharjxphxbhkymvu.exe
  2⤵
  PID:4228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe .
1⤵
PID:4636
- C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe
  C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe .
  2⤵
  PID:3212
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ewlidzrnjdlvcumzcnskz.exe*."
    3⤵
    PID:3684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ewlidzrnjdlvcumzcnskz.exe
1⤵
PID:5100
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2444
- C:\Windows\ewlidzrnjdlvcumzcnskz.exe
  ewlidzrnjdlvcumzcnskz.exe
  2⤵
  PID:3992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pguqkfwrmfmvbsjvxhlc.exe .
1⤵
PID:2544
- C:\Windows\pguqkfwrmfmvbsjvxhlc.exe
  pguqkfwrmfmvbsjvxhlc.exe .
  2⤵
  PID:2568
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\pguqkfwrmfmvbsjvxhlc.exe*."
    3⤵
    PID:4452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c boyqgxkbshkprerz.exe .
1⤵
PID:3496
- C:\Windows\boyqgxkbshkprerz.exe
  boyqgxkbshkprerz.exe .
  2⤵
  PID:1660
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\boyqgxkbshkprerz.exe*."
    3⤵
    PID:1148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c csfatndxrjpxcsitudg.exe
1⤵
PID:4340
- C:\Windows\csfatndxrjpxcsitudg.exe
  csfatndxrjpxcsitudg.exe
  2⤵
  PID:1544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pguqkfwrmfmvbsjvxhlc.exe .
1⤵
PID:3836
- C:\Windows\pguqkfwrmfmvbsjvxhlc.exe
  pguqkfwrmfmvbsjvxhlc.exe .
  2⤵
  PID:1768
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\pguqkfwrmfmvbsjvxhlc.exe*."
    3⤵
    PID:2544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgsmexmfypubfujttb.exe
1⤵
PID:1788
- C:\Windows\rgsmexmfypubfujttb.exe
  rgsmexmfypubfujttb.exe
  2⤵
  PID:4120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ewlidzrnjdlvcumzcnskz.exe .
1⤵
PID:1812
- C:\Windows\ewlidzrnjdlvcumzcnskz.exe
  ewlidzrnjdlvcumzcnskz.exe .
  2⤵
  PID:4968
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ewlidzrnjdlvcumzcnskz.exe*."
    3⤵
    PID:2432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe
1⤵
PID:1360
- C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe
  2⤵
  PID:2644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe .
1⤵
PID:4932
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2592
- C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe
  C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe .
  2⤵
  PID:2788
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ewlidzrnjdlvcumzcnskz.exe*."
    3⤵
    PID:2004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
1⤵
PID:4196
- C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
  C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
  2⤵
  PID:3928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe .
1⤵
PID:4848
- C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe .
  2⤵
  PID:804
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\iwharjxphxbhkymvu.exe*."
    3⤵
    PID:1464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c boyqgxkbshkprerz.exe
1⤵
PID:1964
- C:\Windows\boyqgxkbshkprerz.exe
  boyqgxkbshkprerz.exe
  2⤵
  PID:1572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe
1⤵
PID:3724
- C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe
  C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe
  2⤵
  PID:4120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgsmexmfypubfujttb.exe .
1⤵
PID:3208
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2340
- C:\Windows\rgsmexmfypubfujttb.exe
  rgsmexmfypubfujttb.exe .
  2⤵
  PID:2020
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\rgsmexmfypubfujttb.exe*."
    3⤵
    PID:2480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe .
1⤵
PID:2028
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4108
- C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
  C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe .
  2⤵
  PID:4036
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\pguqkfwrmfmvbsjvxhlc.exe*."
    3⤵
    PID:3136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
1⤵
PID:4668
- C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
  2⤵
  PID:1456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c csfatndxrjpxcsitudg.exe
1⤵
PID:3736
- C:\Windows\csfatndxrjpxcsitudg.exe
  csfatndxrjpxcsitudg.exe
  2⤵
  PID:2504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe .
1⤵
PID:4240
- C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe .
  2⤵
  PID:3672
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\rgsmexmfypubfujttb.exe*."
    3⤵
    PID:2544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iwharjxphxbhkymvu.exe .
1⤵
PID:2568
- C:\Windows\iwharjxphxbhkymvu.exe
  iwharjxphxbhkymvu.exe .
  2⤵
  PID:4452
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\iwharjxphxbhkymvu.exe*."
