pykspa | 36a3322c178aa5eec197d1df430d3dd30bab93c2609409367ca3fb2a25c89a7c

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abmxwcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abmxwcp.exe

Pykspa
Pykspa is a worm spreads via Skype uses DGA and it's written in C++.
worm pykspa
Pykspa family
pykspa

UAC bypass 3 TTPs 16 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abmxwcp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	abmxwcp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abmxwcp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	abmxwcp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	abmxwcp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	abmxwcp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	abmxwcp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	abmxwcp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	vhhorpeefrr.exe

Detect Pykspa worm 2 IoCs

worm

resource	yara_rule
behavioral2/files/0x000d000000023f09-4.dat	family_pykspa
behavioral2/files/0x0007000000024032-82.dat	family_pykspa

Adds policy Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\abmxwcp = "pbxtdushfwpwkuzvcj.exe"	abmxwcp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vhhorpeefrr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\trzh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ankhskjzyqkshsyvdly.exe"	vhhorpeefrr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\trzh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pbxtdushfwpwkuzvcj.exe"	abmxwcp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\abmxwcp = "crqpcwxpqkgqhucblvkji.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\trzh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zjdxfuqdzofkwehb.exe"	vhhorpeefrr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\trzh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zjdxfuqdzofkwehb.exe"	vhhorpeefrr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abmxwcp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abmxwcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\trzh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ankhskjzyqkshsyvdly.exe"	abmxwcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\abmxwcp = "zjdxfuqdzofkwehb.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\trzh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\grmhqgdroewcpycxd.exe"	abmxwcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\abmxwcp = "grmhqgdroewcpycxd.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\abmxwcp = "grmhqgdroewcpycxd.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\abmxwcp = "pbxtdushfwpwkuzvcj.exe"	abmxwcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\abmxwcp = "zjdxfuqdzofkwehb.exe"	abmxwcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\trzh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zjdxfuqdzofkwehb.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\abmxwcp = "grmhqgdroewcpycxd.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\abmxwcp = "ankhskjzyqkshsyvdly.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\abmxwcp = "grmhqgdroewcpycxd.exe"	abmxwcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\trzh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crqpcwxpqkgqhucblvkji.exe"	abmxwcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\trzh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nbzxjccttmhqgszxgpdb.exe"	vhhorpeefrr.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
23	4064	Process not Found

Disables RegEdit via registry modification 6 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vhhorpeefrr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	abmxwcp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	abmxwcp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	abmxwcp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	abmxwcp.exe

Checks computer location settings 2 TTPs 37 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	ankhskjzyqkshsyvdly.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	ankhskjzyqkshsyvdly.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	crqpcwxpqkgqhucblvkji.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	pbxtdushfwpwkuzvcj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	zjdxfuqdzofkwehb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	grmhqgdroewcpycxd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	JaffaCakes118_930832249e4efce3d5bfeb3ac4109872.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	zjdxfuqdzofkwehb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	crqpcwxpqkgqhucblvkji.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	zjdxfuqdzofkwehb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	pbxtdushfwpwkuzvcj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	zjdxfuqdzofkwehb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	grmhqgdroewcpycxd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	zjdxfuqdzofkwehb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	zjdxfuqdzofkwehb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	crqpcwxpqkgqhucblvkji.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	nbzxjccttmhqgszxgpdb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	zjdxfuqdzofkwehb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	ankhskjzyqkshsyvdly.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	grmhqgdroewcpycxd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	ankhskjzyqkshsyvdly.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	nbzxjccttmhqgszxgpdb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	pbxtdushfwpwkuzvcj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	zjdxfuqdzofkwehb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	ankhskjzyqkshsyvdly.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	nbzxjccttmhqgszxgpdb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	zjdxfuqdzofkwehb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	ankhskjzyqkshsyvdly.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	zjdxfuqdzofkwehb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	ankhskjzyqkshsyvdly.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	ankhskjzyqkshsyvdly.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	ankhskjzyqkshsyvdly.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	crqpcwxpqkgqhucblvkji.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	vhhorpeefrr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	pbxtdushfwpwkuzvcj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	zjdxfuqdzofkwehb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	zjdxfuqdzofkwehb.exe

Executes dropped EXE 64 IoCs

pid	Process
4384	vhhorpeefrr.exe
2928	zjdxfuqdzofkwehb.exe
4860	crqpcwxpqkgqhucblvkji.exe
3984	grmhqgdroewcpycxd.exe
4620	zjdxfuqdzofkwehb.exe
416	zjdxfuqdzofkwehb.exe
5080	nbzxjccttmhqgszxgpdb.exe
4368	ankhskjzyqkshsyvdly.exe
344	vhhorpeefrr.exe
4320	crqpcwxpqkgqhucblvkji.exe
3532	vhhorpeefrr.exe
5040	vhhorpeefrr.exe
2540	abmxwcp.exe
3596	vhhorpeefrr.exe
4540	abmxwcp.exe
3468	grmhqgdroewcpycxd.exe
4348	ankhskjzyqkshsyvdly.exe
344	zjdxfuqdzofkwehb.exe
3408	nbzxjccttmhqgszxgpdb.exe
4676	grmhqgdroewcpycxd.exe
3472	zjdxfuqdzofkwehb.exe
1548	grmhqgdroewcpycxd.exe
3472	zjdxfuqdzofkwehb.exe
844	vhhorpeefrr.exe
4008	vhhorpeefrr.exe
2484	vhhorpeefrr.exe
1592	crqpcwxpqkgqhucblvkji.exe
2160	zjdxfuqdzofkwehb.exe
2604	pbxtdushfwpwkuzvcj.exe
220	vhhorpeefrr.exe
2664	zjdxfuqdzofkwehb.exe
3372	pbxtdushfwpwkuzvcj.exe
3376	grmhqgdroewcpycxd.exe
1592	zjdxfuqdzofkwehb.exe
2156	nbzxjccttmhqgszxgpdb.exe
1968	pbxtdushfwpwkuzvcj.exe
1496	ankhskjzyqkshsyvdly.exe
4408	grmhqgdroewcpycxd.exe
3348	nbzxjccttmhqgszxgpdb.exe
2216	vhhorpeefrr.exe
4940	vhhorpeefrr.exe
4692	vhhorpeefrr.exe
1516	vhhorpeefrr.exe
2688	vhhorpeefrr.exe
3472	vhhorpeefrr.exe
2228	nbzxjccttmhqgszxgpdb.exe
2300	vhhorpeefrr.exe
1484	crqpcwxpqkgqhucblvkji.exe
4080	grmhqgdroewcpycxd.exe
4852	grmhqgdroewcpycxd.exe
4856	nbzxjccttmhqgszxgpdb.exe
4376	vhhorpeefrr.exe
1808	zjdxfuqdzofkwehb.exe
2664	ankhskjzyqkshsyvdly.exe
4676	zjdxfuqdzofkwehb.exe
5176	crqpcwxpqkgqhucblvkji.exe
5360	crqpcwxpqkgqhucblvkji.exe
5376	ankhskjzyqkshsyvdly.exe
5384	zjdxfuqdzofkwehb.exe
5400	vhhorpeefrr.exe
5416	zjdxfuqdzofkwehb.exe
5456	pbxtdushfwpwkuzvcj.exe
5516	ankhskjzyqkshsyvdly.exe
5524	vhhorpeefrr.exe

