pykspa | 2ba78cfc0247a07c1fb24e7ffebe1814bd0fe2e486785e978e229e4dd731432b

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	cfqwvcs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	cfqwvcs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	gncxrwpmqxm.exe

Pykspa
Pykspa is a worm spreads via Skype uses DGA and it's written in C++.
worm pykspa
Pykspa family
pykspa

UAC bypass 3 TTPs 20 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cfqwvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cfqwvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cfqwvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cfqwvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	cfqwvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cfqwvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	cfqwvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cfqwvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	gncxrwpmqxm.exe

Detect Pykspa worm 2 IoCs

worm

resource	yara_rule
behavioral2/files/0x00050000000227b2-4.dat	family_pykspa
behavioral2/files/0x00070000000242dd-106.dat	family_pykspa

Adds policy Run key to start application 2 TTPs 35 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whaovkiskvaledb = "rfbscuvidrznjlmyyc.exe"	gncxrwpmqxm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whaovkiskvaledb = "rfbscuvidrznjlmyyc.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whaovkiskvaledb = "rfbscuvidrznjlmyyc.exe"	cfqwvcs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tbrcgsnujrtb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ivqgpggsmzgtoppaz.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tbrcgsnujrtb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crogrkmawlujgjlyzeg.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tbrcgsnujrtb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ivqgpggsmzgtoppaz.exe"	cfqwvcs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tbrcgsnujrtb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pfdwicfurhrhfjmacilb.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whaovkiskvaledb = "rfbscuvidrznjlmyyc.exe"	cfqwvcs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whaovkiskvaledb = "bnhweutexjpbvvue.exe"	cfqwvcs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tbrcgsnujrtb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ivqgpggsmzgtoppaz.exe"	cfqwvcs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tbrcgsnujrtb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bnhweutexjpbvvue.exe"	gncxrwpmqxm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tbrcgsnujrtb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ivqgpggsmzgtoppaz.exe"	gncxrwpmqxm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	cfqwvcs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whaovkiskvaledb = "rfbscuvidrznjlmyyc.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tbrcgsnujrtb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bnhweutexjpbvvue.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tbrcgsnujrtb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ivqgpggsmzgtoppaz.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tbrcgsnujrtb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pfdwicfurhrhfjmacilb.exe"	cfqwvcs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	cfqwvcs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whaovkiskvaledb = "evuobwaqofqhglpehosji.exe"	cfqwvcs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	gncxrwpmqxm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whaovkiskvaledb = "evuobwaqofqhglpehosji.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tbrcgsnujrtb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pfdwicfurhrhfjmacilb.exe"	cfqwvcs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whaovkiskvaledb = "bnhweutexjpbvvue.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whaovkiskvaledb = "rfbscuvidrznjlmyyc.exe"	gncxrwpmqxm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whaovkiskvaledb = "evuobwaqofqhglpehosji.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tbrcgsnujrtb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ivqgpggsmzgtoppaz.exe"	gncxrwpmqxm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	gncxrwpmqxm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whaovkiskvaledb = "ivqgpggsmzgtoppaz.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whaovkiskvaledb = "ivqgpggsmzgtoppaz.exe"	cfqwvcs.exe

Disables RegEdit via registry modification 13 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cfqwvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cfqwvcs.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cfqwvcs.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cfqwvcs.exe

Checks computer location settings 2 TTPs 50 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	evuobwaqofqhglpehosji.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	crogrkmawlujgjlyzeg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	evuobwaqofqhglpehosji.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	crogrkmawlujgjlyzeg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	JaffaCakes118_94de1d6ae38c18d132f69a221ea2407d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	bnhweutexjpbvvue.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	pfdwicfurhrhfjmacilb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	ivqgpggsmzgtoppaz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	pfdwicfurhrhfjmacilb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	crogrkmawlujgjlyzeg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	bnhweutexjpbvvue.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	rfbscuvidrznjlmyyc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	pfdwicfurhrhfjmacilb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	rfbscuvidrznjlmyyc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	bnhweutexjpbvvue.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	crogrkmawlujgjlyzeg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	rfbscuvidrznjlmyyc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	pfdwicfurhrhfjmacilb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	evuobwaqofqhglpehosji.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	evuobwaqofqhglpehosji.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	pfdwicfurhrhfjmacilb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	bnhweutexjpbvvue.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	ivqgpggsmzgtoppaz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	ivqgpggsmzgtoppaz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	crogrkmawlujgjlyzeg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	pfdwicfurhrhfjmacilb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	pfdwicfurhrhfjmacilb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	ivqgpggsmzgtoppaz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	rfbscuvidrznjlmyyc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	crogrkmawlujgjlyzeg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	ivqgpggsmzgtoppaz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	bnhweutexjpbvvue.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	crogrkmawlujgjlyzeg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	crogrkmawlujgjlyzeg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	bnhweutexjpbvvue.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	pfdwicfurhrhfjmacilb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	evuobwaqofqhglpehosji.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	rfbscuvidrznjlmyyc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	pfdwicfurhrhfjmacilb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	crogrkmawlujgjlyzeg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	crogrkmawlujgjlyzeg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	gncxrwpmqxm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	ivqgpggsmzgtoppaz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	bnhweutexjpbvvue.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	bnhweutexjpbvvue.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	evuobwaqofqhglpehosji.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	ivqgpggsmzgtoppaz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	evuobwaqofqhglpehosji.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	ivqgpggsmzgtoppaz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	rfbscuvidrznjlmyyc.exe

Executes dropped EXE 64 IoCs

pid	Process
2692	gncxrwpmqxm.exe
5240	pfdwicfurhrhfjmacilb.exe
1896	crogrkmawlujgjlyzeg.exe
4888	gncxrwpmqxm.exe
3772	evuobwaqofqhglpehosji.exe
3752	crogrkmawlujgjlyzeg.exe
1780	bnhweutexjpbvvue.exe
4776	gncxrwpmqxm.exe
3740	crogrkmawlujgjlyzeg.exe
60	gncxrwpmqxm.exe
2788	ivqgpggsmzgtoppaz.exe
1932	crogrkmawlujgjlyzeg.exe
4996	gncxrwpmqxm.exe
5460	cfqwvcs.exe
5772	cfqwvcs.exe
3748	crogrkmawlujgjlyzeg.exe
5844	ivqgpggsmzgtoppaz.exe
4912	evuobwaqofqhglpehosji.exe
6096	gncxrwpmqxm.exe
5556	crogrkmawlujgjlyzeg.exe
4488	rfbscuvidrznjlmyyc.exe
1336	gncxrwpmqxm.exe
2572	rfbscuvidrznjlmyyc.exe
1820	evuobwaqofqhglpehosji.exe
4716	crogrkmawlujgjlyzeg.exe
2276	rfbscuvidrznjlmyyc.exe
4664	crogrkmawlujgjlyzeg.exe
4992	gncxrwpmqxm.exe
2480	bnhweutexjpbvvue.exe
5572	bnhweutexjpbvvue.exe
1084	pfdwicfurhrhfjmacilb.exe
1044	ivqgpggsmzgtoppaz.exe
3272	crogrkmawlujgjlyzeg.exe
6004	bnhweutexjpbvvue.exe
5100	gncxrwpmqxm.exe
2344	gncxrwpmqxm.exe
1696	pfdwicfurhrhfjmacilb.exe
5172	ivqgpggsmzgtoppaz.exe
5428	ivqgpggsmzgtoppaz.exe
2896	gncxrwpmqxm.exe
1524	gncxrwpmqxm.exe
5216	gncxrwpmqxm.exe
720	gncxrwpmqxm.exe
1224	pfdwicfurhrhfjmacilb.exe
5068	evuobwaqofqhglpehosji.exe
1772	ivqgpggsmzgtoppaz.exe
876	bnhweutexjpbvvue.exe
2912	gncxrwpmqxm.exe
2272	gncxrwpmqxm.exe
852	crogrkmawlujgjlyzeg.exe
232	bnhweutexjpbvvue.exe
3984	gncxrwpmqxm.exe
4652	crogrkmawlujgjlyzeg.exe
5964	evuobwaqofqhglpehosji.exe
4028	bnhweutexjpbvvue.exe
1576	gncxrwpmqxm.exe
3084	bnhweutexjpbvvue.exe
5516	bnhweutexjpbvvue.exe
2980	crogrkmawlujgjlyzeg.exe
4632	rfbscuvidrznjlmyyc.exe
3556	gncxrwpmqxm.exe
2932	crogrkmawlujgjlyzeg.exe
3320	ivqgpggsmzgtoppaz.exe
3740	rfbscuvidrznjlmyyc.exe

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	cfqwvcs.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	cfqwvcs.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	cfqwvcs.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	cfqwvcs.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	cfqwvcs.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	cfqwvcs.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

defense_evasion persistence privilege_escalation

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rfbscuvidrznjlmyyc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\evuobwaqofqhglpehosji.exe ."	cfqwvcs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sbsejwsaqzclc = "bnhweutexjpbvvue.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sbsejwsaqzclc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crogrkmawlujgjlyzeg.exe"	cfqwvcs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tdvioczizjnxpn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pfdwicfurhrhfjmacilb.exe ."	cfqwvcs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sbsejwsaqzclc = "ivqgpggsmzgtoppaz.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\crogrkmawlujgjlyzeg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bnhweutexjpbvvue.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sbsejwsaqzclc = "bnhweutexjpbvvue.exe"	cfqwvcs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ivqgpggsmzgtoppaz = "pfdwicfurhrhfjmacilb.exe ."	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\crogrkmawlujgjlyzeg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bnhweutexjpbvvue.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rfbscuvidrznjlmyyc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crogrkmawlujgjlyzeg.exe ."	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tdvioczizjnxpn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crogrkmawlujgjlyzeg.exe ."	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ivqgpggsmzgtoppaz = "evuobwaqofqhglpehosji.exe ."	cfqwvcs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\crogrkmawlujgjlyzeg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crogrkmawlujgjlyzeg.exe"	cfqwvcs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rfbscuvidrznjlmyyc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bnhweutexjpbvvue.exe ."	cfqwvcs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ivqgpggsmzgtoppaz = "pfdwicfurhrhfjmacilb.exe ."	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\crogrkmawlujgjlyzeg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rfbscuvidrznjlmyyc.exe"	cfqwvcs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rfbscuvidrznjlmyyc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ivqgpggsmzgtoppaz.exe ."	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sbsejwsaqzclc = "pfdwicfurhrhfjmacilb.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tdvioczizjnxpn = "bnhweutexjpbvvue.exe ."	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bnhweutexjpbvvue = "crogrkmawlujgjlyzeg.exe"	cfqwvcs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tdvioczizjnxpn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bnhweutexjpbvvue.exe ."	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tdvioczizjnxpn = "evuobwaqofqhglpehosji.exe ."	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ivqgpggsmzgtoppaz = "ivqgpggsmzgtoppaz.exe ."	cfqwvcs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tdvioczizjnxpn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\evuobwaqofqhglpehosji.exe ."	cfqwvcs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sbsejwsaqzclc = "crogrkmawlujgjlyzeg.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tdvioczizjnxpn = "crogrkmawlujgjlyzeg.exe ."	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ivqgpggsmzgtoppaz = "crogrkmawlujgjlyzeg.exe ."	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\crogrkmawlujgjlyzeg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bnhweutexjpbvvue.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sbsejwsaqzclc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ivqgpggsmzgtoppaz.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rfbscuvidrznjlmyyc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crogrkmawlujgjlyzeg.exe ."	cfqwvcs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sbsejwsaqzclc = "bnhweutexjpbvvue.exe"	cfqwvcs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rfbscuvidrznjlmyyc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pfdwicfurhrhfjmacilb.exe ."	cfqwvcs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sbsejwsaqzclc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\evuobwaqofqhglpehosji.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tdvioczizjnxpn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pfdwicfurhrhfjmacilb.exe ."	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sbsejwsaqzclc = "evuobwaqofqhglpehosji.exe"	cfqwvcs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sbsejwsaqzclc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crogrkmawlujgjlyzeg.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tdvioczizjnxpn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pfdwicfurhrhfjmacilb.exe ."	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ivqgpggsmzgtoppaz = "pfdwicfurhrhfjmacilb.exe ."	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ivqgpggsmzgtoppaz = "crogrkmawlujgjlyzeg.exe ."	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ivqgpggsmzgtoppaz = "ivqgpggsmzgtoppaz.exe ."	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\crogrkmawlujgjlyzeg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ivqgpggsmzgtoppaz.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rfbscuvidrznjlmyyc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bnhweutexjpbvvue.exe ."	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sbsejwsaqzclc = "pfdwicfurhrhfjmacilb.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rfbscuvidrznjlmyyc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crogrkmawlujgjlyzeg.exe ."	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bnhweutexjpbvvue = "ivqgpggsmzgtoppaz.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bnhweutexjpbvvue = "pfdwicfurhrhfjmacilb.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tdvioczizjnxpn = "rfbscuvidrznjlmyyc.exe ."	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tdvioczizjnxpn = "bnhweutexjpbvvue.exe ."	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sbsejwsaqzclc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pfdwicfurhrhfjmacilb.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tdvioczizjnxpn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bnhweutexjpbvvue.exe ."	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tdvioczizjnxpn = "rfbscuvidrznjlmyyc.exe ."	cfqwvcs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tdvioczizjnxpn = "rfbscuvidrznjlmyyc.exe ."	cfqwvcs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sbsejwsaqzclc = "evuobwaqofqhglpehosji.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bnhweutexjpbvvue = "evuobwaqofqhglpehosji.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bnhweutexjpbvvue = "rfbscuvidrznjlmyyc.exe"	cfqwvcs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bnhweutexjpbvvue = "evuobwaqofqhglpehosji.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rfbscuvidrznjlmyyc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ivqgpggsmzgtoppaz.exe ."	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\crogrkmawlujgjlyzeg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rfbscuvidrznjlmyyc.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sbsejwsaqzclc = "rfbscuvidrznjlmyyc.exe"	cfqwvcs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bnhweutexjpbvvue = "bnhweutexjpbvvue.exe"	cfqwvcs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ivqgpggsmzgtoppaz = "bnhweutexjpbvvue.exe ."	cfqwvcs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\crogrkmawlujgjlyzeg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ivqgpggsmzgtoppaz.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sbsejwsaqzclc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crogrkmawlujgjlyzeg.exe"	gncxrwpmqxm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rfbscuvidrznjlmyyc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\evuobwaqofqhglpehosji.exe ."	gncxrwpmqxm.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	gncxrwpmqxm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	gncxrwpmqxm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	gncxrwpmqxm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cfqwvcs.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cfqwvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cfqwvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cfqwvcs.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs

Possible Turn off User Account Control's privilege elevation for standard users.