    3⤵
    PID:4696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
1⤵
PID:1836
- C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
  C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
  2⤵
  PID:4904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe .
1⤵
PID:3920
- C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe
  C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe .
  2⤵
  PID:1904
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\csfatndxrjpxcsitudg.exe*."
    3⤵
    PID:1812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
1⤵
PID:4068
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1432
- C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
  C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
  2⤵
  PID:1188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe .
1⤵
PID:4968
- C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe .
  2⤵
  PID:3488
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\rgsmexmfypubfujttb.exe*."
    3⤵
    PID:4248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c csfatndxrjpxcsitudg.exe
1⤵
PID:4472
- C:\Windows\csfatndxrjpxcsitudg.exe
  csfatndxrjpxcsitudg.exe
  2⤵
  PID:4196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iwharjxphxbhkymvu.exe .
1⤵
PID:1952
- C:\Windows\iwharjxphxbhkymvu.exe
  iwharjxphxbhkymvu.exe .
  2⤵
  PID:3916
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\iwharjxphxbhkymvu.exe*."
    3⤵
    PID:840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ewlidzrnjdlvcumzcnskz.exe
1⤵
PID:4924
- C:\Windows\ewlidzrnjdlvcumzcnskz.exe
  ewlidzrnjdlvcumzcnskz.exe
  2⤵
  PID:1768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pguqkfwrmfmvbsjvxhlc.exe .
1⤵
PID:452
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4024
- C:\Windows\pguqkfwrmfmvbsjvxhlc.exe
  pguqkfwrmfmvbsjvxhlc.exe .
  2⤵
  PID:4516
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\pguqkfwrmfmvbsjvxhlc.exe*."
    3⤵
    PID:4144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe
1⤵
PID:1120
- C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe
  C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe
  2⤵
  PID:2476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe .
1⤵
PID:4800
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3416
- C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe
  C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe .
  2⤵
  PID:1188
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\csfatndxrjpxcsitudg.exe*."
    3⤵
    PID:4332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
1⤵
PID:2028
- C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
  C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
  2⤵
  PID:880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe .
1⤵
PID:1384
- C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
  C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe .
  2⤵
  PID:3504
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\pguqkfwrmfmvbsjvxhlc.exe*."
    3⤵
    PID:2160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgsmexmfypubfujttb.exe
1⤵
PID:1700
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3308
- C:\Windows\rgsmexmfypubfujttb.exe
  rgsmexmfypubfujttb.exe
  2⤵
  PID:3904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c boyqgxkbshkprerz.exe .
1⤵
PID:3836
- C:\Windows\boyqgxkbshkprerz.exe
  boyqgxkbshkprerz.exe .
  2⤵
  PID:2788
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\boyqgxkbshkprerz.exe*."
    3⤵
    PID:2016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgsmexmfypubfujttb.exe
1⤵
PID:2248
- C:\Windows\rgsmexmfypubfujttb.exe
  rgsmexmfypubfujttb.exe
  2⤵
  PID:2220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ewlidzrnjdlvcumzcnskz.exe .
1⤵
PID:2564
- C:\Windows\ewlidzrnjdlvcumzcnskz.exe
  ewlidzrnjdlvcumzcnskz.exe .
  2⤵
  PID:1924
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ewlidzrnjdlvcumzcnskz.exe*."
    3⤵
    PID:1852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe
1⤵
PID:3664
- C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe
  C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe
  2⤵
  PID:2380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe .
1⤵
PID:1940
- C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe .
  2⤵
  PID:3216
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\iwharjxphxbhkymvu.exe*."
    3⤵
    PID:1952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
1⤵
PID:5044
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1768
- C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
  C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
  2⤵
  PID:1076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe .
1⤵
PID:1596
- C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
  C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe .
  2⤵
  PID:3136
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\pguqkfwrmfmvbsjvxhlc.exe*."
    3⤵
    PID:1120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c csfatndxrjpxcsitudg.exe
1⤵
PID:4764
- C:\Windows\csfatndxrjpxcsitudg.exe
  csfatndxrjpxcsitudg.exe
  2⤵
  PID:2340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgsmexmfypubfujttb.exe .
1⤵
PID:880
- C:\Windows\rgsmexmfypubfujttb.exe
  rgsmexmfypubfujttb.exe .
  2⤵
  PID:4960
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\rgsmexmfypubfujttb.exe*."