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	abmxwcp.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	abmxwcp.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	abmxwcp.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	abmxwcp.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	abmxwcp.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	abmxwcp.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

defense_evasion persistence privilege_escalation

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\gjwjkshnc = "ankhskjzyqkshsyvdly.exe ."	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zdrfhqgndm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nbzxjccttmhqgszxgpdb.exe ."	abmxwcp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cbktq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ankhskjzyqkshsyvdly.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uzodgqhpgqc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\grmhqgdroewcpycxd.exe"	abmxwcp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cbktq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ankhskjzyqkshsyvdly.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\gjwjkshnc = "ankhskjzyqkshsyvdly.exe ."	abmxwcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uzodgqhpgqc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nbzxjccttmhqgszxgpdb.exe"	abmxwcp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prdppwkp = "ankhskjzyqkshsyvdly.exe"	abmxwcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uzodgqhpgqc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pbxtdushfwpwkuzvcj.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cbktq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\grmhqgdroewcpycxd.exe"	abmxwcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cbktq = "nbzxjccttmhqgszxgpdb.exe"	abmxwcp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\gjwjkshnc = "zjdxfuqdzofkwehb.exe ."	vhhorpeefrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cbktq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crqpcwxpqkgqhucblvkji.exe"	abmxwcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zdrfhqgndm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pbxtdushfwpwkuzvcj.exe ."	abmxwcp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nnxhfk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zjdxfuqdzofkwehb.exe ."	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uzodgqhpgqc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zjdxfuqdzofkwehb.exe"	abmxwcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zdrfhqgndm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\grmhqgdroewcpycxd.exe ."	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zdrfhqgndm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ankhskjzyqkshsyvdly.exe ."	abmxwcp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\gjwjkshnc = "zjdxfuqdzofkwehb.exe ."	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zdrfhqgndm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zjdxfuqdzofkwehb.exe ."	vhhorpeefrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prdppwkp = "grmhqgdroewcpycxd.exe"	abmxwcp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\gjwjkshnc = "grmhqgdroewcpycxd.exe ."	vhhorpeefrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nnxhfk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zjdxfuqdzofkwehb.exe ."	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nnxhfk = "crqpcwxpqkgqhucblvkji.exe ."	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uzodgqhpgqc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\grmhqgdroewcpycxd.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\gjwjkshnc = "pbxtdushfwpwkuzvcj.exe ."	abmxwcp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\gjwjkshnc = "zjdxfuqdzofkwehb.exe ."	abmxwcp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cbktq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pbxtdushfwpwkuzvcj.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nnxhfk = "zjdxfuqdzofkwehb.exe ."	abmxwcp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cbktq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nbzxjccttmhqgszxgpdb.exe"	abmxwcp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nnxhfk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zjdxfuqdzofkwehb.exe ."	abmxwcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cbktq = "grmhqgdroewcpycxd.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\gjwjkshnc = "crqpcwxpqkgqhucblvkji.exe ."	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zdrfhqgndm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ankhskjzyqkshsyvdly.exe ."	vhhorpeefrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cbktq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ankhskjzyqkshsyvdly.exe"	abmxwcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nnxhfk = "pbxtdushfwpwkuzvcj.exe ."	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nnxhfk = "zjdxfuqdzofkwehb.exe ."	abmxwcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cbktq = "zjdxfuqdzofkwehb.exe"	abmxwcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nnxhfk = "crqpcwxpqkgqhucblvkji.exe ."	abmxwcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nnxhfk = "crqpcwxpqkgqhucblvkji.exe ."	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uzodgqhpgqc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crqpcwxpqkgqhucblvkji.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cbktq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crqpcwxpqkgqhucblvkji.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cbktq = "nbzxjccttmhqgszxgpdb.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nnxhfk = "ankhskjzyqkshsyvdly.exe ."	abmxwcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cbktq = "crqpcwxpqkgqhucblvkji.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prdppwkp = "grmhqgdroewcpycxd.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cbktq = "crqpcwxpqkgqhucblvkji.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zdrfhqgndm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\grmhqgdroewcpycxd.exe ."	vhhorpeefrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prdppwkp = "zjdxfuqdzofkwehb.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nnxhfk = "crqpcwxpqkgqhucblvkji.exe ."	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nnxhfk = "ankhskjzyqkshsyvdly.exe ."	vhhorpeefrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prdppwkp = "crqpcwxpqkgqhucblvkji.exe"	abmxwcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nnxhfk = "nbzxjccttmhqgszxgpdb.exe ."	vhhorpeefrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prdppwkp = "ankhskjzyqkshsyvdly.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prdppwkp = "ankhskjzyqkshsyvdly.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cbktq = "zjdxfuqdzofkwehb.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cbktq = "zjdxfuqdzofkwehb.exe"	abmxwcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uzodgqhpgqc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zjdxfuqdzofkwehb.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zdrfhqgndm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nbzxjccttmhqgszxgpdb.exe ."	vhhorpeefrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cbktq = "pbxtdushfwpwkuzvcj.exe"	abmxwcp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nnxhfk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zjdxfuqdzofkwehb.exe ."	abmxwcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uzodgqhpgqc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zjdxfuqdzofkwehb.exe"	vhhorpeefrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nnxhfk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ankhskjzyqkshsyvdly.exe ."	abmxwcp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nnxhfk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zjdxfuqdzofkwehb.exe ."	vhhorpeefrr.exe