Executable Installer File Permissions Weakness

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	cfqwvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	cfqwvcs.exe

Looks up external IP address via web service 8 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
67	whatismyip.everdot.org
23	whatismyipaddress.com
29	whatismyip.everdot.org
35	www.showmyipaddress.com
39	whatismyip.everdot.org
40	www.whatismyip.ca
43	whatismyip.everdot.org
66	www.whatismyip.ca

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\bnhweutexjpbvvue.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\ivqgpggsmzgtoppaz.exe	cfqwvcs.exe
File opened for modification	C:\Windows\SysWOW64\pfdwicfurhrhfjmacilb.exe	cfqwvcs.exe
File opened for modification	C:\Windows\SysWOW64\crogrkmawlujgjlyzeg.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\vnniwsxonfrjjpukowbtto.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\evuobwaqofqhglpehosji.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\ivqgpggsmzgtoppaz.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\ivqgpggsmzgtoppaz.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\gbectsauwrgbenvovgojm.bai	cfqwvcs.exe
File opened for modification	C:\Windows\SysWOW64\bnhweutexjpbvvue.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\vnniwsxonfrjjpukowbtto.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\bnhweutexjpbvvue.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\vnniwsxonfrjjpukowbtto.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\evuobwaqofqhglpehosji.exe	cfqwvcs.exe
File opened for modification	C:\Windows\SysWOW64\pfdwicfurhrhfjmacilb.exe	cfqwvcs.exe
File created	C:\Windows\SysWOW64\gbectsauwrgbenvovgojm.bai	cfqwvcs.exe
File opened for modification	C:\Windows\SysWOW64\crogrkmawlujgjlyzeg.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\bnhweutexjpbvvue.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\evuobwaqofqhglpehosji.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\rfbscuvidrznjlmyyc.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\evuobwaqofqhglpehosji.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\crogrkmawlujgjlyzeg.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\pfdwicfurhrhfjmacilb.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\evuobwaqofqhglpehosji.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\rfbscuvidrznjlmyyc.exe	cfqwvcs.exe
File opened for modification	C:\Windows\SysWOW64\bnhweutexjpbvvue.exe	cfqwvcs.exe
File opened for modification	C:\Windows\SysWOW64\crogrkmawlujgjlyzeg.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\bnhweutexjpbvvue.exe	cfqwvcs.exe
File opened for modification	C:\Windows\SysWOW64\crogrkmawlujgjlyzeg.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\rfbscuvidrznjlmyyc.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\pfdwicfurhrhfjmacilb.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\pfdwicfurhrhfjmacilb.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\crogrkmawlujgjlyzeg.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\vnniwsxonfrjjpukowbtto.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\bnhweutexjpbvvue.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\rfbscuvidrznjlmyyc.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\rfbscuvidrznjlmyyc.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\rfbscuvidrznjlmyyc.exe	cfqwvcs.exe
File opened for modification	C:\Windows\SysWOW64\bhvegqjobhhnbvoskgzftceohmzfflzt.qie	cfqwvcs.exe
File opened for modification	C:\Windows\SysWOW64\vnniwsxonfrjjpukowbtto.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\pfdwicfurhrhfjmacilb.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\rfbscuvidrznjlmyyc.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\rfbscuvidrznjlmyyc.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\vnniwsxonfrjjpukowbtto.exe	cfqwvcs.exe
File opened for modification	C:\Windows\SysWOW64\ivqgpggsmzgtoppaz.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\vnniwsxonfrjjpukowbtto.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\ivqgpggsmzgtoppaz.exe	cfqwvcs.exe
File opened for modification	C:\Windows\SysWOW64\pfdwicfurhrhfjmacilb.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\pfdwicfurhrhfjmacilb.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\crogrkmawlujgjlyzeg.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\vnniwsxonfrjjpukowbtto.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\bnhweutexjpbvvue.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\evuobwaqofqhglpehosji.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\pfdwicfurhrhfjmacilb.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\crogrkmawlujgjlyzeg.exe	cfqwvcs.exe
File opened for modification	C:\Windows\SysWOW64\vnniwsxonfrjjpukowbtto.exe	cfqwvcs.exe
File opened for modification	C:\Windows\SysWOW64\bnhweutexjpbvvue.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\pfdwicfurhrhfjmacilb.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\evuobwaqofqhglpehosji.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\ivqgpggsmzgtoppaz.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\pfdwicfurhrhfjmacilb.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\evuobwaqofqhglpehosji.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\SysWOW64\ivqgpggsmzgtoppaz.exe	gncxrwpmqxm.exe
File created	C:\Windows\SysWOW64\bhvegqjobhhnbvoskgzftceohmzfflzt.qie	cfqwvcs.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\bhvegqjobhhnbvoskgzftceohmzfflzt.qie	cfqwvcs.exe
File opened for modification	C:\Program Files (x86)\gbectsauwrgbenvovgojm.bai	cfqwvcs.exe
File created	C:\Program Files (x86)\gbectsauwrgbenvovgojm.bai	cfqwvcs.exe
File opened for modification	C:\Program Files (x86)\bhvegqjobhhnbvoskgzftceohmzfflzt.qie	cfqwvcs.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\crogrkmawlujgjlyzeg.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\bnhweutexjpbvvue.exe	cfqwvcs.exe
File opened for modification	C:\Windows\rfbscuvidrznjlmyyc.exe	cfqwvcs.exe
File opened for modification	C:\Windows\pfdwicfurhrhfjmacilb.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\bnhweutexjpbvvue.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\ivqgpggsmzgtoppaz.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\crogrkmawlujgjlyzeg.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\evuobwaqofqhglpehosji.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\evuobwaqofqhglpehosji.exe	cfqwvcs.exe
File opened for modification	C:\Windows\crogrkmawlujgjlyzeg.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\bnhweutexjpbvvue.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\vnniwsxonfrjjpukowbtto.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\bnhweutexjpbvvue.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\ivqgpggsmzgtoppaz.exe	cfqwvcs.exe
File opened for modification	C:\Windows\evuobwaqofqhglpehosji.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\pfdwicfurhrhfjmacilb.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\rfbscuvidrznjlmyyc.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\bnhweutexjpbvvue.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\vnniwsxonfrjjpukowbtto.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\vnniwsxonfrjjpukowbtto.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\bnhweutexjpbvvue.exe	cfqwvcs.exe
File opened for modification	C:\Windows\gbectsauwrgbenvovgojm.bai	cfqwvcs.exe
File opened for modification	C:\Windows\vnniwsxonfrjjpukowbtto.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\bnhweutexjpbvvue.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\pfdwicfurhrhfjmacilb.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\pfdwicfurhrhfjmacilb.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\crogrkmawlujgjlyzeg.exe	cfqwvcs.exe
File opened for modification	C:\Windows\vnniwsxonfrjjpukowbtto.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\ivqgpggsmzgtoppaz.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\ivqgpggsmzgtoppaz.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\rfbscuvidrznjlmyyc.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\crogrkmawlujgjlyzeg.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\rfbscuvidrznjlmyyc.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\vnniwsxonfrjjpukowbtto.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\vnniwsxonfrjjpukowbtto.exe	cfqwvcs.exe
File opened for modification	C:\Windows\bhvegqjobhhnbvoskgzftceohmzfflzt.qie	cfqwvcs.exe
File opened for modification	C:\Windows\vnniwsxonfrjjpukowbtto.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\ivqgpggsmzgtoppaz.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\pfdwicfurhrhfjmacilb.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\crogrkmawlujgjlyzeg.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\vnniwsxonfrjjpukowbtto.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\pfdwicfurhrhfjmacilb.exe	cfqwvcs.exe
File opened for modification	C:\Windows\bnhweutexjpbvvue.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\rfbscuvidrznjlmyyc.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\pfdwicfurhrhfjmacilb.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\ivqgpggsmzgtoppaz.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\evuobwaqofqhglpehosji.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\ivqgpggsmzgtoppaz.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\ivqgpggsmzgtoppaz.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\vnniwsxonfrjjpukowbtto.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\rfbscuvidrznjlmyyc.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\pfdwicfurhrhfjmacilb.exe	cfqwvcs.exe
File opened for modification	C:\Windows\bnhweutexjpbvvue.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\evuobwaqofqhglpehosji.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\bnhweutexjpbvvue.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\evuobwaqofqhglpehosji.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\rfbscuvidrznjlmyyc.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\bnhweutexjpbvvue.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\crogrkmawlujgjlyzeg.exe	cfqwvcs.exe
File opened for modification	C:\Windows\rfbscuvidrznjlmyyc.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\crogrkmawlujgjlyzeg.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\evuobwaqofqhglpehosji.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\ivqgpggsmzgtoppaz.exe	gncxrwpmqxm.exe
File opened for modification	C:\Windows\rfbscuvidrznjlmyyc.exe	gncxrwpmqxm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 57 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pfdwicfurhrhfjmacilb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crogrkmawlujgjlyzeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ivqgpggsmzgtoppaz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bnhweutexjpbvvue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crogrkmawlujgjlyzeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cfqwvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	evuobwaqofqhglpehosji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crogrkmawlujgjlyzeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crogrkmawlujgjlyzeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	evuobwaqofqhglpehosji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pfdwicfurhrhfjmacilb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	evuobwaqofqhglpehosji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bnhweutexjpbvvue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ivqgpggsmzgtoppaz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pfdwicfurhrhfjmacilb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ivqgpggsmzgtoppaz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bnhweutexjpbvvue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ivqgpggsmzgtoppaz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ivqgpggsmzgtoppaz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bnhweutexjpbvvue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rfbscuvidrznjlmyyc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rfbscuvidrznjlmyyc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pfdwicfurhrhfjmacilb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ivqgpggsmzgtoppaz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crogrkmawlujgjlyzeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	evuobwaqofqhglpehosji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ivqgpggsmzgtoppaz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rfbscuvidrznjlmyyc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pfdwicfurhrhfjmacilb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bnhweutexjpbvvue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pfdwicfurhrhfjmacilb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	evuobwaqofqhglpehosji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pfdwicfurhrhfjmacilb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	evuobwaqofqhglpehosji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_94de1d6ae38c18d132f69a221ea2407d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bnhweutexjpbvvue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rfbscuvidrznjlmyyc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rfbscuvidrznjlmyyc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crogrkmawlujgjlyzeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pfdwicfurhrhfjmacilb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rfbscuvidrznjlmyyc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crogrkmawlujgjlyzeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pfdwicfurhrhfjmacilb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crogrkmawlujgjlyzeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ivqgpggsmzgtoppaz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crogrkmawlujgjlyzeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pfdwicfurhrhfjmacilb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	evuobwaqofqhglpehosji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bnhweutexjpbvvue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rfbscuvidrznjlmyyc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ivqgpggsmzgtoppaz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gncxrwpmqxm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bnhweutexjpbvvue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pfdwicfurhrhfjmacilb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	evuobwaqofqhglpehosji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crogrkmawlujgjlyzeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bnhweutexjpbvvue.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
5156	JaffaCakes118_94de1d6ae38c18d132f69a221ea2407d.exe
5156	JaffaCakes118_94de1d6ae38c18d132f69a221ea2407d.exe
5156	JaffaCakes118_94de1d6ae38c18d132f69a221ea2407d.exe
5156	JaffaCakes118_94de1d6ae38c18d132f69a221ea2407d.exe
5156	JaffaCakes118_94de1d6ae38c18d132f69a221ea2407d.exe
5156	JaffaCakes118_94de1d6ae38c18d132f69a221ea2407d.exe
5156	JaffaCakes118_94de1d6ae38c18d132f69a221ea2407d.exe
5156	JaffaCakes118_94de1d6ae38c18d132f69a221ea2407d.exe
5156	JaffaCakes118_94de1d6ae38c18d132f69a221ea2407d.exe
5156	JaffaCakes118_94de1d6ae38c18d132f69a221ea2407d.exe
5156	JaffaCakes118_94de1d6ae38c18d132f69a221ea2407d.exe
5156	JaffaCakes118_94de1d6ae38c18d132f69a221ea2407d.exe
5156	JaffaCakes118_94de1d6ae38c18d132f69a221ea2407d.exe
5156	JaffaCakes118_94de1d6ae38c18d132f69a221ea2407d.exe
5156	JaffaCakes118_94de1d6ae38c18d132f69a221ea2407d.exe
5156	JaffaCakes118_94de1d6ae38c18d132f69a221ea2407d.exe
5156	JaffaCakes118_94de1d6ae38c18d132f69a221ea2407d.exe
5156	JaffaCakes118_94de1d6ae38c18d132f69a221ea2407d.exe
5460	cfqwvcs.exe
5460	cfqwvcs.exe
5156	JaffaCakes118_94de1d6ae38c18d132f69a221ea2407d.exe
5156	JaffaCakes118_94de1d6ae38c18d132f69a221ea2407d.exe
5156	JaffaCakes118_94de1d6ae38c18d132f69a221ea2407d.exe
5156	JaffaCakes118_94de1d6ae38c18d132f69a221ea2407d.exe
5156	JaffaCakes118_94de1d6ae38c18d132f69a221ea2407d.exe
5156	JaffaCakes118_94de1d6ae38c18d132f69a221ea2407d.exe
5156	JaffaCakes118_94de1d6ae38c18d132f69a221ea2407d.exe
5156	JaffaCakes118_94de1d6ae38c18d132f69a221ea2407d.exe
5156	JaffaCakes118_94de1d6ae38c18d132f69a221ea2407d.exe
5156	JaffaCakes118_94de1d6ae38c18d132f69a221ea2407d.exe
5156	JaffaCakes118_94de1d6ae38c18d132f69a221ea2407d.exe
5156	JaffaCakes118_94de1d6ae38c18d132f69a221ea2407d.exe
5156	JaffaCakes118_94de1d6ae38c18d132f69a221ea2407d.exe
5156	JaffaCakes118_94de1d6ae38c18d132f69a221ea2407d.exe
5156	JaffaCakes118_94de1d6ae38c18d132f69a221ea2407d.exe
5156	JaffaCakes118_94de1d6ae38c18d132f69a221ea2407d.exe
5156	JaffaCakes118_94de1d6ae38c18d132f69a221ea2407d.exe
5156	JaffaCakes118_94de1d6ae38c18d132f69a221ea2407d.exe
5156	JaffaCakes118_94de1d6ae38c18d132f69a221ea2407d.exe
5156	JaffaCakes118_94de1d6ae38c18d132f69a221ea2407d.exe
5156	JaffaCakes118_94de1d6ae38c18d132f69a221ea2407d.exe
5156	JaffaCakes118_94de1d6ae38c18d132f69a221ea2407d.exe
5156	JaffaCakes118_94de1d6ae38c18d132f69a221ea2407d.exe
5156	JaffaCakes118_94de1d6ae38c18d132f69a221ea2407d.exe
5156	JaffaCakes118_94de1d6ae38c18d132f69a221ea2407d.exe
5156	JaffaCakes118_94de1d6ae38c18d132f69a221ea2407d.exe
5156	JaffaCakes118_94de1d6ae38c18d132f69a221ea2407d.exe
5156	JaffaCakes118_94de1d6ae38c18d132f69a221ea2407d.exe
5156	JaffaCakes118_94de1d6ae38c18d132f69a221ea2407d.exe
5156	JaffaCakes118_94de1d6ae38c18d132f69a221ea2407d.exe
5156	JaffaCakes118_94de1d6ae38c18d132f69a221ea2407d.exe
5156	JaffaCakes118_94de1d6ae38c18d132f69a221ea2407d.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5460	cfqwvcs.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5156 wrote to memory of 2692	5156	JaffaCakes118_94de1d6ae38c18d132f69a221ea2407d.exe	88
PID 5156 wrote to memory of 2692	5156	JaffaCakes118_94de1d6ae38c18d132f69a221ea2407d.exe	88
PID 5156 wrote to memory of 2692	5156	JaffaCakes118_94de1d6ae38c18d132f69a221ea2407d.exe	88
PID 4752 wrote to memory of 5240	4752	cmd.exe	91
PID 4752 wrote to memory of 5240	4752	cmd.exe	91
PID 4752 wrote to memory of 5240	4752	cmd.exe	91
PID 2992 wrote to memory of 1896	2992	cmd.exe	94
PID 2992 wrote to memory of 1896	2992	cmd.exe	94
PID 2992 wrote to memory of 1896	2992	cmd.exe	94
PID 1896 wrote to memory of 4888	1896	crogrkmawlujgjlyzeg.exe	98
PID 1896 wrote to memory of 4888	1896	crogrkmawlujgjlyzeg.exe	98
PID 1896 wrote to memory of 4888	1896	crogrkmawlujgjlyzeg.exe	98
PID 1620 wrote to memory of 3772	1620	cmd.exe	100
PID 1620 wrote to memory of 3772	1620	cmd.exe	100
PID 1620 wrote to memory of 3772	1620	cmd.exe	100
PID 4920 wrote to memory of 3752	4920	cmd.exe	103
PID 4920 wrote to memory of 3752	4920	cmd.exe	103
PID 4920 wrote to memory of 3752	4920	cmd.exe	103
PID 3440 wrote to memory of 1780	3440	cmd.exe	219
PID 3440 wrote to memory of 1780	3440	cmd.exe	219
PID 3440 wrote to memory of 1780	3440	cmd.exe	219
PID 3752 wrote to memory of 4776	3752	crogrkmawlujgjlyzeg.exe	170
PID 3752 wrote to memory of 4776	3752	crogrkmawlujgjlyzeg.exe	170
PID 3752 wrote to memory of 4776	3752	crogrkmawlujgjlyzeg.exe	170
PID 3380 wrote to memory of 3740	3380	cmd.exe	272
PID 3380 wrote to memory of 3740	3380	cmd.exe	272
PID 3380 wrote to memory of 3740	3380	cmd.exe	272
PID 3740 wrote to memory of 60	3740	crogrkmawlujgjlyzeg.exe	114
PID 3740 wrote to memory of 60	3740	crogrkmawlujgjlyzeg.exe	114
PID 3740 wrote to memory of 60	3740	crogrkmawlujgjlyzeg.exe	114
PID 396 wrote to memory of 2788	396	cmd.exe	115
PID 396 wrote to memory of 2788	396	cmd.exe	115
PID 396 wrote to memory of 2788	396	cmd.exe	115
PID 4336 wrote to memory of 1932	4336	cmd.exe	116
PID 4336 wrote to memory of 1932	4336	cmd.exe	116
PID 4336 wrote to memory of 1932	4336	cmd.exe	116
PID 1932 wrote to memory of 4996	1932	crogrkmawlujgjlyzeg.exe	118
PID 1932 wrote to memory of 4996	1932	crogrkmawlujgjlyzeg.exe	118
PID 1932 wrote to memory of 4996	1932	crogrkmawlujgjlyzeg.exe	118
PID 2692 wrote to memory of 5460	2692	gncxrwpmqxm.exe	121
PID 2692 wrote to memory of 5460	2692	gncxrwpmqxm.exe	121
PID 2692 wrote to memory of 5460	2692	gncxrwpmqxm.exe	121
PID 2692 wrote to memory of 5772	2692	gncxrwpmqxm.exe	122
PID 2692 wrote to memory of 5772	2692	gncxrwpmqxm.exe	122
PID 2692 wrote to memory of 5772	2692	gncxrwpmqxm.exe	122
PID 544 wrote to memory of 3748	544	cmd.exe	196
PID 544 wrote to memory of 3748	544	cmd.exe	196
PID 544 wrote to memory of 3748	544	cmd.exe	196
PID 2704 wrote to memory of 5844	2704	cmd.exe	130
PID 2704 wrote to memory of 5844	2704	cmd.exe	130
PID 2704 wrote to memory of 5844	2704	cmd.exe	130
PID 1152 wrote to memory of 4912	1152	cmd.exe	315
PID 1152 wrote to memory of 4912	1152	cmd.exe	315
PID 1152 wrote to memory of 4912	1152	cmd.exe	315
PID 5844 wrote to memory of 6096	5844	ivqgpggsmzgtoppaz.exe	136
PID 5844 wrote to memory of 6096	5844	ivqgpggsmzgtoppaz.exe	136
PID 5844 wrote to memory of 6096	5844	ivqgpggsmzgtoppaz.exe	136
PID 2944 wrote to memory of 5556	2944	cmd.exe	139
PID 2944 wrote to memory of 5556	2944	cmd.exe	139
PID 2944 wrote to memory of 5556	2944	cmd.exe	139
PID 3152 wrote to memory of 4488	3152	cmd.exe	351
PID 3152 wrote to memory of 4488	3152	cmd.exe	351
PID 3152 wrote to memory of 4488	3152	cmd.exe	351
PID 4488 wrote to memory of 1336	4488	rfbscuvidrznjlmyyc.exe	153