    3⤵
    PID:2344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgsmexmfypubfujttb.exe
1⤵
PID:1544
- C:\Windows\rgsmexmfypubfujttb.exe
  rgsmexmfypubfujttb.exe
  2⤵
  PID:624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ewlidzrnjdlvcumzcnskz.exe .
1⤵
PID:4368
- C:\Windows\ewlidzrnjdlvcumzcnskz.exe
  ewlidzrnjdlvcumzcnskz.exe .
  2⤵
  PID:5060
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ewlidzrnjdlvcumzcnskz.exe*."
    3⤵
    PID:3868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe
1⤵
PID:60
- C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe
  2⤵
  PID:4956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe .
1⤵
PID:2284
- C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe
  C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe .
  2⤵
  PID:3264
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ewlidzrnjdlvcumzcnskz.exe*."
    3⤵
    PID:3712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
1⤵
PID:2788
- C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
  2⤵
  PID:3832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe .
1⤵
PID:4848
- C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe .
  2⤵
  PID:1216
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\iwharjxphxbhkymvu.exe*."
    3⤵
    PID:4280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c boyqgxkbshkprerz.exe
1⤵
PID:1480
- C:\Windows\boyqgxkbshkprerz.exe
  boyqgxkbshkprerz.exe
  2⤵
  PID:1540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c boyqgxkbshkprerz.exe .
1⤵
PID:1660
- C:\Windows\boyqgxkbshkprerz.exe
  boyqgxkbshkprerz.exe .
  2⤵
  PID:2636
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\boyqgxkbshkprerz.exe*."
    3⤵
    PID:1076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pguqkfwrmfmvbsjvxhlc.exe
1⤵
PID:2020
- C:\Windows\pguqkfwrmfmvbsjvxhlc.exe
  pguqkfwrmfmvbsjvxhlc.exe
  2⤵
  PID:4788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c csfatndxrjpxcsitudg.exe .
1⤵
PID:1412
- C:\Windows\csfatndxrjpxcsitudg.exe
  csfatndxrjpxcsitudg.exe .
  2⤵
  PID:2476
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\csfatndxrjpxcsitudg.exe*."
    3⤵
    PID:4392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe
1⤵
PID:916
- C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe
  2⤵
  PID:2252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe .
1⤵
PID:1748
- C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe .
  2⤵
  PID:3288
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\rgsmexmfypubfujttb.exe*."
    3⤵
    PID:2804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe
1⤵
PID:4576
- C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe
  2⤵
  PID:4108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe .
1⤵
PID:1692
- C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
  C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe .
  2⤵
  PID:1780
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\pguqkfwrmfmvbsjvxhlc.exe*."
    3⤵
    PID:3152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ewlidzrnjdlvcumzcnskz.exe
1⤵
PID:4712
- C:\Windows\ewlidzrnjdlvcumzcnskz.exe
  ewlidzrnjdlvcumzcnskz.exe
  2⤵
  PID:4100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ewlidzrnjdlvcumzcnskz.exe .
1⤵
PID:4092
- C:\Windows\ewlidzrnjdlvcumzcnskz.exe
  ewlidzrnjdlvcumzcnskz.exe .
  2⤵
  PID:5052
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ewlidzrnjdlvcumzcnskz.exe*."
    3⤵
    PID:3832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c boyqgxkbshkprerz.exe
1⤵
PID:3716
- C:\Windows\boyqgxkbshkprerz.exe
  boyqgxkbshkprerz.exe
  2⤵
  PID:3712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pguqkfwrmfmvbsjvxhlc.exe .
1⤵
PID:2284
- C:\Windows\pguqkfwrmfmvbsjvxhlc.exe
  pguqkfwrmfmvbsjvxhlc.exe .
  2⤵
  PID:4136
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\pguqkfwrmfmvbsjvxhlc.exe*."
    3⤵
    PID:5040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
1⤵
PID:2788
- C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
  2⤵
  PID:3256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe .
1⤵
PID:3496
- C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe
  C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe .
  2⤵
  PID:3060
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ewlidzrnjdlvcumzcnskz.exe*."
    3⤵
    PID:3916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
1⤵
PID:1980
- C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
  C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
  2⤵
  PID:3772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe .
1⤵
PID:4632
- C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe
  C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe .
  2⤵
  PID:1660
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ewlidzrnjdlvcumzcnskz.exe*."