Checks whether UAC is enabled 1 TTPs 14 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vhhorpeefrr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vhhorpeefrr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abmxwcp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abmxwcp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abmxwcp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vhhorpeefrr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abmxwcp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vhhorpeefrr.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs

Possible Turn off User Account Control's privilege elevation for standard users.

Executable Installer File Permissions Weakness

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	abmxwcp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	abmxwcp.exe

Looks up external IP address via web service 7 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
67	www.whatismyip.ca
26	whatismyip.everdot.org
30	www.whatismyip.ca
33	www.showmyipaddress.com
43	whatismyipaddress.com
46	whatismyip.everdot.org
50	www.whatismyip.ca

Drops file in System32 directory 53 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rzrjpcwhbodgqwxpsvdvntgalfshkuabtwzh.rxk	abmxwcp.exe
File opened for modification	C:\Windows\SysWOW64\zjdxfuqdzofkwehb.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\grmhqgdroewcpycxd.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\nbzxjccttmhqgszxgpdb.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\tjjjxsunpkhskyhhsdttth.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\zjdxfuqdzofkwehb.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\nbzxjccttmhqgszxgpdb.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\tjjjxsunpkhskyhhsdttth.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\zjdxfuqdzofkwehb.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\pbxtdushfwpwkuzvcj.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\zjdxfuqdzofkwehb.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\ankhskjzyqkshsyvdly.exe	abmxwcp.exe
File opened for modification	C:\Windows\SysWOW64\tjjjxsunpkhskyhhsdttth.exe	abmxwcp.exe
File opened for modification	C:\Windows\SysWOW64\pbxtdushfwpwkuzvcj.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\nbzxjccttmhqgszxgpdb.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\crqpcwxpqkgqhucblvkji.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\grmhqgdroewcpycxd.exe	abmxwcp.exe
File opened for modification	C:\Windows\SysWOW64\pbxtdushfwpwkuzvcj.exe	abmxwcp.exe
File opened for modification	C:\Windows\SysWOW64\tjjjxsunpkhskyhhsdttth.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\pbxtdushfwpwkuzvcj.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\ankhskjzyqkshsyvdly.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\zjdxfuqdzofkwehb.exe	abmxwcp.exe
File opened for modification	C:\Windows\SysWOW64\ankhskjzyqkshsyvdly.exe	abmxwcp.exe
File opened for modification	C:\Windows\SysWOW64\grmhqgdroewcpycxd.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\grmhqgdroewcpycxd.exe	abmxwcp.exe
File opened for modification	C:\Windows\SysWOW64\nbzxjccttmhqgszxgpdb.exe	abmxwcp.exe
File opened for modification	C:\Windows\SysWOW64\grmhqgdroewcpycxd.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\ankhskjzyqkshsyvdly.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\crqpcwxpqkgqhucblvkji.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\crqpcwxpqkgqhucblvkji.exe	abmxwcp.exe
File opened for modification	C:\Windows\SysWOW64\grmhqgdroewcpycxd.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\zjdxfuqdzofkwehb.exe	abmxwcp.exe
File opened for modification	C:\Windows\SysWOW64\mjqxsuddmoskjeubtlipwrtcc.nrj	abmxwcp.exe
File created	C:\Windows\SysWOW64\mjqxsuddmoskjeubtlipwrtcc.nrj	abmxwcp.exe
File opened for modification	C:\Windows\SysWOW64\ankhskjzyqkshsyvdly.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\nbzxjccttmhqgszxgpdb.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\crqpcwxpqkgqhucblvkji.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\pbxtdushfwpwkuzvcj.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\ankhskjzyqkshsyvdly.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\rzrjpcwhbodgqwxpsvdvntgalfshkuabtwzh.rxk	abmxwcp.exe
File opened for modification	C:\Windows\SysWOW64\grmhqgdroewcpycxd.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\tjjjxsunpkhskyhhsdttth.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\zjdxfuqdzofkwehb.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\pbxtdushfwpwkuzvcj.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\ankhskjzyqkshsyvdly.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\nbzxjccttmhqgszxgpdb.exe	abmxwcp.exe
File opened for modification	C:\Windows\SysWOW64\tjjjxsunpkhskyhhsdttth.exe	abmxwcp.exe
File opened for modification	C:\Windows\SysWOW64\nbzxjccttmhqgszxgpdb.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\crqpcwxpqkgqhucblvkji.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\tjjjxsunpkhskyhhsdttth.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\SysWOW64\pbxtdushfwpwkuzvcj.exe	abmxwcp.exe
File opened for modification	C:\Windows\SysWOW64\crqpcwxpqkgqhucblvkji.exe	abmxwcp.exe
File opened for modification	C:\Windows\SysWOW64\crqpcwxpqkgqhucblvkji.exe	vhhorpeefrr.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\mjqxsuddmoskjeubtlipwrtcc.nrj	abmxwcp.exe
File created	C:\Program Files (x86)\mjqxsuddmoskjeubtlipwrtcc.nrj	abmxwcp.exe
File opened for modification	C:\Program Files (x86)\rzrjpcwhbodgqwxpsvdvntgalfshkuabtwzh.rxk	abmxwcp.exe
File created	C:\Program Files (x86)\rzrjpcwhbodgqwxpsvdvntgalfshkuabtwzh.rxk	abmxwcp.exe