System policy modification 1 TTPs 52 IoCs

defense_evasion

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cfqwvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cfqwvcs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	cfqwvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	cfqwvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	cfqwvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cfqwvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cfqwvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	cfqwvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cfqwvcs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	gncxrwpmqxm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	gncxrwpmqxm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cfqwvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	cfqwvcs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	gncxrwpmqxm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	cfqwvcs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	cfqwvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	cfqwvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	gncxrwpmqxm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cfqwvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	cfqwvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	gncxrwpmqxm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	cfqwvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	cfqwvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cfqwvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gncxrwpmqxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cfqwvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	cfqwvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	cfqwvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	cfqwvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cfqwvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	gncxrwpmqxm.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_94de1d6ae38c18d132f69a221ea2407d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_94de1d6ae38c18d132f69a221ea2407d.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5156
- C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
  "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_94de1d6ae38c18d132f69a221ea2407d.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2692
- - C:\Users\Admin\AppData\Local\Temp\cfqwvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\cfqwvcs.exe" "-c:\users\admin\appdata\local\temp\jaffacakes118_94de1d6ae38c18d132f69a221ea2407d.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:5460
- - C:\Users\Admin\AppData\Local\Temp\cfqwvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\cfqwvcs.exe" "-c:\users\admin\appdata\local\temp\jaffacakes118_94de1d6ae38c18d132f69a221ea2407d.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pfdwicfurhrhfjmacilb.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4752
- C:\Windows\pfdwicfurhrhfjmacilb.exe
  pfdwicfurhrhfjmacilb.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crogrkmawlujgjlyzeg.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Windows\crogrkmawlujgjlyzeg.exe
  crogrkmawlujgjlyzeg.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1896
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\crogrkmawlujgjlyzeg.exe*."
    3⤵
    - Executes dropped EXE
    PID:4888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c evuobwaqofqhglpehosji.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\evuobwaqofqhglpehosji.exe
  evuobwaqofqhglpehosji.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crogrkmawlujgjlyzeg.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:4920
- C:\Windows\crogrkmawlujgjlyzeg.exe
  crogrkmawlujgjlyzeg.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3752
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\crogrkmawlujgjlyzeg.exe*."
    3⤵
    - Executes dropped EXE
    PID:4776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3440
- C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:3380
- C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
  C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3740
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\crogrkmawlujgjlyzeg.exe*."
    3⤵
    - Executes dropped EXE
    PID:60