    3⤵
    PID:3244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c boyqgxkbshkprerz.exe
1⤵
PID:2252
- C:\Windows\boyqgxkbshkprerz.exe
  boyqgxkbshkprerz.exe
  2⤵
  PID:3988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ewlidzrnjdlvcumzcnskz.exe
1⤵
PID:2228
- C:\Windows\ewlidzrnjdlvcumzcnskz.exe
  ewlidzrnjdlvcumzcnskz.exe
  2⤵
  PID:1204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iwharjxphxbhkymvu.exe
1⤵
PID:3572
- C:\Windows\iwharjxphxbhkymvu.exe
  iwharjxphxbhkymvu.exe
  2⤵
  PID:3208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iwharjxphxbhkymvu.exe .
1⤵
PID:1928
- C:\Windows\iwharjxphxbhkymvu.exe
  iwharjxphxbhkymvu.exe .
  2⤵
  PID:392
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\iwharjxphxbhkymvu.exe*."
    3⤵
    PID:3356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c boyqgxkbshkprerz.exe .
1⤵
PID:4912
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4764
- C:\Windows\boyqgxkbshkprerz.exe
  boyqgxkbshkprerz.exe .
  2⤵
  PID:4232
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\boyqgxkbshkprerz.exe*."
    3⤵
    PID:3488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgsmexmfypubfujttb.exe .
1⤵
PID:4040
- C:\Windows\rgsmexmfypubfujttb.exe
  rgsmexmfypubfujttb.exe .
  2⤵
  PID:3444
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\rgsmexmfypubfujttb.exe*."
    3⤵
    PID:4580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c boyqgxkbshkprerz.exe
1⤵
PID:4420
- C:\Windows\boyqgxkbshkprerz.exe
  boyqgxkbshkprerz.exe
  2⤵
  PID:3984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgsmexmfypubfujttb.exe
1⤵
PID:880
- C:\Windows\rgsmexmfypubfujttb.exe
  rgsmexmfypubfujttb.exe
  2⤵
  PID:2156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pguqkfwrmfmvbsjvxhlc.exe
1⤵
PID:4408
- C:\Windows\pguqkfwrmfmvbsjvxhlc.exe
  pguqkfwrmfmvbsjvxhlc.exe
  2⤵
  PID:3496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pguqkfwrmfmvbsjvxhlc.exe .
1⤵
PID:5060
- C:\Windows\pguqkfwrmfmvbsjvxhlc.exe
  pguqkfwrmfmvbsjvxhlc.exe .
  2⤵
  PID:4572
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\pguqkfwrmfmvbsjvxhlc.exe*."
    3⤵
    PID:2960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgsmexmfypubfujttb.exe .
1⤵
PID:4712
- C:\Windows\rgsmexmfypubfujttb.exe
  rgsmexmfypubfujttb.exe .
  2⤵
  PID:2380
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\rgsmexmfypubfujttb.exe*."
    3⤵
    PID:3496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c boyqgxkbshkprerz.exe .
1⤵
PID:388
- C:\Windows\boyqgxkbshkprerz.exe
  boyqgxkbshkprerz.exe .
  2⤵
  PID:1656
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\boyqgxkbshkprerz.exe*."
    3⤵
    PID:1936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
1⤵
PID:3092
- C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
  2⤵
  PID:1596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
1⤵
PID:5088
- C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
  2⤵
  PID:3300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
1⤵
PID:4988
- C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
  C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
  2⤵
  PID:1812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe .
1⤵
PID:212
- C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe .
  2⤵
  PID:4452
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\iwharjxphxbhkymvu.exe*."
    3⤵
    PID:1536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe .
1⤵
PID:3724
- C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe .
  2⤵
  PID:1148
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\iwharjxphxbhkymvu.exe*."
    3⤵
    PID:4248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe .
1⤵
PID:1852
- C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe .
  2⤵
  PID:3672
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\boyqgxkbshkprerz.exe*."
    3⤵
    PID:1936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
1⤵
PID:1752
- C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
  2⤵
  PID:4620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
1⤵
PID:2160
- C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
  C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
  2⤵
  PID:4928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
1⤵
PID:3152
- C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
  2⤵
  PID:3488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe .
1⤵
PID:3120
- C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe .
  2⤵
  PID:3300
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\iwharjxphxbhkymvu.exe*."
    3⤵
    PID:1372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe .
1⤵
PID:1464
- C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe .
  2⤵
  PID:2132
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\iwharjxphxbhkymvu.exe*."
    3⤵
    PID:4572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe .
1⤵
PID:2764
- C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe
  C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe .
  2⤵
  PID:1456
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ewlidzrnjdlvcumzcnskz.exe*."
    3⤵
    PID:620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ewlidzrnjdlvcumzcnskz.exe
1⤵
PID:3740
- C:\Windows\ewlidzrnjdlvcumzcnskz.exe
  ewlidzrnjdlvcumzcnskz.exe
  2⤵
  PID:1384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ewlidzrnjdlvcumzcnskz.exe .
1⤵
PID:4932
- C:\Windows\ewlidzrnjdlvcumzcnskz.exe
  ewlidzrnjdlvcumzcnskz.exe .
  2⤵
  PID:4568
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ewlidzrnjdlvcumzcnskz.exe*."
    3⤵
    PID:4840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iwharjxphxbhkymvu.exe
1⤵
PID:2484
- C:\Windows\iwharjxphxbhkymvu.exe
  iwharjxphxbhkymvu.exe
  2⤵
  PID:2240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c boyqgxkbshkprerz.exe .
1⤵
PID:2408
- C:\Windows\boyqgxkbshkprerz.exe
  boyqgxkbshkprerz.exe .
  2⤵
  PID:4788
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\boyqgxkbshkprerz.exe*."
    3⤵
    PID:1596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe
1⤵
PID:4552
- C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe
  C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe
  2⤵
  PID:1188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe .
1⤵
PID:1924
- C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe .
  2⤵
  PID:2384
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\iwharjxphxbhkymvu.exe*."
    3⤵
    PID:5036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
1⤵
PID:4832
- C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
  2⤵
  PID:1588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe .
1⤵
PID:2676
- C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
  C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe .
  2⤵
  PID:3296
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\pguqkfwrmfmvbsjvxhlc.exe*."
    3⤵
    PID:2312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ewlidzrnjdlvcumzcnskz.exe
1⤵
PID:5084
- C:\Windows\ewlidzrnjdlvcumzcnskz.exe
  ewlidzrnjdlvcumzcnskz.exe
  2⤵
  PID:1328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgsmexmfypubfujttb.exe .
1⤵
PID:1656
- C:\Windows\rgsmexmfypubfujttb.exe
  rgsmexmfypubfujttb.exe .
  2⤵
  PID:4108
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\rgsmexmfypubfujttb.exe*."
    3⤵
    PID:1480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iwharjxphxbhkymvu.exe
1⤵
PID:1508
- C:\Windows\iwharjxphxbhkymvu.exe
  iwharjxphxbhkymvu.exe
  2⤵
  PID:1032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pguqkfwrmfmvbsjvxhlc.exe .
1⤵
PID:412
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2016
- C:\Windows\pguqkfwrmfmvbsjvxhlc.exe
  pguqkfwrmfmvbsjvxhlc.exe .
  2⤵
  PID:3260
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\pguqkfwrmfmvbsjvxhlc.exe*."
    3⤵
    PID:840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe
1⤵
PID:2684
- C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe
  C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe
  2⤵
  PID:1120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe .
1⤵
PID:4544
- C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe .
  2⤵
  PID:1056
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\rgsmexmfypubfujttb.exe*."
    3⤵
    PID:3216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
1⤵
PID:2284
- C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
  2⤵
  PID:4032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe .
1⤵
PID:3928
- C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe
  C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe .
  2⤵
  PID:4516
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ewlidzrnjdlvcumzcnskz.exe*."
    3⤵
    PID:1880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iwharjxphxbhkymvu.exe
1⤵
PID:2040
- C:\Windows\iwharjxphxbhkymvu.exe
  iwharjxphxbhkymvu.exe
  2⤵
  PID:3724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgsmexmfypubfujttb.exe .
1⤵
PID:3264
- C:\Windows\rgsmexmfypubfujttb.exe
  rgsmexmfypubfujttb.exe .
  2⤵
  PID:4552
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\rgsmexmfypubfujttb.exe*."
    3⤵
    PID:2020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iwharjxphxbhkymvu.exe
1⤵
PID:1676
- C:\Windows\iwharjxphxbhkymvu.exe
  iwharjxphxbhkymvu.exe
  2⤵
  PID:1668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c boyqgxkbshkprerz.exe .