Drops file in Windows directory 53 IoCs

description	ioc	Process
File opened for modification	C:\Windows\grmhqgdroewcpycxd.exe	abmxwcp.exe
File opened for modification	C:\Windows\tjjjxsunpkhskyhhsdttth.exe	abmxwcp.exe
File opened for modification	C:\Windows\nbzxjccttmhqgszxgpdb.exe	abmxwcp.exe
File opened for modification	C:\Windows\tjjjxsunpkhskyhhsdttth.exe	abmxwcp.exe
File opened for modification	C:\Windows\grmhqgdroewcpycxd.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\nbzxjccttmhqgszxgpdb.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\pbxtdushfwpwkuzvcj.exe	abmxwcp.exe
File opened for modification	C:\Windows\pbxtdushfwpwkuzvcj.exe	abmxwcp.exe
File opened for modification	C:\Windows\pbxtdushfwpwkuzvcj.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\crqpcwxpqkgqhucblvkji.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\tjjjxsunpkhskyhhsdttth.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\pbxtdushfwpwkuzvcj.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\crqpcwxpqkgqhucblvkji.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\zjdxfuqdzofkwehb.exe	abmxwcp.exe
File opened for modification	C:\Windows\ankhskjzyqkshsyvdly.exe	abmxwcp.exe
File opened for modification	C:\Windows\nbzxjccttmhqgszxgpdb.exe	abmxwcp.exe
File opened for modification	C:\Windows\ankhskjzyqkshsyvdly.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\nbzxjccttmhqgszxgpdb.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\crqpcwxpqkgqhucblvkji.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\tjjjxsunpkhskyhhsdttth.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\crqpcwxpqkgqhucblvkji.exe	vhhorpeefrr.exe
File created	C:\Windows\rzrjpcwhbodgqwxpsvdvntgalfshkuabtwzh.rxk	abmxwcp.exe
File opened for modification	C:\Windows\grmhqgdroewcpycxd.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\crqpcwxpqkgqhucblvkji.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\grmhqgdroewcpycxd.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\zjdxfuqdzofkwehb.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\nbzxjccttmhqgszxgpdb.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\zjdxfuqdzofkwehb.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\tjjjxsunpkhskyhhsdttth.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\ankhskjzyqkshsyvdly.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\grmhqgdroewcpycxd.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\tjjjxsunpkhskyhhsdttth.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\zjdxfuqdzofkwehb.exe	abmxwcp.exe
File opened for modification	C:\Windows\grmhqgdroewcpycxd.exe	abmxwcp.exe
File opened for modification	C:\Windows\ankhskjzyqkshsyvdly.exe	abmxwcp.exe
File opened for modification	C:\Windows\rzrjpcwhbodgqwxpsvdvntgalfshkuabtwzh.rxk	abmxwcp.exe
File opened for modification	C:\Windows\zjdxfuqdzofkwehb.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\nbzxjccttmhqgszxgpdb.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\pbxtdushfwpwkuzvcj.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\crqpcwxpqkgqhucblvkji.exe	abmxwcp.exe
File opened for modification	C:\Windows\zjdxfuqdzofkwehb.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\ankhskjzyqkshsyvdly.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\nbzxjccttmhqgszxgpdb.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\ankhskjzyqkshsyvdly.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\zjdxfuqdzofkwehb.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\crqpcwxpqkgqhucblvkji.exe	abmxwcp.exe
File opened for modification	C:\Windows\mjqxsuddmoskjeubtlipwrtcc.nrj	abmxwcp.exe
File created	C:\Windows\mjqxsuddmoskjeubtlipwrtcc.nrj	abmxwcp.exe
File opened for modification	C:\Windows\pbxtdushfwpwkuzvcj.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\tjjjxsunpkhskyhhsdttth.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\pbxtdushfwpwkuzvcj.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\grmhqgdroewcpycxd.exe	vhhorpeefrr.exe