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:396
- C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:4336
- C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
  C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\crogrkmawlujgjlyzeg.exe*."
    3⤵
    - Executes dropped EXE
    PID:4996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crogrkmawlujgjlyzeg.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:544
- C:\Windows\crogrkmawlujgjlyzeg.exe
  crogrkmawlujgjlyzeg.exe
  2⤵
  - Executes dropped EXE
  PID:3748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ivqgpggsmzgtoppaz.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Windows\ivqgpggsmzgtoppaz.exe
  ivqgpggsmzgtoppaz.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5844
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\ivqgpggsmzgtoppaz.exe*."
    3⤵
    - Executes dropped EXE
    PID:6096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c evuobwaqofqhglpehosji.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Windows\evuobwaqofqhglpehosji.exe
  evuobwaqofqhglpehosji.exe
  2⤵
  - Executes dropped EXE
  PID:4912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crogrkmawlujgjlyzeg.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Windows\crogrkmawlujgjlyzeg.exe
  crogrkmawlujgjlyzeg.exe
  2⤵
  - Executes dropped EXE
  PID:5556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rfbscuvidrznjlmyyc.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:3152
- C:\Windows\rfbscuvidrznjlmyyc.exe
  rfbscuvidrznjlmyyc.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4488
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\rfbscuvidrznjlmyyc.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c evuobwaqofqhglpehosji.exe .
1⤵
PID:5936
- C:\Windows\evuobwaqofqhglpehosji.exe
  evuobwaqofqhglpehosji.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1820
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\evuobwaqofqhglpehosji.exe*."
    3⤵
    - Executes dropped EXE
    PID:4992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
1⤵
PID:1544
- C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
  C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
  2⤵
  - Executes dropped EXE
  PID:4716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rfbscuvidrznjlmyyc.exe
1⤵
PID:1520
- C:\Windows\rfbscuvidrznjlmyyc.exe
  rfbscuvidrznjlmyyc.exe
  2⤵
  - Executes dropped EXE
  PID:2276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rfbscuvidrznjlmyyc.exe
1⤵
PID:5204
- C:\Windows\rfbscuvidrznjlmyyc.exe
  rfbscuvidrznjlmyyc.exe
  2⤵
  - Executes dropped EXE
  PID:2572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe .
1⤵
PID:5568
- C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2480
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bnhweutexjpbvvue.exe*."
    3⤵
    - Executes dropped EXE
    PID:5100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bnhweutexjpbvvue.exe .
1⤵
PID:3256
- C:\Windows\bnhweutexjpbvvue.exe
  bnhweutexjpbvvue.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5572
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bnhweutexjpbvvue.exe*."
    3⤵
    - Executes dropped EXE
    PID:2344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
1⤵
PID:5476
- C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
  C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
  2⤵
  - Executes dropped EXE
  PID:4664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe .
1⤵
PID:1592
- C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
  C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3272
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\crogrkmawlujgjlyzeg.exe*."
    3⤵
    - Executes dropped EXE
    PID:5216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
1⤵
PID:1608
- C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
  2⤵
  - Executes dropped EXE
  PID:6004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe .
1⤵
PID:4632
- C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
  C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1084
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\pfdwicfurhrhfjmacilb.exe*."
    3⤵
    - Executes dropped EXE
    PID:2896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
1⤵
PID:4804
- C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
  C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
  2⤵
  - Executes dropped EXE
  PID:1696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe .
1⤵
PID:4828
- C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1044
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\ivqgpggsmzgtoppaz.exe*."
    3⤵
    - Executes dropped EXE
    PID:1524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ivqgpggsmzgtoppaz.exe
1⤵
PID:4776
- C:\Windows\ivqgpggsmzgtoppaz.exe
  ivqgpggsmzgtoppaz.exe
  2⤵
  - Executes dropped EXE
  PID:5172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ivqgpggsmzgtoppaz.exe .
1⤵
PID:3456
- C:\Windows\ivqgpggsmzgtoppaz.exe
  ivqgpggsmzgtoppaz.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5428
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\ivqgpggsmzgtoppaz.exe*."
    3⤵
    - Executes dropped EXE
    PID:720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c evuobwaqofqhglpehosji.exe
1⤵
PID:4232
- C:\Windows\evuobwaqofqhglpehosji.exe
  evuobwaqofqhglpehosji.exe
  2⤵
  - Executes dropped EXE
  PID:5068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pfdwicfurhrhfjmacilb.exe .
1⤵
PID:2224
- C:\Windows\pfdwicfurhrhfjmacilb.exe
  pfdwicfurhrhfjmacilb.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1224
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\pfdwicfurhrhfjmacilb.exe*."
    3⤵
    - Executes dropped EXE
    PID:2272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
1⤵
PID:1660
- C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
  2⤵
  - Executes dropped EXE
  PID:876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe .
1⤵
PID:2456
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3748
- C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1772
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\ivqgpggsmzgtoppaz.exe*."
    3⤵
    - Executes dropped EXE
    PID:2912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
1⤵
PID:4984
- C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
  C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
  2⤵
  - Executes dropped EXE
  PID:852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe .
1⤵
PID:5332
- C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:232
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bnhweutexjpbvvue.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crogrkmawlujgjlyzeg.exe
1⤵
PID:5452
- C:\Windows\crogrkmawlujgjlyzeg.exe
  crogrkmawlujgjlyzeg.exe
  2⤵
  - Executes dropped EXE
  PID:4652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c evuobwaqofqhglpehosji.exe .
1⤵
PID:760
- C:\Windows\evuobwaqofqhglpehosji.exe
  evuobwaqofqhglpehosji.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5964
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\evuobwaqofqhglpehosji.exe*."
    3⤵
    - Executes dropped EXE
    PID:1576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bnhweutexjpbvvue.exe
1⤵
PID:1444
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1780
- C:\Windows\bnhweutexjpbvvue.exe
  bnhweutexjpbvvue.exe
  2⤵
  - Executes dropped EXE
  PID:4028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bnhweutexjpbvvue.exe
1⤵
PID:5848
- C:\Windows\bnhweutexjpbvvue.exe
  bnhweutexjpbvvue.exe
  2⤵
  - Executes dropped EXE
  PID:3084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rfbscuvidrznjlmyyc.exe .
1⤵
PID:1820
- C:\Windows\rfbscuvidrznjlmyyc.exe
  rfbscuvidrznjlmyyc.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4632
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\rfbscuvidrznjlmyyc.exe*."
    3⤵
    PID:6056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bnhweutexjpbvvue.exe
1⤵
PID:4992
- C:\Windows\bnhweutexjpbvvue.exe
  bnhweutexjpbvvue.exe
  2⤵
  - Executes dropped EXE
  PID:5516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crogrkmawlujgjlyzeg.exe .
1⤵
PID:392
- C:\Windows\crogrkmawlujgjlyzeg.exe
  crogrkmawlujgjlyzeg.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2980
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\crogrkmawlujgjlyzeg.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
1⤵
PID:312
- C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
  2⤵
  - Executes dropped EXE
  PID:3320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crogrkmawlujgjlyzeg.exe
1⤵
PID:2620
- C:\Windows\crogrkmawlujgjlyzeg.exe
  crogrkmawlujgjlyzeg.exe
  2⤵
  - Executes dropped EXE
  PID:2932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crogrkmawlujgjlyzeg.exe .
1⤵
PID:4860
- C:\Windows\crogrkmawlujgjlyzeg.exe
  crogrkmawlujgjlyzeg.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2436
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\crogrkmawlujgjlyzeg.exe*."
    3⤵
    PID:1384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe .
1⤵
PID:4916
- C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2948
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\rfbscuvidrznjlmyyc.exe*."
    3⤵
    PID:6092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rfbscuvidrznjlmyyc.exe .
1⤵
PID:2180
- C:\Windows\rfbscuvidrznjlmyyc.exe
  rfbscuvidrznjlmyyc.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2496
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\rfbscuvidrznjlmyyc.exe*."
    3⤵
    PID:6132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe
1⤵
PID:1672
- C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rfbscuvidrznjlmyyc.exe
1⤵
PID:1040
- C:\Windows\rfbscuvidrznjlmyyc.exe
  rfbscuvidrznjlmyyc.exe
  2⤵
  PID:4444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe .
1⤵
PID:2920
- C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe
  C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2240
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\evuobwaqofqhglpehosji.exe*."
    3⤵
    PID:4440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ivqgpggsmzgtoppaz.exe .
1⤵
PID:5384
- C:\Windows\ivqgpggsmzgtoppaz.exe
  ivqgpggsmzgtoppaz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3764
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\ivqgpggsmzgtoppaz.exe*."
    3⤵
    PID:1620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
1⤵
PID:5960
- C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
  C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
  2⤵
  PID:3996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
1⤵
PID:4804
- C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
  2⤵
  PID:2456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe .
1⤵
PID:4516
- C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
  C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2924
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\pfdwicfurhrhfjmacilb.exe*."
    3⤵
    PID:1584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe .
1⤵
PID:4720
- C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
  C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1080
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\pfdwicfurhrhfjmacilb.exe*."
    3⤵
    PID:5192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
1⤵
PID:5184
- C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
  C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
  2⤵
  PID:5000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe .
1⤵
PID:4064
- C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
  C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4964
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\pfdwicfurhrhfjmacilb.exe*."
    3⤵
    PID:4816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
1⤵
PID:2992
- C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
  C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
  2⤵
  PID:2692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe .
1⤵
PID:5068
- C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe
  C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4268
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\evuobwaqofqhglpehosji.exe*."
    3⤵
    PID:4744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ivqgpggsmzgtoppaz.exe
1⤵
PID:4496
- C:\Windows\ivqgpggsmzgtoppaz.exe
  ivqgpggsmzgtoppaz.exe
  2⤵
  PID:4244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bnhweutexjpbvvue.exe .
1⤵
PID:1712
- C:\Windows\bnhweutexjpbvvue.exe
  bnhweutexjpbvvue.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4556
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bnhweutexjpbvvue.exe*."
    3⤵
    PID:4504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ivqgpggsmzgtoppaz.exe
1⤵
PID:464
- C:\Windows\ivqgpggsmzgtoppaz.exe
  ivqgpggsmzgtoppaz.exe
  2⤵
  PID:2032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pfdwicfurhrhfjmacilb.exe .
1⤵
PID:336
- C:\Windows\pfdwicfurhrhfjmacilb.exe
  pfdwicfurhrhfjmacilb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4992
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\pfdwicfurhrhfjmacilb.exe*."
    3⤵
    PID:404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
1⤵
PID:3316
- C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
  2⤵
  PID:2704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe .
1⤵
PID:4852
- C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4912
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\ivqgpggsmzgtoppaz.exe*."
    3⤵
    PID:3440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
1⤵
PID:5420
- C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
  C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
  2⤵
  PID:3996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe .
1⤵
PID:5112
- C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4444
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\rfbscuvidrznjlmyyc.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bnhweutexjpbvvue.exe
1⤵
PID:1384
- C:\Windows\bnhweutexjpbvvue.exe
  bnhweutexjpbvvue.exe
  2⤵
  PID:3680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c evuobwaqofqhglpehosji.exe .
1⤵
PID:2948
- C:\Windows\evuobwaqofqhglpehosji.exe
  evuobwaqofqhglpehosji.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2424
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\evuobwaqofqhglpehosji.exe*."
    3⤵
    PID:4860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pfdwicfurhrhfjmacilb.exe
1⤵
PID:4800
- C:\Windows\pfdwicfurhrhfjmacilb.exe
  pfdwicfurhrhfjmacilb.exe
  2⤵
  PID:5568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pfdwicfurhrhfjmacilb.exe .
1⤵
PID:1432
- C:\Windows\pfdwicfurhrhfjmacilb.exe
  pfdwicfurhrhfjmacilb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1916
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\pfdwicfurhrhfjmacilb.exe*."
    3⤵
    PID:412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
1⤵
PID:5044
- C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
  C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
  2⤵
  PID:928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe .
1⤵
PID:2944
- C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
  C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2880
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\crogrkmawlujgjlyzeg.exe*."
    3⤵
    PID:5812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
1⤵
PID:5456
- C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
  C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
  2⤵
  PID:4488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe .
1⤵
PID:1080
- C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5884
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bnhweutexjpbvvue.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crogrkmawlujgjlyzeg.exe
1⤵
PID:3044
- C:\Windows\crogrkmawlujgjlyzeg.exe
  crogrkmawlujgjlyzeg.exe
  2⤵
  PID:1612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crogrkmawlujgjlyzeg.exe .
1⤵
PID:3612
- C:\Windows\crogrkmawlujgjlyzeg.exe
  crogrkmawlujgjlyzeg.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3816
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\crogrkmawlujgjlyzeg.exe*."
    3⤵
    PID:1708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rfbscuvidrznjlmyyc.exe
1⤵
PID:4908
- C:\Windows\rfbscuvidrznjlmyyc.exe
  rfbscuvidrznjlmyyc.exe
  2⤵
  PID:5244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pfdwicfurhrhfjmacilb.exe .
1⤵
PID:4588
- C:\Windows\pfdwicfurhrhfjmacilb.exe
  pfdwicfurhrhfjmacilb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3800
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\pfdwicfurhrhfjmacilb.exe*."
    3⤵
    PID:60