1⤵
PID:2480
- C:\Windows\boyqgxkbshkprerz.exe
  boyqgxkbshkprerz.exe .
  2⤵
  PID:3432
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\boyqgxkbshkprerz.exe*."
    3⤵
    PID:4696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
1⤵
PID:2340
- C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
  2⤵
  PID:1316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe .
1⤵
PID:2960
- C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe .
  2⤵
  PID:772
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\rgsmexmfypubfujttb.exe*."
    3⤵
    PID:4408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
1⤵
PID:4868
- C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
  2⤵
  PID:868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe .
1⤵
PID:3000
- C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe .
  2⤵
  PID:2432
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\rgsmexmfypubfujttb.exe*."
    3⤵
    PID:2184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgsmexmfypubfujttb.exe
1⤵
PID:4576
- C:\Windows\rgsmexmfypubfujttb.exe
  rgsmexmfypubfujttb.exe
  2⤵
  PID:2556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgsmexmfypubfujttb.exe .
1⤵
PID:3256
- C:\Windows\rgsmexmfypubfujttb.exe
  rgsmexmfypubfujttb.exe .
  2⤵
  PID:1284
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\rgsmexmfypubfujttb.exe*."
    3⤵
    PID:1980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c csfatndxrjpxcsitudg.exe
1⤵
PID:4636
- C:\Windows\csfatndxrjpxcsitudg.exe
  csfatndxrjpxcsitudg.exe
  2⤵
  PID:4032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pguqkfwrmfmvbsjvxhlc.exe .
1⤵
PID:2816
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:624
- C:\Windows\pguqkfwrmfmvbsjvxhlc.exe
  pguqkfwrmfmvbsjvxhlc.exe .
  2⤵
  PID:4796
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\pguqkfwrmfmvbsjvxhlc.exe*."
    3⤵
    PID:3492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe
1⤵
PID:2472
- C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe
  C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe
  2⤵
  PID:2924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe .
1⤵
PID:1536
- C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
  C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe .
  2⤵
  PID:3724
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\pguqkfwrmfmvbsjvxhlc.exe*."
    3⤵
    PID:3664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
1⤵
PID:3240
- C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
  2⤵
  PID:3772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe .
1⤵
PID:3456
- C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe .
  2⤵
  PID:1216
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\iwharjxphxbhkymvu.exe*."
    3⤵
    PID:4572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c csfatndxrjpxcsitudg.exe
1⤵
PID:4696
- C:\Windows\csfatndxrjpxcsitudg.exe
  csfatndxrjpxcsitudg.exe
  2⤵
  PID:1432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pguqkfwrmfmvbsjvxhlc.exe .
1⤵
PID:3212
- C:\Windows\pguqkfwrmfmvbsjvxhlc.exe
  pguqkfwrmfmvbsjvxhlc.exe .
  2⤵
  PID:4960
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\pguqkfwrmfmvbsjvxhlc.exe*."
    3⤵
    PID:4120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pguqkfwrmfmvbsjvxhlc.exe
1⤵
PID:4872
- C:\Windows\pguqkfwrmfmvbsjvxhlc.exe
  pguqkfwrmfmvbsjvxhlc.exe
  2⤵
  PID:1328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c boyqgxkbshkprerz.exe .
1⤵
PID:3768
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4800
- C:\Windows\boyqgxkbshkprerz.exe
  boyqgxkbshkprerz.exe .
  2⤵
  PID:2432
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\boyqgxkbshkprerz.exe*."
    3⤵
    PID:2556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
1⤵
PID:1964
- C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
  2⤵
  PID:4064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe .
1⤵
PID:4004
- C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe .
  2⤵
  PID:1544
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\iwharjxphxbhkymvu.exe*."
    3⤵
    PID:2476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
1⤵
PID:2592
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5060
- C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
  C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
  2⤵
  PID:1136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe .
1⤵
PID:2636
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2016
- C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe
  C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe .
  2⤵
  PID:3244
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ewlidzrnjdlvcumzcnskz.exe*."
    3⤵
    PID:2788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c boyqgxkbshkprerz.exe
1⤵
PID:4988
- C:\Windows\boyqgxkbshkprerz.exe
  boyqgxkbshkprerz.exe
  2⤵
  PID:4144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ewlidzrnjdlvcumzcnskz.exe .