File opened for modification	C:\Windows\ankhskjzyqkshsyvdly.exe	vhhorpeefrr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 44 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ankhskjzyqkshsyvdly.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	grmhqgdroewcpycxd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zjdxfuqdzofkwehb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nbzxjccttmhqgszxgpdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zjdxfuqdzofkwehb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ankhskjzyqkshsyvdly.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pbxtdushfwpwkuzvcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crqpcwxpqkgqhucblvkji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abmxwcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	grmhqgdroewcpycxd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pbxtdushfwpwkuzvcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pbxtdushfwpwkuzvcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crqpcwxpqkgqhucblvkji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zjdxfuqdzofkwehb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vhhorpeefrr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crqpcwxpqkgqhucblvkji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ankhskjzyqkshsyvdly.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zjdxfuqdzofkwehb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nbzxjccttmhqgszxgpdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ankhskjzyqkshsyvdly.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ankhskjzyqkshsyvdly.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_930832249e4efce3d5bfeb3ac4109872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	grmhqgdroewcpycxd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zjdxfuqdzofkwehb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zjdxfuqdzofkwehb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zjdxfuqdzofkwehb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nbzxjccttmhqgszxgpdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zjdxfuqdzofkwehb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nbzxjccttmhqgszxgpdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ankhskjzyqkshsyvdly.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ankhskjzyqkshsyvdly.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zjdxfuqdzofkwehb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ankhskjzyqkshsyvdly.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	grmhqgdroewcpycxd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zjdxfuqdzofkwehb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zjdxfuqdzofkwehb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crqpcwxpqkgqhucblvkji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	grmhqgdroewcpycxd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zjdxfuqdzofkwehb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crqpcwxpqkgqhucblvkji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zjdxfuqdzofkwehb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pbxtdushfwpwkuzvcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ankhskjzyqkshsyvdly.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crqpcwxpqkgqhucblvkji.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
1196	JaffaCakes118_930832249e4efce3d5bfeb3ac4109872.exe
1196	JaffaCakes118_930832249e4efce3d5bfeb3ac4109872.exe
1196	JaffaCakes118_930832249e4efce3d5bfeb3ac4109872.exe
1196	JaffaCakes118_930832249e4efce3d5bfeb3ac4109872.exe
1196	JaffaCakes118_930832249e4efce3d5bfeb3ac4109872.exe
1196	JaffaCakes118_930832249e4efce3d5bfeb3ac4109872.exe
1196	JaffaCakes118_930832249e4efce3d5bfeb3ac4109872.exe
1196	JaffaCakes118_930832249e4efce3d5bfeb3ac4109872.exe
1196	JaffaCakes118_930832249e4efce3d5bfeb3ac4109872.exe
1196	JaffaCakes118_930832249e4efce3d5bfeb3ac4109872.exe
1196	JaffaCakes118_930832249e4efce3d5bfeb3ac4109872.exe
1196	JaffaCakes118_930832249e4efce3d5bfeb3ac4109872.exe
1196	JaffaCakes118_930832249e4efce3d5bfeb3ac4109872.exe
1196	JaffaCakes118_930832249e4efce3d5bfeb3ac4109872.exe
1196	JaffaCakes118_930832249e4efce3d5bfeb3ac4109872.exe
1196	JaffaCakes118_930832249e4efce3d5bfeb3ac4109872.exe
1196	JaffaCakes118_930832249e4efce3d5bfeb3ac4109872.exe
1196	JaffaCakes118_930832249e4efce3d5bfeb3ac4109872.exe
1196	JaffaCakes118_930832249e4efce3d5bfeb3ac4109872.exe
1196	JaffaCakes118_930832249e4efce3d5bfeb3ac4109872.exe
1196	JaffaCakes118_930832249e4efce3d5bfeb3ac4109872.exe
1196	JaffaCakes118_930832249e4efce3d5bfeb3ac4109872.exe
1196	JaffaCakes118_930832249e4efce3d5bfeb3ac4109872.exe
1196	JaffaCakes118_930832249e4efce3d5bfeb3ac4109872.exe
1196	JaffaCakes118_930832249e4efce3d5bfeb3ac4109872.exe
1196	JaffaCakes118_930832249e4efce3d5bfeb3ac4109872.exe
1196	JaffaCakes118_930832249e4efce3d5bfeb3ac4109872.exe
1196	JaffaCakes118_930832249e4efce3d5bfeb3ac4109872.exe
1196	JaffaCakes118_930832249e4efce3d5bfeb3ac4109872.exe
1196	JaffaCakes118_930832249e4efce3d5bfeb3ac4109872.exe
1196	JaffaCakes118_930832249e4efce3d5bfeb3ac4109872.exe
1196	JaffaCakes118_930832249e4efce3d5bfeb3ac4109872.exe
1196	JaffaCakes118_930832249e4efce3d5bfeb3ac4109872.exe
1196	JaffaCakes118_930832249e4efce3d5bfeb3ac4109872.exe