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe
1⤵
PID:5776
- C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe
  2⤵
  PID:4684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe .
1⤵
PID:4400
- C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe
  C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1504
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\evuobwaqofqhglpehosji.exe*."
    3⤵
    PID:1780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe
1⤵
PID:1892
- C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe
  C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe
  2⤵
  PID:3572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe .
1⤵
PID:2632
- C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
  C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3284
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\pfdwicfurhrhfjmacilb.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pfdwicfurhrhfjmacilb.exe
1⤵
PID:5708
- C:\Windows\pfdwicfurhrhfjmacilb.exe
  pfdwicfurhrhfjmacilb.exe
  2⤵
  PID:6020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rfbscuvidrznjlmyyc.exe .
1⤵
PID:1444
- C:\Windows\rfbscuvidrznjlmyyc.exe
  rfbscuvidrznjlmyyc.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1972
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\rfbscuvidrznjlmyyc.exe*."
    3⤵
    PID:2516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pfdwicfurhrhfjmacilb.exe
1⤵
PID:944
- C:\Windows\pfdwicfurhrhfjmacilb.exe
  pfdwicfurhrhfjmacilb.exe
  2⤵
  PID:1516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crogrkmawlujgjlyzeg.exe .
1⤵
PID:5880
- C:\Windows\crogrkmawlujgjlyzeg.exe
  crogrkmawlujgjlyzeg.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1420
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\crogrkmawlujgjlyzeg.exe*."
    3⤵
    PID:1128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
1⤵
PID:1140
- C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
  C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
  2⤵
  PID:4456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe .
1⤵
PID:3644
- C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe
  C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2604
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\evuobwaqofqhglpehosji.exe*."
    3⤵
    PID:5908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
1⤵
PID:2060
- C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
  2⤵
  PID:2424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe .
1⤵
PID:2468
- C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5524
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\ivqgpggsmzgtoppaz.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c evuobwaqofqhglpehosji.exe
1⤵
PID:5868
- C:\Windows\evuobwaqofqhglpehosji.exe
  evuobwaqofqhglpehosji.exe
  2⤵
  PID:5572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bnhweutexjpbvvue.exe .
1⤵
PID:920
- C:\Windows\bnhweutexjpbvvue.exe
  bnhweutexjpbvvue.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3380
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bnhweutexjpbvvue.exe*."
    3⤵
    PID:1472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bnhweutexjpbvvue.exe
1⤵
PID:5440
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4652
- C:\Windows\bnhweutexjpbvvue.exe
  bnhweutexjpbvvue.exe
  2⤵
  PID:5576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ivqgpggsmzgtoppaz.exe .
1⤵
PID:5116
- C:\Windows\ivqgpggsmzgtoppaz.exe
  ivqgpggsmzgtoppaz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1824
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\ivqgpggsmzgtoppaz.exe*."
    3⤵
    PID:1896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
1⤵
PID:4712
- C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
  2⤵
  PID:3480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe .
1⤵
PID:1028
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5516
- C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1332
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bnhweutexjpbvvue.exe*."
    3⤵
    PID:1344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
1⤵
PID:1612
- C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
  C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
  2⤵
  PID:5236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe .
1⤵
PID:2896
- C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4576
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bnhweutexjpbvvue.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c evuobwaqofqhglpehosji.exe
1⤵
PID:1836
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3816
- C:\Windows\evuobwaqofqhglpehosji.exe
  evuobwaqofqhglpehosji.exe
  2⤵
  PID:5556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pfdwicfurhrhfjmacilb.exe .
1⤵
PID:1608
- C:\Windows\pfdwicfurhrhfjmacilb.exe
  pfdwicfurhrhfjmacilb.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3524
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\pfdwicfurhrhfjmacilb.exe*."
    3⤵
    PID:5476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c evuobwaqofqhglpehosji.exe
1⤵
PID:4516
- C:\Windows\evuobwaqofqhglpehosji.exe
  evuobwaqofqhglpehosji.exe
  2⤵
  PID:3268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rfbscuvidrznjlmyyc.exe
1⤵
PID:4920
- C:\Windows\rfbscuvidrznjlmyyc.exe
  rfbscuvidrznjlmyyc.exe
  2⤵
  PID:2704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bnhweutexjpbvvue.exe
1⤵
PID:2640
- C:\Windows\bnhweutexjpbvvue.exe
  bnhweutexjpbvvue.exe
  2⤵
  PID:1272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pfdwicfurhrhfjmacilb.exe .
1⤵
PID:3000
- C:\Windows\pfdwicfurhrhfjmacilb.exe
  pfdwicfurhrhfjmacilb.exe .
  2⤵
  PID:2244
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\pfdwicfurhrhfjmacilb.exe*."
    3⤵
    PID:2848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crogrkmawlujgjlyzeg.exe .
1⤵
PID:984
- C:\Windows\crogrkmawlujgjlyzeg.exe
  crogrkmawlujgjlyzeg.exe .
  2⤵
  PID:2608
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\crogrkmawlujgjlyzeg.exe*."
    3⤵
    PID:4884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rfbscuvidrznjlmyyc.exe .
1⤵
PID:536
- C:\Windows\rfbscuvidrznjlmyyc.exe
  rfbscuvidrznjlmyyc.exe .
  2⤵
  PID:2520
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\rfbscuvidrznjlmyyc.exe*."
    3⤵
    PID:3900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
1⤵
PID:2952
- C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
  2⤵
  PID:5676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bnhweutexjpbvvue.exe
1⤵
PID:2512
- C:\Windows\bnhweutexjpbvvue.exe
  bnhweutexjpbvvue.exe
  2⤵
  PID:1384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe .
1⤵
PID:3636
- C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe .
  2⤵
  PID:4668
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bnhweutexjpbvvue.exe*."
    3⤵
    PID:1324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pfdwicfurhrhfjmacilb.exe
1⤵
PID:6040
- C:\Windows\pfdwicfurhrhfjmacilb.exe
  pfdwicfurhrhfjmacilb.exe
  2⤵
  PID:5524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rfbscuvidrznjlmyyc.exe .
1⤵
PID:5380
- C:\Windows\rfbscuvidrznjlmyyc.exe
  rfbscuvidrznjlmyyc.exe .
  2⤵
  PID:3480
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\rfbscuvidrznjlmyyc.exe*."
    3⤵
    PID:4568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crogrkmawlujgjlyzeg.exe .
1⤵
PID:3992
- C:\Windows\crogrkmawlujgjlyzeg.exe
  crogrkmawlujgjlyzeg.exe .
  2⤵
  PID:5388
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\crogrkmawlujgjlyzeg.exe*."
    3⤵
    PID:4804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
1⤵
PID:1444
- C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
  2⤵
  PID:1804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
1⤵
PID:812
- C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
  C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
  2⤵
  PID:5628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe .
1⤵
PID:4560
- C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
  C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe .
  2⤵
  PID:768
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\crogrkmawlujgjlyzeg.exe*."
    3⤵
    PID:4896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe .
1⤵
PID:6012
- C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe .
  2⤵
  PID:1576
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bnhweutexjpbvvue.exe*."
    3⤵
    PID:4404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe
1⤵
PID:2524
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2424
- C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe
  C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe
  2⤵
  PID:4140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe .
1⤵
PID:3996
- C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe .
  2⤵
  PID:1212
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\ivqgpggsmzgtoppaz.exe*."
    3⤵
    PID:4576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
1⤵
PID:3852
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2344
- C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
  C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
  2⤵
  PID:4268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
1⤵
PID:5432
- C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
  2⤵
  PID:5916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe .
1⤵
PID:1164
- C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
  C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe .
  2⤵
  PID:5888
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\pfdwicfurhrhfjmacilb.exe*."
    3⤵
    PID:2428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe .
1⤵
PID:3764
- C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
  C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe .
  2⤵
  PID:5924
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\pfdwicfurhrhfjmacilb.exe*."
    3⤵
    PID:4732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crogrkmawlujgjlyzeg.exe
1⤵
PID:3320
- C:\Windows\crogrkmawlujgjlyzeg.exe
  crogrkmawlujgjlyzeg.exe
  2⤵
  PID:4632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ivqgpggsmzgtoppaz.exe .
1⤵
PID:3396
- C:\Windows\ivqgpggsmzgtoppaz.exe
  ivqgpggsmzgtoppaz.exe .
  2⤵
  PID:5684
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\ivqgpggsmzgtoppaz.exe*."
    3⤵
    PID:1524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bnhweutexjpbvvue.exe
1⤵
PID:5708
- C:\Windows\bnhweutexjpbvvue.exe
  bnhweutexjpbvvue.exe
  2⤵
  PID:1128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pfdwicfurhrhfjmacilb.exe .
1⤵
PID:5804
- C:\Windows\pfdwicfurhrhfjmacilb.exe
  pfdwicfurhrhfjmacilb.exe .
  2⤵
  PID:1516
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\pfdwicfurhrhfjmacilb.exe*."
    3⤵
    PID:5208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe
1⤵
PID:5092
- C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe
  C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe
  2⤵
  PID:3680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe .
1⤵
PID:4052
- C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe .
  2⤵
  PID:5340
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\rfbscuvidrznjlmyyc.exe*."
    3⤵
    PID:2608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe
1⤵
PID:4072
- C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe
  2⤵
  PID:920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe .
1⤵
PID:5836
- C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe .
  2⤵
  PID:6040
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bnhweutexjpbvvue.exe*."
    3⤵
    PID:5184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pfdwicfurhrhfjmacilb.exe
1⤵
PID:3828
- C:\Windows\pfdwicfurhrhfjmacilb.exe
  pfdwicfurhrhfjmacilb.exe
  2⤵
  PID:2664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crogrkmawlujgjlyzeg.exe .
1⤵
PID:4224
- C:\Windows\crogrkmawlujgjlyzeg.exe
  crogrkmawlujgjlyzeg.exe .
  2⤵
  PID:4900
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\crogrkmawlujgjlyzeg.exe*."
    3⤵
    PID:4488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rfbscuvidrznjlmyyc.exe
1⤵
PID:5456
- C:\Windows\rfbscuvidrznjlmyyc.exe
  rfbscuvidrznjlmyyc.exe
  2⤵
  PID:5916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pfdwicfurhrhfjmacilb.exe .
1⤵
PID:872
- C:\Windows\pfdwicfurhrhfjmacilb.exe
  pfdwicfurhrhfjmacilb.exe .
  2⤵
  PID:2132
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\pfdwicfurhrhfjmacilb.exe*."
    3⤵
    PID:2316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe
1⤵
PID:3744
- C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe
  C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe
  2⤵
  PID:3748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe .
1⤵
PID:4076
- C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe .
  2⤵
  PID:3956
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\rfbscuvidrznjlmyyc.exe*."
    3⤵
    PID:4804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
1⤵
PID:5244
- C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
  C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
  2⤵
  PID:636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe .
1⤵
PID:3424
- C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
  C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe .
  2⤵
  PID:5076
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\crogrkmawlujgjlyzeg.exe*."
    3⤵
    PID:3612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rfbscuvidrznjlmyyc.exe
1⤵
PID:5204
- C:\Windows\rfbscuvidrznjlmyyc.exe
  rfbscuvidrznjlmyyc.exe
  2⤵
  PID:3852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c evuobwaqofqhglpehosji.exe .
1⤵
PID:1828
- C:\Windows\evuobwaqofqhglpehosji.exe
  evuobwaqofqhglpehosji.exe .
  2⤵
  PID:4048
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\evuobwaqofqhglpehosji.exe*."
    3⤵
    PID:5056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c evuobwaqofqhglpehosji.exe
1⤵
PID:4560
- C:\Windows\evuobwaqofqhglpehosji.exe
  evuobwaqofqhglpehosji.exe
  2⤵
  PID:4360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rfbscuvidrznjlmyyc.exe .
1⤵
PID:1692
- C:\Windows\rfbscuvidrznjlmyyc.exe
  rfbscuvidrznjlmyyc.exe .
  2⤵
  PID:3764
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\rfbscuvidrznjlmyyc.exe*."
    3⤵
    PID:2428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
1⤵
PID:5380
- C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
  2⤵
  PID:2704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe .
1⤵
PID:4776
- C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
  C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe .
  2⤵
  PID:6036
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\crogrkmawlujgjlyzeg.exe*."
    3⤵
    PID:3284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe
1⤵
PID:5920
- C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe
  2⤵
  PID:3728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe .
1⤵
PID:5844
- C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe .
  2⤵
  PID:1492
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bnhweutexjpbvvue.exe*."
    3⤵
    PID:3396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bnhweutexjpbvvue.exe
1⤵
PID:1808
- C:\Windows\bnhweutexjpbvvue.exe
  bnhweutexjpbvvue.exe
  2⤵
  PID:2372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pfdwicfurhrhfjmacilb.exe .
1⤵
PID:2876
- C:\Windows\pfdwicfurhrhfjmacilb.exe
  pfdwicfurhrhfjmacilb.exe .
  2⤵
  PID:880
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\pfdwicfurhrhfjmacilb.exe*."
    3⤵
    PID:5900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pfdwicfurhrhfjmacilb.exe
1⤵
PID:760
- C:\Windows\pfdwicfurhrhfjmacilb.exe
  pfdwicfurhrhfjmacilb.exe
  2⤵
  PID:1324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ivqgpggsmzgtoppaz.exe .
1⤵
PID:2240
- C:\Windows\ivqgpggsmzgtoppaz.exe
  ivqgpggsmzgtoppaz.exe .
  2⤵
  PID:3300
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\ivqgpggsmzgtoppaz.exe*."
    3⤵
    PID:4796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
1⤵
PID:6040
- C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
  2⤵
  PID:2016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe .
1⤵
PID:1976
- C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
  C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe .
  2⤵
  PID:628
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\crogrkmawlujgjlyzeg.exe*."
    3⤵
    PID:5628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
1⤵
PID:5500
- C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
  C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
  2⤵
  PID:3152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe .
1⤵
PID:1804
- C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe .
  2⤵
  PID:836
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\ivqgpggsmzgtoppaz.exe*."
    3⤵
    PID:388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c evuobwaqofqhglpehosji.exe
1⤵
PID:5452
- C:\Windows\evuobwaqofqhglpehosji.exe
  evuobwaqofqhglpehosji.exe
  2⤵
  PID:5932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c evuobwaqofqhglpehosji.exe .
1⤵
PID:2924
- C:\Windows\evuobwaqofqhglpehosji.exe
  evuobwaqofqhglpehosji.exe .
  2⤵
  PID:4704
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\evuobwaqofqhglpehosji.exe*."
    3⤵
    PID:2536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bnhweutexjpbvvue.exe
1⤵
PID:3956
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1332
- C:\Windows\bnhweutexjpbvvue.exe
  bnhweutexjpbvvue.exe
  2⤵
  PID:1028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bnhweutexjpbvvue.exe .
1⤵
PID:636
- C:\Windows\bnhweutexjpbvvue.exe
  bnhweutexjpbvvue.exe .
  2⤵
  PID:5076
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bnhweutexjpbvvue.exe*."
    3⤵
    PID:928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe
1⤵
PID:4496
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4684
- C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe
  2⤵
  PID:2056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe .
1⤵
PID:1344
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4456
- C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
  C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe .
  2⤵
  PID:4732
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\crogrkmawlujgjlyzeg.exe*."
    3⤵
    PID:3572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe
1⤵
PID:5428
- C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe
  C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe
  2⤵
  PID:4068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe .
1⤵
PID:5020
- C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
  C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe .
  2⤵
  PID:6012
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\crogrkmawlujgjlyzeg.exe*."
    3⤵
    PID:1224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crogrkmawlujgjlyzeg.exe
1⤵
PID:1472
- C:\Windows\crogrkmawlujgjlyzeg.exe
  crogrkmawlujgjlyzeg.exe
  2⤵
  PID:4352