1⤵
PID:2332
- C:\Windows\ewlidzrnjdlvcumzcnskz.exe
  ewlidzrnjdlvcumzcnskz.exe .
  2⤵
  PID:2040
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ewlidzrnjdlvcumzcnskz.exe*."
    3⤵
    PID:2408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c boyqgxkbshkprerz.exe
1⤵
PID:3664
- C:\Windows\boyqgxkbshkprerz.exe
  boyqgxkbshkprerz.exe
  2⤵
  PID:3136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgsmexmfypubfujttb.exe .
1⤵
PID:3240
- C:\Windows\rgsmexmfypubfujttb.exe
  rgsmexmfypubfujttb.exe .
  2⤵
  PID:2544
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\rgsmexmfypubfujttb.exe*."
    3⤵
    PID:3304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pguqkfwrmfmvbsjvxhlc.exe
1⤵
PID:4788
- C:\Windows\pguqkfwrmfmvbsjvxhlc.exe
  pguqkfwrmfmvbsjvxhlc.exe
  2⤵
  PID:2644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c csfatndxrjpxcsitudg.exe
1⤵
PID:1216
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3300
- C:\Windows\csfatndxrjpxcsitudg.exe
  csfatndxrjpxcsitudg.exe
  2⤵
  PID:8

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
1⤵
PID:3456
- C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\iwharjxphxbhkymvu.exe
  2⤵
  PID:1928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe .
1⤵
PID:2848
- C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe
  C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe .
  2⤵
  PID:5064
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ewlidzrnjdlvcumzcnskz.exe*."
    3⤵
    PID:1836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pguqkfwrmfmvbsjvxhlc.exe .
1⤵
PID:4696
- C:\Windows\pguqkfwrmfmvbsjvxhlc.exe
  pguqkfwrmfmvbsjvxhlc.exe .
  2⤵
  PID:1328
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\pguqkfwrmfmvbsjvxhlc.exe*."
    3⤵
    PID:4864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ewlidzrnjdlvcumzcnskz.exe .
1⤵
PID:4876
- C:\Windows\ewlidzrnjdlvcumzcnskz.exe
  ewlidzrnjdlvcumzcnskz.exe .
  2⤵
  PID:2684
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ewlidzrnjdlvcumzcnskz.exe*."
    3⤵
    PID:4544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iwharjxphxbhkymvu.exe
1⤵
PID:3208
- C:\Windows\iwharjxphxbhkymvu.exe
  iwharjxphxbhkymvu.exe
  2⤵
  PID:5100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pguqkfwrmfmvbsjvxhlc.exe
1⤵
PID:1120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
1⤵
PID:3736
- C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
  2⤵
  PID:4472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pguqkfwrmfmvbsjvxhlc.exe .
1⤵
PID:4240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c boyqgxkbshkprerz.exe .
1⤵
PID:3668
- C:\Windows\boyqgxkbshkprerz.exe
  boyqgxkbshkprerz.exe .
  2⤵
  PID:1812
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\boyqgxkbshkprerz.exe*."
    3⤵
    PID:2740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe .
1⤵
PID:1244
- C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\rgsmexmfypubfujttb.exe .
  2⤵
  PID:4936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
1⤵
PID:4548
- C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
  C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
  2⤵
  PID:1692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe
1⤵
PID:4436
- C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe
  C:\Users\Admin\AppData\Local\Temp\ewlidzrnjdlvcumzcnskz.exe
  2⤵
  PID:2376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe .
1⤵
PID:3496
- C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe .
  2⤵
  PID:1588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe .
1⤵
PID:2764
- C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe .
  2⤵
  PID:828
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\boyqgxkbshkprerz.exe*."
    3⤵
    PID:1564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe
1⤵
PID:2532
- C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\boyqgxkbshkprerz.exe
  2⤵
  PID:3412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe
1⤵
PID:4924
- C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe
  C:\Users\Admin\AppData\Local\Temp\csfatndxrjpxcsitudg.exe
  2⤵
  PID:1360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe .
1⤵
PID:3608
- C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe
  C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe .
  2⤵
  PID:3444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pguqkfwrmfmvbsjvxhlc.exe .
1⤵
PID:3928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bsnikaspkflvcumzcnpgb.exe
1⤵
PID:1852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zohaaoezslpxcsitudd.exe .
1⤵
PID:3456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rgsmexmfypubfujttb.exe
1⤵
PID:220
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Modify Registry