1196	JaffaCakes118_930832249e4efce3d5bfeb3ac4109872.exe
1196	JaffaCakes118_930832249e4efce3d5bfeb3ac4109872.exe
2540	abmxwcp.exe
2540	abmxwcp.exe
1196	JaffaCakes118_930832249e4efce3d5bfeb3ac4109872.exe
1196	JaffaCakes118_930832249e4efce3d5bfeb3ac4109872.exe
1196	JaffaCakes118_930832249e4efce3d5bfeb3ac4109872.exe
1196	JaffaCakes118_930832249e4efce3d5bfeb3ac4109872.exe
1196	JaffaCakes118_930832249e4efce3d5bfeb3ac4109872.exe
1196	JaffaCakes118_930832249e4efce3d5bfeb3ac4109872.exe
1196	JaffaCakes118_930832249e4efce3d5bfeb3ac4109872.exe
1196	JaffaCakes118_930832249e4efce3d5bfeb3ac4109872.exe
1196	JaffaCakes118_930832249e4efce3d5bfeb3ac4109872.exe
1196	JaffaCakes118_930832249e4efce3d5bfeb3ac4109872.exe
1196	JaffaCakes118_930832249e4efce3d5bfeb3ac4109872.exe
1196	JaffaCakes118_930832249e4efce3d5bfeb3ac4109872.exe
1196	JaffaCakes118_930832249e4efce3d5bfeb3ac4109872.exe
1196	JaffaCakes118_930832249e4efce3d5bfeb3ac4109872.exe
1196	JaffaCakes118_930832249e4efce3d5bfeb3ac4109872.exe
1196	JaffaCakes118_930832249e4efce3d5bfeb3ac4109872.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2540	abmxwcp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 4384	1196	JaffaCakes118_930832249e4efce3d5bfeb3ac4109872.exe	93
PID 1196 wrote to memory of 4384	1196	JaffaCakes118_930832249e4efce3d5bfeb3ac4109872.exe	93
PID 1196 wrote to memory of 4384	1196	JaffaCakes118_930832249e4efce3d5bfeb3ac4109872.exe	93
PID 4928 wrote to memory of 2928	4928	cmd.exe	111
PID 4928 wrote to memory of 2928	4928	cmd.exe	111
PID 4928 wrote to memory of 2928	4928	cmd.exe	111
PID 4336 wrote to memory of 4860	4336	cmd.exe	113
PID 4336 wrote to memory of 4860	4336	cmd.exe	113
PID 4336 wrote to memory of 4860	4336	cmd.exe	113
PID 3644 wrote to memory of 3984	3644	cmd.exe	115
PID 3644 wrote to memory of 3984	3644	cmd.exe	115
PID 3644 wrote to memory of 3984	3644	cmd.exe	115
PID 4808 wrote to memory of 4620	4808	cmd.exe	116
PID 4808 wrote to memory of 4620	4808	cmd.exe	116
PID 4808 wrote to memory of 4620	4808	cmd.exe	116
PID 4976 wrote to memory of 416	4976	cmd.exe	117
PID 4976 wrote to memory of 416	4976	cmd.exe	117
PID 4976 wrote to memory of 416	4976	cmd.exe	117
PID 2776 wrote to memory of 5080	2776	cmd.exe	118
PID 2776 wrote to memory of 5080	2776	cmd.exe	118
PID 2776 wrote to memory of 5080	2776	cmd.exe	118
PID 956 wrote to memory of 4368	956	cmd.exe	368
PID 956 wrote to memory of 4368	956	cmd.exe	368
PID 956 wrote to memory of 4368	956	cmd.exe	368
PID 4288 wrote to memory of 4320	4288	cmd.exe	257
PID 4288 wrote to memory of 4320	4288	cmd.exe	257
PID 4288 wrote to memory of 4320	4288	cmd.exe	257
PID 4860 wrote to memory of 344	4860	crqpcwxpqkgqhucblvkji.exe	169
PID 4860 wrote to memory of 344	4860	crqpcwxpqkgqhucblvkji.exe	169
PID 4860 wrote to memory of 344	4860	crqpcwxpqkgqhucblvkji.exe	169
PID 4620 wrote to memory of 5040	4620	zjdxfuqdzofkwehb.exe	481
PID 4620 wrote to memory of 5040	4620	zjdxfuqdzofkwehb.exe	481
PID 4620 wrote to memory of 5040	4620	zjdxfuqdzofkwehb.exe	481
PID 4384 wrote to memory of 2540	4384	vhhorpeefrr.exe	125
PID 4384 wrote to memory of 2540	4384	vhhorpeefrr.exe	125
PID 4384 wrote to memory of 2540	4384	vhhorpeefrr.exe	125
PID 4368 wrote to memory of 3596	4368	ankhskjzyqkshsyvdly.exe	127
PID 4368 wrote to memory of 3596	4368	ankhskjzyqkshsyvdly.exe	127
PID 4368 wrote to memory of 3596	4368	ankhskjzyqkshsyvdly.exe	127
PID 4384 wrote to memory of 4540	4384	vhhorpeefrr.exe	128
PID 4384 wrote to memory of 4540	4384	vhhorpeefrr.exe	128
PID 4384 wrote to memory of 4540	4384	vhhorpeefrr.exe	128
PID 2596 wrote to memory of 3468	2596	cmd.exe	167
PID 2596 wrote to memory of 3468	2596	cmd.exe	167
PID 2596 wrote to memory of 3468	2596	cmd.exe	167
PID 876 wrote to memory of 4348	876	cmd.exe	387
PID 876 wrote to memory of 4348	876	cmd.exe	387
PID 876 wrote to memory of 4348	876	cmd.exe	387
PID 1804 wrote to memory of 344	1804	cmd.exe	169
PID 1804 wrote to memory of 344	1804	cmd.exe	169
PID 1804 wrote to memory of 344	1804	cmd.exe	169
PID 1896 wrote to memory of 3408	1896	cmd.exe	171
PID 1896 wrote to memory of 3408	1896	cmd.exe	171
PID 1896 wrote to memory of 3408	1896	cmd.exe	171
PID 2328 wrote to memory of 3472	2328	cmd.exe	605
PID 2328 wrote to memory of 3472	2328	cmd.exe	605
PID 2328 wrote to memory of 3472	2328	cmd.exe	605
PID 2604 wrote to memory of 4676	2604	cmd.exe	404
PID 2604 wrote to memory of 4676	2604	cmd.exe	404
PID 2604 wrote to memory of 4676	2604	cmd.exe	404
PID 3344 wrote to memory of 1548	3344	cmd.exe	215
PID 3344 wrote to memory of 1548	3344	cmd.exe	215
PID 3344 wrote to memory of 1548	3344	cmd.exe	215
PID 4584 wrote to memory of 3472	4584	cmd.exe	605