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:4632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ivqgpggsmzgtoppaz.exe
1⤵
PID:1772
- C:\Windows\ivqgpggsmzgtoppaz.exe
  ivqgpggsmzgtoppaz.exe
  2⤵
  PID:4828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ivqgpggsmzgtoppaz.exe .
1⤵
PID:1504
- C:\Windows\ivqgpggsmzgtoppaz.exe
  ivqgpggsmzgtoppaz.exe .
  2⤵
  PID:5236
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\ivqgpggsmzgtoppaz.exe*."
    3⤵
    PID:4448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ivqgpggsmzgtoppaz.exe .
1⤵
PID:1544
- C:\Windows\ivqgpggsmzgtoppaz.exe
  ivqgpggsmzgtoppaz.exe .
  2⤵
  PID:1808
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\ivqgpggsmzgtoppaz.exe*."
    3⤵
    PID:2240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rfbscuvidrznjlmyyc.exe
1⤵
PID:1660
- C:\Windows\rfbscuvidrznjlmyyc.exe
  rfbscuvidrznjlmyyc.exe
  2⤵
  PID:1516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crogrkmawlujgjlyzeg.exe .
1⤵
PID:5908
- C:\Windows\crogrkmawlujgjlyzeg.exe
  crogrkmawlujgjlyzeg.exe .
  2⤵
  PID:5512
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\crogrkmawlujgjlyzeg.exe*."
    3⤵
    PID:4588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bnhweutexjpbvvue.exe
1⤵
PID:5604
- C:\Windows\bnhweutexjpbvvue.exe
  bnhweutexjpbvvue.exe
  2⤵
  PID:5532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ivqgpggsmzgtoppaz.exe
1⤵
PID:2848
- C:\Windows\ivqgpggsmzgtoppaz.exe
  ivqgpggsmzgtoppaz.exe
  2⤵
  PID:1204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
1⤵
PID:1048
- C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
  2⤵
  PID:5944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pfdwicfurhrhfjmacilb.exe .
1⤵
PID:1168
- C:\Windows\pfdwicfurhrhfjmacilb.exe
  pfdwicfurhrhfjmacilb.exe .
  2⤵
  PID:4744
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\pfdwicfurhrhfjmacilb.exe*."
    3⤵
    PID:1156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe .
1⤵
PID:4296
- C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe .
  2⤵
  PID:5116
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\ivqgpggsmzgtoppaz.exe*."
    3⤵
    PID:3956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
1⤵
PID:2460
- C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
  2⤵
  PID:2268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pfdwicfurhrhfjmacilb.exe .
1⤵
PID:4176
- C:\Windows\pfdwicfurhrhfjmacilb.exe
  pfdwicfurhrhfjmacilb.exe .
  2⤵
  PID:4576
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\pfdwicfurhrhfjmacilb.exe*."
    3⤵
    PID:5640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe .
1⤵
PID:3984
- C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
  C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe .
  2⤵
  PID:384
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\crogrkmawlujgjlyzeg.exe*."
    3⤵
    PID:5024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pfdwicfurhrhfjmacilb.exe
1⤵
PID:1976
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4244
- C:\Windows\pfdwicfurhrhfjmacilb.exe
  pfdwicfurhrhfjmacilb.exe
  2⤵
  PID:2980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
1⤵
PID:4488
- C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
  2⤵
  PID:5204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c evuobwaqofqhglpehosji.exe .
1⤵
PID:2272
- C:\Windows\evuobwaqofqhglpehosji.exe
  evuobwaqofqhglpehosji.exe .
  2⤵
  PID:312
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\evuobwaqofqhglpehosji.exe*."
    3⤵
    PID:5576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe .
1⤵
PID:2844
- C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe
  C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe .
  2⤵
  PID:5080
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\evuobwaqofqhglpehosji.exe*."
    3⤵
    PID:1828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
1⤵
PID:3748
- C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
  C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
  2⤵
  PID:2872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
1⤵
PID:3888
- C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
  2⤵
  PID:720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe .
1⤵
PID:5856
- C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
  C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe .
  2⤵
  PID:5108
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\crogrkmawlujgjlyzeg.exe*."
    3⤵
    PID:5092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe .
1⤵
PID:5452
- C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
  C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe .
  2⤵
  PID:100
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\pfdwicfurhrhfjmacilb.exe*."
    3⤵
    PID:4968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
1⤵
PID:3340
- C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
  C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
  2⤵
  PID:2480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe .
1⤵
PID:4228
- C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
  C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe .
  2⤵
  PID:232
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\crogrkmawlujgjlyzeg.exe*."
    3⤵
    PID:5284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rfbscuvidrznjlmyyc.exe
1⤵
PID:1836
- C:\Windows\rfbscuvidrznjlmyyc.exe
  rfbscuvidrznjlmyyc.exe
  2⤵
  PID:1892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rfbscuvidrznjlmyyc.exe .
1⤵
PID:5920
- C:\Windows\rfbscuvidrznjlmyyc.exe
  rfbscuvidrznjlmyyc.exe .
  2⤵
  PID:3800
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\rfbscuvidrznjlmyyc.exe*."
    3⤵
    PID:4920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ivqgpggsmzgtoppaz.exe
1⤵
PID:4656
- C:\Windows\ivqgpggsmzgtoppaz.exe
  ivqgpggsmzgtoppaz.exe
  2⤵
  PID:3300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rfbscuvidrznjlmyyc.exe .
1⤵
PID:4272
- C:\Windows\rfbscuvidrznjlmyyc.exe
  rfbscuvidrznjlmyyc.exe .
  2⤵
  PID:6000
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\rfbscuvidrznjlmyyc.exe*."
    3⤵
    PID:1492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
1⤵
PID:5628
- C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
  2⤵
  PID:5848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe .
1⤵
PID:3312
- C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
  C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe .
  2⤵
  PID:2576
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\pfdwicfurhrhfjmacilb.exe*."
    3⤵
    PID:5396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
1⤵
PID:540
- C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
  C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
  2⤵
  PID:2520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe .
1⤵
PID:2372
- C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
  C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe .
  2⤵
  PID:1520
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\pfdwicfurhrhfjmacilb.exe*."
    3⤵
    PID:1484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pfdwicfurhrhfjmacilb.exe
1⤵
PID:4916
- C:\Windows\pfdwicfurhrhfjmacilb.exe
  pfdwicfurhrhfjmacilb.exe
  2⤵
  PID:920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ivqgpggsmzgtoppaz.exe .
1⤵
PID:3484
- C:\Windows\ivqgpggsmzgtoppaz.exe
  ivqgpggsmzgtoppaz.exe .
  2⤵
  PID:4268
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\ivqgpggsmzgtoppaz.exe*."
    3⤵
    PID:4280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c evuobwaqofqhglpehosji.exe
1⤵
PID:768
- C:\Windows\evuobwaqofqhglpehosji.exe
  evuobwaqofqhglpehosji.exe
  2⤵
  PID:3996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rfbscuvidrznjlmyyc.exe .
1⤵
PID:388
- C:\Windows\rfbscuvidrznjlmyyc.exe
  rfbscuvidrznjlmyyc.exe .
  2⤵
  PID:5868
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\rfbscuvidrznjlmyyc.exe*."
    3⤵
    PID:3888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
1⤵
PID:3636
- C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
  C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
  2⤵
  PID:5784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe .
1⤵
PID:4484
- C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
  C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe .
  2⤵
  PID:216
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\pfdwicfurhrhfjmacilb.exe*."
    3⤵
    PID:2272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
1⤵
PID:220
- C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
  2⤵
  PID:2316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe .
1⤵
PID:5448
- C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe .
  2⤵
  PID:1864
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bnhweutexjpbvvue.exe*."
    3⤵
    PID:1592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pfdwicfurhrhfjmacilb.exe
1⤵
PID:5092
- C:\Windows\pfdwicfurhrhfjmacilb.exe
  pfdwicfurhrhfjmacilb.exe
  2⤵
  PID:928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rfbscuvidrznjlmyyc.exe .
1⤵
PID:5856
- C:\Windows\rfbscuvidrznjlmyyc.exe
  rfbscuvidrznjlmyyc.exe .
  2⤵
  PID:780
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\rfbscuvidrznjlmyyc.exe*."
    3⤵
    PID:3300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crogrkmawlujgjlyzeg.exe
1⤵
PID:5336
- C:\Windows\crogrkmawlujgjlyzeg.exe
  crogrkmawlujgjlyzeg.exe
  2⤵
  PID:4468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pfdwicfurhrhfjmacilb.exe .
1⤵
PID:4828
- C:\Windows\pfdwicfurhrhfjmacilb.exe
  pfdwicfurhrhfjmacilb.exe .
  2⤵
  PID:384
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\pfdwicfurhrhfjmacilb.exe*."
    3⤵
    PID:3828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe
1⤵
PID:2708
- C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe
  2⤵
  PID:1544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe .
1⤵
PID:1936
- C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe .
  2⤵
  PID:5944
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bnhweutexjpbvvue.exe*."
    3⤵
    PID:2696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
1⤵
PID:4964
- C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
  C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
  2⤵
  PID:3788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe .
1⤵
PID:5584
- C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
  C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe .
  2⤵
  PID:5532
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\crogrkmawlujgjlyzeg.exe*."
    3⤵
    PID:5676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ivqgpggsmzgtoppaz.exe
1⤵
PID:2432
- C:\Windows\ivqgpggsmzgtoppaz.exe
  ivqgpggsmzgtoppaz.exe
  2⤵
  PID:5312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rfbscuvidrznjlmyyc.exe .
1⤵
PID:6120
- C:\Windows\rfbscuvidrznjlmyyc.exe
  rfbscuvidrznjlmyyc.exe .
  2⤵
  PID:1496
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\rfbscuvidrznjlmyyc.exe*."
    3⤵
    PID:5872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rfbscuvidrznjlmyyc.exe
1⤵
PID:4080
- C:\Windows\rfbscuvidrznjlmyyc.exe
  rfbscuvidrznjlmyyc.exe
  2⤵
  PID:5192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rfbscuvidrznjlmyyc.exe .
1⤵
PID:5068
- C:\Windows\rfbscuvidrznjlmyyc.exe
  rfbscuvidrznjlmyyc.exe .
  2⤵
  PID:1384
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\rfbscuvidrznjlmyyc.exe*."
    3⤵
    PID:5048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
1⤵
PID:1272
- C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
  C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
  2⤵
  PID:6064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe .
1⤵
PID:5256
- C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe
  C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe .
  2⤵
  PID:3748
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\evuobwaqofqhglpehosji.exe*."
    3⤵
    PID:5432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
1⤵
PID:4608
- C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
  2⤵
  PID:4860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe .
1⤵
PID:5228
- C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
  C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe .
  2⤵
  PID:100
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\pfdwicfurhrhfjmacilb.exe*."
    3⤵
    PID:4048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c evuobwaqofqhglpehosji.exe
1⤵
PID:2924
- C:\Windows\evuobwaqofqhglpehosji.exe
  evuobwaqofqhglpehosji.exe
  2⤵
  PID:2272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bnhweutexjpbvvue.exe .
1⤵
PID:4484
- C:\Windows\bnhweutexjpbvvue.exe
  bnhweutexjpbvvue.exe .
  2⤵
  PID:1892
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bnhweutexjpbvvue.exe*."
    3⤵
    PID:4444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rfbscuvidrznjlmyyc.exe
1⤵
PID:548
- C:\Windows\rfbscuvidrznjlmyyc.exe
  rfbscuvidrznjlmyyc.exe
  2⤵
  PID:1748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pfdwicfurhrhfjmacilb.exe .
1⤵
PID:5880
- C:\Windows\pfdwicfurhrhfjmacilb.exe
  pfdwicfurhrhfjmacilb.exe .
  2⤵
  PID:5284
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\pfdwicfurhrhfjmacilb.exe*."
    3⤵
    PID:780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
1⤵
PID:4504
- C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
  C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
  2⤵
  PID:5776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe .
1⤵
PID:5316
- C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe .
  2⤵
  PID:4152
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\rfbscuvidrznjlmyyc.exe*."
    3⤵
    PID:2640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
1⤵
PID:2244
- C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
  C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
  2⤵
  PID:2916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe .
1⤵
PID:2304
- C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe .
  2⤵
  PID:4596
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\ivqgpggsmzgtoppaz.exe*."
    3⤵
    PID:3084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c evuobwaqofqhglpehosji.exe
1⤵
PID:3680
- C:\Windows\evuobwaqofqhglpehosji.exe
  evuobwaqofqhglpehosji.exe
  2⤵
  PID:4272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rfbscuvidrznjlmyyc.exe
1⤵
PID:536
- C:\Windows\rfbscuvidrznjlmyyc.exe
  rfbscuvidrznjlmyyc.exe
  2⤵
  PID:2620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crogrkmawlujgjlyzeg.exe .
1⤵
PID:6072
- C:\Windows\crogrkmawlujgjlyzeg.exe
  crogrkmawlujgjlyzeg.exe .
  2⤵
  PID:5532
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\crogrkmawlujgjlyzeg.exe*."
    3⤵
    PID:5692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crogrkmawlujgjlyzeg.exe .
1⤵
PID:952
- C:\Windows\crogrkmawlujgjlyzeg.exe
  crogrkmawlujgjlyzeg.exe .
  2⤵
  PID:2552
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\crogrkmawlujgjlyzeg.exe*."
    3⤵
    PID:2036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pfdwicfurhrhfjmacilb.exe
1⤵
PID:4912
- C:\Windows\pfdwicfurhrhfjmacilb.exe
  pfdwicfurhrhfjmacilb.exe
  2⤵
  PID:4668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crogrkmawlujgjlyzeg.exe
1⤵
PID:1468
- C:\Windows\crogrkmawlujgjlyzeg.exe
  crogrkmawlujgjlyzeg.exe
  2⤵
  PID:976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ivqgpggsmzgtoppaz.exe .
1⤵
PID:5172
- C:\Windows\ivqgpggsmzgtoppaz.exe
  ivqgpggsmzgtoppaz.exe .
  2⤵
  PID:2480
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\ivqgpggsmzgtoppaz.exe*."
    3⤵
    PID:1140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pfdwicfurhrhfjmacilb.exe .
1⤵
PID:1712
- C:\Windows\pfdwicfurhrhfjmacilb.exe
  pfdwicfurhrhfjmacilb.exe .
  2⤵
  PID:2148
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\pfdwicfurhrhfjmacilb.exe*."
    3⤵
    PID:1484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
1⤵
PID:5872
- C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
  C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
  2⤵
  PID:3520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
1⤵
PID:4080
- C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
  2⤵
  PID:4280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rfbscuvidrznjlmyyc.exe
1⤵
PID:1944
- C:\Windows\rfbscuvidrznjlmyyc.exe
  rfbscuvidrznjlmyyc.exe
  2⤵
  PID:2132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe .
1⤵
PID:4400
- C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
  C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe .
  2⤵
  PID:6092
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\crogrkmawlujgjlyzeg.exe*."
    3⤵
    PID:4840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe .
1⤵
PID:5724
- C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe .
  2⤵
  PID:3316
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bnhweutexjpbvvue.exe*."
    3⤵
    PID:1864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bnhweutexjpbvvue.exe .
1⤵
PID:5404
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3996
- C:\Windows\bnhweutexjpbvvue.exe
  bnhweutexjpbvvue.exe .
  2⤵
  PID:4448
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bnhweutexjpbvvue.exe*."
    3⤵
    PID:1572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
1⤵
PID:3120
- C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
  2⤵
  PID:5672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
1⤵
PID:3732
- C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
  C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
  2⤵
  PID:4704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ivqgpggsmzgtoppaz.exe
1⤵
PID:6016
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1896
- C:\Windows\ivqgpggsmzgtoppaz.exe
  ivqgpggsmzgtoppaz.exe
  2⤵
  PID:1516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe .
1⤵
PID:312
- C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
  C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe .
  2⤵
  PID:3712
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\crogrkmawlujgjlyzeg.exe*."
    3⤵
    PID:3648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe .
1⤵
PID:528
- C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe .
  2⤵
  PID:5316
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\rfbscuvidrznjlmyyc.exe*."
    3⤵
    PID:392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pfdwicfurhrhfjmacilb.exe .
1⤵
PID:4992
- C:\Windows\pfdwicfurhrhfjmacilb.exe
  pfdwicfurhrhfjmacilb.exe .
  2⤵
  PID:3300
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\pfdwicfurhrhfjmacilb.exe*."
    3⤵
    PID:872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe
1⤵
PID:1672
- C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe
  C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe
  2⤵
  PID:4320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe .
1⤵
PID:232
- C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe
  C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe .
  2⤵
  PID:384
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\evuobwaqofqhglpehosji.exe*."
    3⤵
    PID:1288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe
1⤵
PID:4504
- C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe
  2⤵
  PID:2988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe .
1⤵
PID:5092
- C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe .
  2⤵
  PID:4652
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\rfbscuvidrznjlmyyc.exe*."
    3⤵
    PID:5216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pfdwicfurhrhfjmacilb.exe
1⤵
PID:1204
- C:\Windows\pfdwicfurhrhfjmacilb.exe
  pfdwicfurhrhfjmacilb.exe
  2⤵
  PID:4624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bnhweutexjpbvvue.exe .
1⤵
PID:2848
- C:\Windows\bnhweutexjpbvvue.exe
  bnhweutexjpbvvue.exe .
  2⤵
  PID:4884
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bnhweutexjpbvvue.exe*."
    3⤵
    PID:6048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pfdwicfurhrhfjmacilb.exe
1⤵
PID:5048
- C:\Windows\pfdwicfurhrhfjmacilb.exe
  pfdwicfurhrhfjmacilb.exe
  2⤵
  PID:880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crogrkmawlujgjlyzeg.exe .
1⤵
PID:1416
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4964
- C:\Windows\crogrkmawlujgjlyzeg.exe
  crogrkmawlujgjlyzeg.exe .
  2⤵
  PID:1224
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\crogrkmawlujgjlyzeg.exe*."
    3⤵
    PID:1168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
1⤵
PID:3608
- C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
  C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
  2⤵
  PID:4180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe .
1⤵
PID:1468
- C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe .
  2⤵
  PID:5228
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\ivqgpggsmzgtoppaz.exe*."
    3⤵
    PID:2496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe
1⤵
PID:3340
- C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe
  2⤵
  PID:3084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe .
1⤵
PID:2948
- C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe .
  2⤵
  PID:844
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\rfbscuvidrznjlmyyc.exe*."
    3⤵
    PID:4488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rfbscuvidrznjlmyyc.exe
1⤵
PID:5572
- C:\Windows\rfbscuvidrznjlmyyc.exe
  rfbscuvidrznjlmyyc.exe
  2⤵
  PID:1712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pfdwicfurhrhfjmacilb.exe .
1⤵
PID:3652
- C:\Windows\pfdwicfurhrhfjmacilb.exe
  pfdwicfurhrhfjmacilb.exe .
  2⤵
  PID:3004
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\pfdwicfurhrhfjmacilb.exe*."
    3⤵
    PID:6040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c evuobwaqofqhglpehosji.exe
1⤵
PID:5672
- C:\Windows\evuobwaqofqhglpehosji.exe
  evuobwaqofqhglpehosji.exe
  2⤵
  PID:3556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c evuobwaqofqhglpehosji.exe .
1⤵
PID:4448
- C:\Windows\evuobwaqofqhglpehosji.exe
  evuobwaqofqhglpehosji.exe .
  2⤵
  PID:1748
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\evuobwaqofqhglpehosji.exe*."
    3⤵
    PID:3284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
1⤵
PID:784
- C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
  C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
  2⤵
  PID:3948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe .
1⤵
PID:3732
- C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe .
  2⤵
  PID:5184
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bnhweutexjpbvvue.exe*."
    3⤵
    PID:1772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
1⤵
PID:3396
- C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
  2⤵
  PID:2992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe .
1⤵
PID:4152
- C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
  C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe .
  2⤵
  PID:1420
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\pfdwicfurhrhfjmacilb.exe*."
    3⤵
    PID:388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ivqgpggsmzgtoppaz.exe
1⤵
PID:5412
- C:\Windows\ivqgpggsmzgtoppaz.exe
  ivqgpggsmzgtoppaz.exe
  2⤵
  PID:2160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c evuobwaqofqhglpehosji.exe .
1⤵
PID:1892
- C:\Windows\evuobwaqofqhglpehosji.exe
  evuobwaqofqhglpehosji.exe .
  2⤵
  PID:3612
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\evuobwaqofqhglpehosji.exe*."
    3⤵
    PID:4640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c evuobwaqofqhglpehosji.exe
1⤵
PID:5516
- C:\Windows\evuobwaqofqhglpehosji.exe
  evuobwaqofqhglpehosji.exe
  2⤵
  PID:2912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pfdwicfurhrhfjmacilb.exe .
1⤵
PID:1288
- C:\Windows\pfdwicfurhrhfjmacilb.exe
  pfdwicfurhrhfjmacilb.exe .
  2⤵
  PID:5932
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\pfdwicfurhrhfjmacilb.exe*."
    3⤵
    PID:5512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe
1⤵
PID:1144
- C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe
  C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe
  2⤵
  PID:1608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe .
1⤵
PID:5216
- C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe
  C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe .
  2⤵
  PID:5532
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\evuobwaqofqhglpehosji.exe*."
    3⤵
    PID:5936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
1⤵
PID:5580
- C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
  C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
  2⤵
  PID:880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe .
1⤵
PID:5584
- C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe .
  2⤵
  PID:5480
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\ivqgpggsmzgtoppaz.exe*."
    3⤵
    PID:2744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bnhweutexjpbvvue.exe
1⤵
PID:3608
- C:\Windows\bnhweutexjpbvvue.exe
  bnhweutexjpbvvue.exe
  2⤵
  PID:2520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crogrkmawlujgjlyzeg.exe .
1⤵
PID:1224
- C:\Windows\crogrkmawlujgjlyzeg.exe
  crogrkmawlujgjlyzeg.exe .
  2⤵
  PID:4976
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\crogrkmawlujgjlyzeg.exe*."
    3⤵
    PID:3900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ivqgpggsmzgtoppaz.exe
1⤵
PID:4560
- C:\Windows\ivqgpggsmzgtoppaz.exe
  ivqgpggsmzgtoppaz.exe
  2⤵
  PID:4812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c evuobwaqofqhglpehosji.exe .
1⤵
PID:5752
- C:\Windows\evuobwaqofqhglpehosji.exe
  evuobwaqofqhglpehosji.exe .
  2⤵
  PID:4380
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\evuobwaqofqhglpehosji.exe*."
    3⤵
    PID:3344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
1⤵
PID:5660
- C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
  2⤵
  PID:944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe .
1⤵
PID:2148
- C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe .
  2⤵
  PID:5044
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\rfbscuvidrznjlmyyc.exe*."
    3⤵
    PID:2872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
1⤵
PID:5916
- C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
  2⤵
  PID:5448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe .
1⤵
PID:4732
- C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe .
  2⤵
  PID:4572
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\rfbscuvidrznjlmyyc.exe*."
    3⤵
    PID:4212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ivqgpggsmzgtoppaz.exe
1⤵
PID:784
- C:\Windows\ivqgpggsmzgtoppaz.exe
  ivqgpggsmzgtoppaz.exe
  2⤵
  PID:5788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crogrkmawlujgjlyzeg.exe .
1⤵
PID:3284
- C:\Windows\crogrkmawlujgjlyzeg.exe
  crogrkmawlujgjlyzeg.exe .
  2⤵
  PID:4000
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\crogrkmawlujgjlyzeg.exe*."
    3⤵
    PID:3732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c evuobwaqofqhglpehosji.exe
1⤵
PID:4952
- C:\Windows\evuobwaqofqhglpehosji.exe
  evuobwaqofqhglpehosji.exe
  2⤵
  PID:400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c evuobwaqofqhglpehosji.exe .
1⤵
PID:1292
- C:\Windows\evuobwaqofqhglpehosji.exe
  evuobwaqofqhglpehosji.exe .
  2⤵
  PID:1840
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\evuobwaqofqhglpehosji.exe*."
    3⤵
    PID:5316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
1⤵
PID:1500
- C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
  2⤵
  PID:3680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe .
1⤵
PID:4152
- C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
  C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe .
  2⤵
  PID:4776
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\pfdwicfurhrhfjmacilb.exe*."
    3⤵
    PID:636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
1⤵
PID:392
- C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
  C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
  2⤵
  PID:4640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe .
1⤵
PID:3788
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:928
- C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
  C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe .
  2⤵
  PID:2316
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\pfdwicfurhrhfjmacilb.exe*."
    3⤵
    PID:5208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rfbscuvidrznjlmyyc.exe
1⤵
PID:6112
- C:\Windows\rfbscuvidrznjlmyyc.exe
  rfbscuvidrznjlmyyc.exe
  2⤵
  PID:6132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bnhweutexjpbvvue.exe
1⤵
PID:1204
- C:\Windows\bnhweutexjpbvvue.exe
  bnhweutexjpbvvue.exe
  2⤵
  PID:1936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c evuobwaqofqhglpehosji.exe .
1⤵
PID:5472
- C:\Windows\evuobwaqofqhglpehosji.exe
  evuobwaqofqhglpehosji.exe .
  2⤵
  PID:4256
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\evuobwaqofqhglpehosji.exe*."
    3⤵
    PID:3900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c evuobwaqofqhglpehosji.exe .
1⤵
PID:5848
- C:\Windows\evuobwaqofqhglpehosji.exe
  evuobwaqofqhglpehosji.exe .
  2⤵
  PID:2372
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\evuobwaqofqhglpehosji.exe*."
    3⤵
    PID:4844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rfbscuvidrznjlmyyc.exe
1⤵
PID:3044
- C:\Windows\rfbscuvidrznjlmyyc.exe
  rfbscuvidrznjlmyyc.exe
  2⤵
  PID:3748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ivqgpggsmzgtoppaz.exe .
1⤵
PID:3304
- C:\Windows\ivqgpggsmzgtoppaz.exe
  ivqgpggsmzgtoppaz.exe .
  2⤵
  PID:5848
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\ivqgpggsmzgtoppaz.exe*."
    3⤵
    PID:4448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ivqgpggsmzgtoppaz.exe
1⤵
PID:5204
- C:\Windows\ivqgpggsmzgtoppaz.exe
  ivqgpggsmzgtoppaz.exe
  2⤵
  PID:2152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
1⤵
PID:976
- C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
  2⤵
  PID:3764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bnhweutexjpbvvue.exe .
1⤵
PID:5568
- C:\Windows\bnhweutexjpbvvue.exe
  bnhweutexjpbvvue.exe .
  2⤵
  PID:1104
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bnhweutexjpbvvue.exe*."
    3⤵
    PID:1572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe .
1⤵
PID:4388
- C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
  C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe .
  2⤵
  PID:4620
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\crogrkmawlujgjlyzeg.exe*."
    3⤵
    PID:3320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
1⤵
PID:3576
- C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
  2⤵
  PID:5572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe .
1⤵
PID:4220
- C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe .
  2⤵
  PID:4732
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\ivqgpggsmzgtoppaz.exe*."
    3⤵
    PID:1516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pfdwicfurhrhfjmacilb.exe
1⤵
PID:3520
- C:\Windows\pfdwicfurhrhfjmacilb.exe
  pfdwicfurhrhfjmacilb.exe
  2⤵
  PID:3732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
1⤵
PID:1432
- C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
  2⤵
  PID:4704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe .
1⤵
PID:5988
- C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe .
  2⤵
  PID:4828
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bnhweutexjpbvvue.exe*."
    3⤵
    PID:1808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
1⤵
PID:5256
- C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
  C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
  2⤵
  PID:5272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crogrkmawlujgjlyzeg.exe .
1⤵
PID:1520
- C:\Windows\crogrkmawlujgjlyzeg.exe
  crogrkmawlujgjlyzeg.exe .
  2⤵
  PID:4968
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\crogrkmawlujgjlyzeg.exe*."
    3⤵
    PID:5876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe .
1⤵
PID:3636
- C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe .
  2⤵
  PID:1504
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\rfbscuvidrznjlmyyc.exe*."
    3⤵
    PID:4708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c evuobwaqofqhglpehosji.exe
1⤵
PID:4920
- C:\Windows\evuobwaqofqhglpehosji.exe
  evuobwaqofqhglpehosji.exe
  2⤵
  PID:1804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c evuobwaqofqhglpehosji.exe .
1⤵
PID:5880
- C:\Windows\evuobwaqofqhglpehosji.exe
  evuobwaqofqhglpehosji.exe .
  2⤵
  PID:1836
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\evuobwaqofqhglpehosji.exe*."
    3⤵
    PID:2272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe
1⤵
PID:5576
- C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe
  C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe
  2⤵
  PID:2116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe .
1⤵
PID:5676
- C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe .
  2⤵
  PID:2368
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\ivqgpggsmzgtoppaz.exe*."
    3⤵
    PID:4336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
1⤵
PID:5528
- C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
  C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
  2⤵
  PID:1608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe .
1⤵
PID:1824
- C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
  C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe .
  2⤵
  PID:5236
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\crogrkmawlujgjlyzeg.exe*."
    3⤵
    PID:4608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crogrkmawlujgjlyzeg.exe
1⤵
PID:5888
- C:\Windows\crogrkmawlujgjlyzeg.exe
  crogrkmawlujgjlyzeg.exe
  2⤵
  PID:1620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pfdwicfurhrhfjmacilb.exe .
1⤵
PID:2408
- C:\Windows\pfdwicfurhrhfjmacilb.exe
  pfdwicfurhrhfjmacilb.exe .
  2⤵
  PID:4580
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\pfdwicfurhrhfjmacilb.exe*."
    3⤵
    PID:2132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ivqgpggsmzgtoppaz.exe
1⤵
PID:3440
- C:\Windows\ivqgpggsmzgtoppaz.exe
  ivqgpggsmzgtoppaz.exe
  2⤵
  PID:5284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pfdwicfurhrhfjmacilb.exe .
1⤵
PID:1204
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2032
- C:\Windows\pfdwicfurhrhfjmacilb.exe
  pfdwicfurhrhfjmacilb.exe .
  2⤵
  PID:4844
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\pfdwicfurhrhfjmacilb.exe*."
    3⤵
    PID:1712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
1⤵
PID:5796
- C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
  2⤵
  PID:4928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe .
1⤵
PID:2524
- C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
  C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe .
  2⤵
  PID:1932
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\crogrkmawlujgjlyzeg.exe*."
    3⤵
    PID:5208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe
1⤵
PID:3924
- C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe
  2⤵
  PID:1576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe .
1⤵
PID:4600
- C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe .
  2⤵
  PID:2480
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bnhweutexjpbvvue.exe*."
    3⤵
    PID:5384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rfbscuvidrznjlmyyc.exe
1⤵
PID:5788
- C:\Windows\rfbscuvidrznjlmyyc.exe
  rfbscuvidrznjlmyyc.exe
  2⤵
  PID:1124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c evuobwaqofqhglpehosji.exe .
1⤵
PID:4632
- C:\Windows\evuobwaqofqhglpehosji.exe
  evuobwaqofqhglpehosji.exe .
  2⤵
  PID:5020
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\evuobwaqofqhglpehosji.exe*."
    3⤵
    PID:1292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ivqgpggsmzgtoppaz.exe
1⤵
PID:1648
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2604
- C:\Windows\ivqgpggsmzgtoppaz.exe
  ivqgpggsmzgtoppaz.exe
  2⤵
  PID:652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c evuobwaqofqhglpehosji.exe .
1⤵
PID:1064
- C:\Windows\evuobwaqofqhglpehosji.exe
  evuobwaqofqhglpehosji.exe .
  2⤵
  PID:1888
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\evuobwaqofqhglpehosji.exe*."
    3⤵
    PID:4708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe
1⤵
PID:944
- C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe
  C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe
  2⤵
  PID:2912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe .
1⤵
PID:5316
- C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
  C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe .
  2⤵
  PID:1492
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\crogrkmawlujgjlyzeg.exe*."
    3⤵
    PID:1360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe
1⤵
PID:1456
- C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe
  C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe
  2⤵
  PID:2924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe .
1⤵
PID:1040
- C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe .
  2⤵
  PID:1708
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\rfbscuvidrznjlmyyc.exe*."
    3⤵
    PID:4444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rfbscuvidrznjlmyyc.exe
1⤵
PID:1288
- C:\Windows\rfbscuvidrznjlmyyc.exe
  rfbscuvidrznjlmyyc.exe
  2⤵
  PID:5576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c evuobwaqofqhglpehosji.exe .
1⤵
PID:4068
- C:\Windows\evuobwaqofqhglpehosji.exe
  evuobwaqofqhglpehosji.exe .
  2⤵
  PID:544
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\evuobwaqofqhglpehosji.exe*."
    3⤵
    PID:1544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rfbscuvidrznjlmyyc.exe
1⤵
PID:3000
- C:\Windows\rfbscuvidrznjlmyyc.exe
  rfbscuvidrznjlmyyc.exe
  2⤵
  PID:5252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bnhweutexjpbvvue.exe .
1⤵
PID:4160
- C:\Windows\bnhweutexjpbvvue.exe
  bnhweutexjpbvvue.exe .
  2⤵
  PID:5532
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bnhweutexjpbvvue.exe*."
    3⤵
    PID:1824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe
1⤵
PID:5112
- C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe
  2⤵
  PID:5084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe .
1⤵
PID:5860
- C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
  C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe .
  2⤵
  PID:1840
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\pfdwicfurhrhfjmacilb.exe*."
    3⤵
    PID:5380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
1⤵
PID:1416
- C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
  2⤵
  PID:4844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe .
1⤵
PID:2408
- C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe .
  2⤵
  PID:2920
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bnhweutexjpbvvue.exe*."
    3⤵
    PID:548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c evuobwaqofqhglpehosji.exe
1⤵
PID:4216
- C:\Windows\evuobwaqofqhglpehosji.exe
  evuobwaqofqhglpehosji.exe
  2⤵
  PID:5968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bnhweutexjpbvvue.exe .
1⤵
PID:1780
- C:\Windows\bnhweutexjpbvvue.exe
  bnhweutexjpbvvue.exe .
  2⤵
  PID:4080
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bnhweutexjpbvvue.exe*."
    3⤵
    PID:2152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bnhweutexjpbvvue.exe
1⤵
PID:5848
- C:\Windows\bnhweutexjpbvvue.exe
  bnhweutexjpbvvue.exe
  2⤵
  PID:3960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ivqgpggsmzgtoppaz.exe .
1⤵
PID:4108
- C:\Windows\ivqgpggsmzgtoppaz.exe
  ivqgpggsmzgtoppaz.exe .
  2⤵
  PID:2844
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\ivqgpggsmzgtoppaz.exe*."
    3⤵
    PID:1124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
1⤵
PID:4620
- C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
  2⤵
  PID:5916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe .
1⤵
PID:4180
- C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe .
  2⤵
  PID:4320
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bnhweutexjpbvvue.exe*."
    3⤵
    PID:60