System policy modification 1 TTPs 44 IoCs

defense_evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	abmxwcp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	abmxwcp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	abmxwcp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	abmxwcp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abmxwcp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	abmxwcp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	abmxwcp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	abmxwcp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	abmxwcp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abmxwcp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	abmxwcp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vhhorpeefrr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	vhhorpeefrr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	vhhorpeefrr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abmxwcp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	abmxwcp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	abmxwcp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abmxwcp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	abmxwcp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	abmxwcp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	abmxwcp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	abmxwcp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	abmxwcp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	abmxwcp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	abmxwcp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	abmxwcp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vhhorpeefrr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vhhorpeefrr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vhhorpeefrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	abmxwcp.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_930832249e4efce3d5bfeb3ac4109872.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_930832249e4efce3d5bfeb3ac4109872.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
  "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_930832249e4efce3d5bfeb3ac4109872.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4384
- - C:\Users\Admin\AppData\Local\Temp\abmxwcp.exe
    "C:\Users\Admin\AppData\Local\Temp\abmxwcp.exe" "-C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:2540
- - C:\Users\Admin\AppData\Local\Temp\abmxwcp.exe
    "C:\Users\Admin\AppData\Local\Temp\abmxwcp.exe" "-C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zjdxfuqdzofkwehb.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4928
- C:\Windows\zjdxfuqdzofkwehb.exe
  zjdxfuqdzofkwehb.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crqpcwxpqkgqhucblvkji.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:4336
- C:\Windows\crqpcwxpqkgqhucblvkji.exe
  crqpcwxpqkgqhucblvkji.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4860
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\crqpcwxpqkgqhucblvkji.exe*."
    3⤵
    - Executes dropped EXE
    PID:344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c grmhqgdroewcpycxd.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3644
- C:\Windows\grmhqgdroewcpycxd.exe
  grmhqgdroewcpycxd.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ankhskjzyqkshsyvdly.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:956
- C:\Windows\ankhskjzyqkshsyvdly.exe
  ankhskjzyqkshsyvdly.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4368
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\ankhskjzyqkshsyvdly.exe*."
    3⤵
    - Executes dropped EXE
    PID:3596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4976
- C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe
  C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe
  2⤵
  - Executes dropped EXE
  PID:416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
  C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5080
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\nbzxjccttmhqgszxgpdb.exe*."
    3⤵
    - Executes dropped EXE
    PID:3532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4288
- C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe
  C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe
  C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4620
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\zjdxfuqdzofkwehb.exe*."
    3⤵
    - Executes dropped EXE
    PID:5040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nbzxjccttmhqgszxgpdb.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Windows\nbzxjccttmhqgszxgpdb.exe
  nbzxjccttmhqgszxgpdb.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ankhskjzyqkshsyvdly.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:876
- C:\Windows\ankhskjzyqkshsyvdly.exe
  ankhskjzyqkshsyvdly.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4348
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\ankhskjzyqkshsyvdly.exe*."
    3⤵
    - Executes dropped EXE
    PID:4008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c grmhqgdroewcpycxd.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Windows\grmhqgdroewcpycxd.exe
  grmhqgdroewcpycxd.exe
  2⤵
  - Executes dropped EXE
  PID:3468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zjdxfuqdzofkwehb.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Windows\zjdxfuqdzofkwehb.exe
  zjdxfuqdzofkwehb.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:344
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\zjdxfuqdzofkwehb.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
  C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:3344
- C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
  C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1548
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\grmhqgdroewcpycxd.exe*."
    3⤵
    - Executes dropped EXE
    PID:2484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zjdxfuqdzofkwehb.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\zjdxfuqdzofkwehb.exe
  zjdxfuqdzofkwehb.exe
  2⤵
  - Executes dropped EXE
  PID:3472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zjdxfuqdzofkwehb.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:4584
- C:\Windows\zjdxfuqdzofkwehb.exe
  zjdxfuqdzofkwehb.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3472
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\zjdxfuqdzofkwehb.exe*."
    3⤵
    - Executes dropped EXE
    PID:220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pbxtdushfwpwkuzvcj.exe
1⤵
PID:3672
- C:\Windows\pbxtdushfwpwkuzvcj.exe
  pbxtdushfwpwkuzvcj.exe
  2⤵
  - Executes dropped EXE
  PID:1968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crqpcwxpqkgqhucblvkji.exe
1⤵
PID:2908
- C:\Windows\crqpcwxpqkgqhucblvkji.exe
  crqpcwxpqkgqhucblvkji.exe
  2⤵
  - Executes dropped EXE
  PID:1592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zjdxfuqdzofkwehb.exe .
1⤵
PID:2468
- C:\Windows\zjdxfuqdzofkwehb.exe
  zjdxfuqdzofkwehb.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2160
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\zjdxfuqdzofkwehb.exe*."
    3⤵
    - Executes dropped EXE
    PID:2216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pbxtdushfwpwkuzvcj.exe .
1⤵
PID:3732
- C:\Windows\pbxtdushfwpwkuzvcj.exe
  pbxtdushfwpwkuzvcj.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3372
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\pbxtdushfwpwkuzvcj.exe*."
    3⤵
    - Executes dropped EXE
    PID:1516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
1⤵
PID:3532
- C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
  C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
  2⤵
  - Executes dropped EXE
  PID:4408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c grmhqgdroewcpycxd.exe
1⤵
PID:4548
- C:\Windows\grmhqgdroewcpycxd.exe
  grmhqgdroewcpycxd.exe
  2⤵
  - Executes dropped EXE
  PID:4080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe .
1⤵
PID:4280
- C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe
  C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2604
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\pbxtdushfwpwkuzvcj.exe*."
    3⤵
    - Executes dropped EXE
    PID:4940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ankhskjzyqkshsyvdly.exe .
1⤵
PID:5060
- C:\Windows\ankhskjzyqkshsyvdly.exe
  ankhskjzyqkshsyvdly.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2404
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\ankhskjzyqkshsyvdly.exe*."
    3⤵
    PID:3288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
1⤵
PID:2936
- C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
  C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
  2⤵
  - Executes dropped EXE
  PID:2156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe .
1⤵
PID:2092
- C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
  C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1496
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\ankhskjzyqkshsyvdly.exe*."
    3⤵
    - Executes dropped EXE
    PID:3472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
1⤵
PID:3836
- C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
  C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
  2⤵
  - Executes dropped EXE