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe
1⤵
PID:4560
- C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe
  C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe
  2⤵
  PID:652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe .
1⤵
PID:4864
- C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe .
  2⤵
  PID:4440
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bnhweutexjpbvvue.exe*."
    3⤵
    PID:2948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ivqgpggsmzgtoppaz.exe
1⤵
PID:812
- C:\Windows\ivqgpggsmzgtoppaz.exe
  ivqgpggsmzgtoppaz.exe
  2⤵
  PID:636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ivqgpggsmzgtoppaz.exe .
1⤵
PID:4832
- C:\Windows\ivqgpggsmzgtoppaz.exe
  ivqgpggsmzgtoppaz.exe .
  2⤵
  PID:3424
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\ivqgpggsmzgtoppaz.exe*."
    3⤵
    PID:5828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crogrkmawlujgjlyzeg.exe
1⤵
PID:4968
- C:\Windows\crogrkmawlujgjlyzeg.exe
  crogrkmawlujgjlyzeg.exe
  2⤵
  PID:4448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ivqgpggsmzgtoppaz.exe .
1⤵
PID:3332
- C:\Windows\ivqgpggsmzgtoppaz.exe
  ivqgpggsmzgtoppaz.exe .
  2⤵
  PID:5160
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\ivqgpggsmzgtoppaz.exe*."
    3⤵
    PID:4572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
1⤵
PID:3256
- C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
  2⤵
  PID:3088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe .
1⤵
PID:400
- C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe .
  2⤵
  PID:1620
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bnhweutexjpbvvue.exe*."
    3⤵
    PID:1976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
1⤵
PID:4644
- C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
  2⤵
  PID:2572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe .
1⤵
PID:5044
- C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe .
  2⤵
  PID:4392
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bnhweutexjpbvvue.exe*."
    3⤵
    PID:3912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pfdwicfurhrhfjmacilb.exe
1⤵
PID:3900
- C:\Windows\pfdwicfurhrhfjmacilb.exe
  pfdwicfurhrhfjmacilb.exe
  2⤵
  PID:2992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pfdwicfurhrhfjmacilb.exe
1⤵
PID:1472
- C:\Windows\pfdwicfurhrhfjmacilb.exe
  pfdwicfurhrhfjmacilb.exe
  2⤵
  PID:4804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crogrkmawlujgjlyzeg.exe .
1⤵
PID:4584
- C:\Windows\crogrkmawlujgjlyzeg.exe
  crogrkmawlujgjlyzeg.exe .
  2⤵
  PID:3300
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\crogrkmawlujgjlyzeg.exe*."
    3⤵
    PID:5452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c evuobwaqofqhglpehosji.exe .
1⤵
PID:6064
- C:\Windows\evuobwaqofqhglpehosji.exe
  evuobwaqofqhglpehosji.exe .
  2⤵
  PID:984
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\evuobwaqofqhglpehosji.exe*."
    3⤵
    PID:1128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crogrkmawlujgjlyzeg.exe
1⤵
PID:5796
- C:\Windows\crogrkmawlujgjlyzeg.exe
  crogrkmawlujgjlyzeg.exe
  2⤵
  PID:4916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pfdwicfurhrhfjmacilb.exe .
1⤵
PID:3548
- C:\Windows\pfdwicfurhrhfjmacilb.exe
  pfdwicfurhrhfjmacilb.exe .
  2⤵
  PID:1084
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\pfdwicfurhrhfjmacilb.exe*."
    3⤵
    PID:768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rfbscuvidrznjlmyyc.exe
1⤵
PID:5480
- C:\Windows\rfbscuvidrznjlmyyc.exe
  rfbscuvidrznjlmyyc.exe
  2⤵
  PID:3084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
1⤵
PID:5288
- C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
  C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
  2⤵
  PID:3560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c evuobwaqofqhglpehosji.exe .
1⤵
PID:3456
- C:\Windows\evuobwaqofqhglpehosji.exe
  evuobwaqofqhglpehosji.exe .
  2⤵
  PID:1032
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\evuobwaqofqhglpehosji.exe*."
    3⤵
    PID:1836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe .
1⤵
PID:1612
- C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe
  C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe .
  2⤵
  PID:4600
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\evuobwaqofqhglpehosji.exe*."
    3⤵
    PID:4560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
1⤵
PID:4112
- C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
  C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
  2⤵
  PID:3300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe .
1⤵
PID:5720
- C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
  C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe .
  2⤵
  PID:5452
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\crogrkmawlujgjlyzeg.exe*."
    3⤵
    PID:1840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
1⤵
PID:4868
- C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
  C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
  2⤵
  PID:5060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe .
1⤵
PID:976
- C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
  C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe .
  2⤵
  PID:2408
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\crogrkmawlujgjlyzeg.exe*."
    3⤵
    PID:4176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
1⤵
PID:4468
- C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
  C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
  2⤵
  PID:4812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crogrkmawlujgjlyzeg.exe
1⤵
PID:4996
- C:\Windows\crogrkmawlujgjlyzeg.exe
  crogrkmawlujgjlyzeg.exe
  2⤵
  PID:3492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe .
1⤵
PID:2916
- C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
  C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe .
  2⤵
  PID:4884
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\pfdwicfurhrhfjmacilb.exe*."
    3⤵
    PID:2928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rfbscuvidrznjlmyyc.exe .
1⤵
PID:2520
- C:\Windows\rfbscuvidrznjlmyyc.exe
  rfbscuvidrznjlmyyc.exe .
  2⤵
  PID:4480
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\rfbscuvidrznjlmyyc.exe*."
    3⤵
    PID:2368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ivqgpggsmzgtoppaz.exe
1⤵
PID:4952
- C:\Windows\ivqgpggsmzgtoppaz.exe
  ivqgpggsmzgtoppaz.exe
  2⤵
  PID:3888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rfbscuvidrznjlmyyc.exe .
1⤵
PID:3524
- C:\Windows\rfbscuvidrznjlmyyc.exe
  rfbscuvidrznjlmyyc.exe .
  2⤵
  PID:5576
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\rfbscuvidrznjlmyyc.exe*."
    3⤵
    PID:4400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
1⤵
PID:1080
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3572
- C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
  C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
  2⤵
  PID:536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pfdwicfurhrhfjmacilb.exe
1⤵
PID:1496
- C:\Windows\pfdwicfurhrhfjmacilb.exe
  pfdwicfurhrhfjmacilb.exe
  2⤵
  PID:920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe .
1⤵
PID:1924
- C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe .
  2⤵
  PID:5752
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bnhweutexjpbvvue.exe*."
    3⤵
    PID:4712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pfdwicfurhrhfjmacilb.exe .
1⤵
PID:3648
- C:\Windows\pfdwicfurhrhfjmacilb.exe
  pfdwicfurhrhfjmacilb.exe .
  2⤵
  PID:4068
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\pfdwicfurhrhfjmacilb.exe*."
    3⤵
    PID:2628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
1⤵
PID:5812
- C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
  C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
  2⤵
  PID:2340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bnhweutexjpbvvue.exe
1⤵
PID:4572
- C:\Windows\bnhweutexjpbvvue.exe
  bnhweutexjpbvvue.exe
  2⤵
  PID:3144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe .
1⤵
PID:4336
- C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe
  C:\Users\Admin\AppData\Local\Temp\crogrkmawlujgjlyzeg.exe .
  2⤵
  PID:4772
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\crogrkmawlujgjlyzeg.exe*."
    3⤵
    PID:3380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bnhweutexjpbvvue.exe .
1⤵
PID:3916
- C:\Windows\bnhweutexjpbvvue.exe
  bnhweutexjpbvvue.exe .
  2⤵
  PID:3800
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bnhweutexjpbvvue.exe*."
    3⤵
    PID:4280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe
1⤵
PID:5252
- C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe
  2⤵
  PID:5284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe .
1⤵
PID:1648
- C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe
  C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe .
  2⤵
  PID:2992
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\evuobwaqofqhglpehosji.exe*."
    3⤵
    PID:3904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
1⤵
PID:3192
- C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
  C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
  2⤵
  PID:636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe .
1⤵
PID:5932
- C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe .
  2⤵
  PID:388
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\ivqgpggsmzgtoppaz.exe*."
    3⤵
    PID:4320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bnhweutexjpbvvue.exe
1⤵
PID:4796
- C:\Windows\bnhweutexjpbvvue.exe
  bnhweutexjpbvvue.exe
  2⤵
  PID:3312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bnhweutexjpbvvue.exe .
1⤵
PID:1132
- C:\Windows\bnhweutexjpbvvue.exe
  bnhweutexjpbvvue.exe .
  2⤵
  PID:1672
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bnhweutexjpbvvue.exe*."
    3⤵
    PID:3492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c evuobwaqofqhglpehosji.exe
1⤵
PID:5584
- C:\Windows\evuobwaqofqhglpehosji.exe
  evuobwaqofqhglpehosji.exe
  2⤵
  PID:1932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ivqgpggsmzgtoppaz.exe .
1⤵
PID:3528
- C:\Windows\ivqgpggsmzgtoppaz.exe
  ivqgpggsmzgtoppaz.exe .
  2⤵
  PID:5056
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\ivqgpggsmzgtoppaz.exe*."
    3⤵
    PID:1572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
1⤵
PID:1436
- C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
  C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
  2⤵
  PID:1492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe .
1⤵
PID:2444
- C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe
  C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe .
  2⤵
  PID:4724
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\evuobwaqofqhglpehosji.exe*."
    3⤵
    PID:2572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe
1⤵
PID:1740
- C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe
  C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe
  2⤵
  PID:1280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe .
1⤵
PID:2692
- C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe
  C:\Users\Admin\AppData\Local\Temp\evuobwaqofqhglpehosji.exe .
  2⤵
  PID:6124
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\evuobwaqofqhglpehosji.exe*."
    3⤵
    PID:2924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rfbscuvidrznjlmyyc.exe
1⤵
PID:4736
- C:\Windows\rfbscuvidrznjlmyyc.exe
  rfbscuvidrznjlmyyc.exe
  2⤵
  PID:844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bnhweutexjpbvvue.exe .
1⤵
PID:4844
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1708
- C:\Windows\bnhweutexjpbvvue.exe
  bnhweutexjpbvvue.exe .
  2⤵
  PID:4624
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bnhweutexjpbvvue.exe*."
    3⤵
    PID:336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c evuobwaqofqhglpehosji.exe
1⤵
PID:6024
- C:\Windows\evuobwaqofqhglpehosji.exe
  evuobwaqofqhglpehosji.exe
  2⤵
  PID:456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bnhweutexjpbvvue.exe .
1⤵
PID:2944
- C:\Windows\bnhweutexjpbvvue.exe
  bnhweutexjpbvvue.exe .
  2⤵
  PID:3904
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bnhweutexjpbvvue.exe*."
    3⤵
    PID:1584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
1⤵
PID:2512
- C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
  C:\Users\Admin\AppData\Local\Temp\bnhweutexjpbvvue.exe
  2⤵
  PID:5132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe .
1⤵
PID:3064
- C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe
  C:\Users\Admin\AppData\Local\Temp\pfdwicfurhrhfjmacilb.exe .
  2⤵
  PID:5868
- - C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
    "C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\pfdwicfurhrhfjmacilb.exe*."
    3⤵
    PID:652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
1⤵
PID:628
- C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
  C:\Users\Admin\AppData\Local\Temp\ivqgpggsmzgtoppaz.exe
  2⤵
  PID:4652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rfbscuvidrznjlmyyc.exe .
1⤵
PID:388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Modify Registry