  PID:3348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe .
1⤵
PID:4452
- C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe
  C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1592
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\zjdxfuqdzofkwehb.exe*."
    3⤵
    - Executes dropped EXE
    PID:2688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
1⤵
PID:3576
- C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
  C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
  2⤵
  - Executes dropped EXE
  PID:3376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe .
1⤵
PID:400
- C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe
  C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2664
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\zjdxfuqdzofkwehb.exe*."
    3⤵
    - Executes dropped EXE
    PID:4692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c grmhqgdroewcpycxd.exe
1⤵
PID:3036
- C:\Windows\grmhqgdroewcpycxd.exe
  grmhqgdroewcpycxd.exe
  2⤵
  - Executes dropped EXE
  PID:4852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nbzxjccttmhqgszxgpdb.exe .
1⤵
PID:4340
- C:\Windows\nbzxjccttmhqgszxgpdb.exe
  nbzxjccttmhqgszxgpdb.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2228
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\nbzxjccttmhqgszxgpdb.exe*."
    3⤵
    - Executes dropped EXE
    PID:2300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ankhskjzyqkshsyvdly.exe
1⤵
PID:4580
- C:\Windows\ankhskjzyqkshsyvdly.exe
  ankhskjzyqkshsyvdly.exe
  2⤵
  PID:3428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crqpcwxpqkgqhucblvkji.exe .
1⤵
PID:3588
- C:\Windows\crqpcwxpqkgqhucblvkji.exe
  crqpcwxpqkgqhucblvkji.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1484
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\crqpcwxpqkgqhucblvkji.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nbzxjccttmhqgszxgpdb.exe
1⤵
PID:3080
- C:\Windows\nbzxjccttmhqgszxgpdb.exe
  nbzxjccttmhqgszxgpdb.exe
  2⤵
  - Executes dropped EXE
  PID:4856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe
1⤵
PID:1040
- C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe
  C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe
  2⤵
  - Executes dropped EXE
  PID:4676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zjdxfuqdzofkwehb.exe
1⤵
PID:1548
- C:\Windows\zjdxfuqdzofkwehb.exe
  zjdxfuqdzofkwehb.exe
  2⤵
  - Executes dropped EXE
  PID:1808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe .
1⤵
PID:1804
- C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
  C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2664
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\ankhskjzyqkshsyvdly.exe*."
    3⤵
    - Executes dropped EXE
    PID:5400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crqpcwxpqkgqhucblvkji.exe .
1⤵
PID:3776
- C:\Windows\crqpcwxpqkgqhucblvkji.exe
  crqpcwxpqkgqhucblvkji.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5176
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\crqpcwxpqkgqhucblvkji.exe*."
    3⤵
    - Executes dropped EXE
    PID:5524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ankhskjzyqkshsyvdly.exe .
1⤵
PID:1244
- C:\Windows\ankhskjzyqkshsyvdly.exe
  ankhskjzyqkshsyvdly.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5684
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\ankhskjzyqkshsyvdly.exe*."
    3⤵
    PID:3912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
1⤵
PID:3616
- C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
  C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
  2⤵
  - Executes dropped EXE
  PID:5376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crqpcwxpqkgqhucblvkji.exe
1⤵
PID:4956
- C:\Windows\crqpcwxpqkgqhucblvkji.exe
  crqpcwxpqkgqhucblvkji.exe
  2⤵
  - Executes dropped EXE
  PID:5360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ankhskjzyqkshsyvdly.exe
1⤵
PID:4564
- C:\Windows\ankhskjzyqkshsyvdly.exe
  ankhskjzyqkshsyvdly.exe
  2⤵
  PID:4044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zjdxfuqdzofkwehb.exe .
1⤵
PID:3896
- C:\Windows\zjdxfuqdzofkwehb.exe
  zjdxfuqdzofkwehb.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5416
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\zjdxfuqdzofkwehb.exe*."
    3⤵
    PID:5848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pbxtdushfwpwkuzvcj.exe .
1⤵
PID:2868
- C:\Windows\pbxtdushfwpwkuzvcj.exe
  pbxtdushfwpwkuzvcj.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5456
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\pbxtdushfwpwkuzvcj.exe*."
    3⤵
    PID:5804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe .
1⤵
PID:2436
- C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe
  C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5384
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\zjdxfuqdzofkwehb.exe*."
    3⤵
    PID:5792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe
1⤵
PID:1760
- C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe
  C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe
  2⤵
  PID:5704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
1⤵
PID:1984
- C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
  C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
  2⤵
  PID:5680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe .
1⤵
PID:1004
- C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
  C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5620
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\nbzxjccttmhqgszxgpdb.exe*."
    3⤵
    PID:6128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe .
1⤵
PID:4880
- C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
  C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5764
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\ankhskjzyqkshsyvdly.exe*."
    3⤵
    PID:6112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe
1⤵
PID:1660
- C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe
  C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe
  2⤵
  PID:5664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
1⤵
PID:324
- C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
  C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
  2⤵
  - Executes dropped EXE
  PID:5516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe .
1⤵
PID:1628
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4320
- C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe
  C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5816
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\zjdxfuqdzofkwehb.exe*."
    3⤵
    PID:5096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe .
1⤵
PID:2280
- C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
  C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5588
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\ankhskjzyqkshsyvdly.exe*."
    3⤵
    PID:5916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crqpcwxpqkgqhucblvkji.exe
1⤵
PID:5444
- C:\Windows\crqpcwxpqkgqhucblvkji.exe
  crqpcwxpqkgqhucblvkji.exe
  2⤵
  PID:4752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crqpcwxpqkgqhucblvkji.exe .
1⤵
PID:5608
- C:\Windows\crqpcwxpqkgqhucblvkji.exe
  crqpcwxpqkgqhucblvkji.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4468
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\crqpcwxpqkgqhucblvkji.exe*."
    3⤵
    PID:3828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ankhskjzyqkshsyvdly.exe
1⤵
PID:5876
- C:\Windows\ankhskjzyqkshsyvdly.exe
  ankhskjzyqkshsyvdly.exe
  2⤵
  PID:5644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zjdxfuqdzofkwehb.exe .
1⤵
PID:5952
- C:\Windows\zjdxfuqdzofkwehb.exe
  zjdxfuqdzofkwehb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1696
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\zjdxfuqdzofkwehb.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe
1⤵
PID:6084
- C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe
  C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe
  2⤵
  PID:3620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe .
1⤵
PID:5044
- C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
  C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1040
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\grmhqgdroewcpycxd.exe*."
    3⤵
    PID:5528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe
1⤵
PID:5292
- C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe
  C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe
  2⤵
  PID:2448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe .
1⤵
PID:1128
- C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
  C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2664
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\ankhskjzyqkshsyvdly.exe*."
    3⤵
    PID:5556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zjdxfuqdzofkwehb.exe
1⤵
PID:3616
- C:\Windows\zjdxfuqdzofkwehb.exe
  zjdxfuqdzofkwehb.exe
  2⤵
  PID:5480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pbxtdushfwpwkuzvcj.exe .
1⤵
PID:5484
- C:\Windows\pbxtdushfwpwkuzvcj.exe
  pbxtdushfwpwkuzvcj.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5780
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\pbxtdushfwpwkuzvcj.exe*."
    3⤵
    PID:5320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zjdxfuqdzofkwehb.exe
1⤵
PID:5212
- C:\Windows\zjdxfuqdzofkwehb.exe
  zjdxfuqdzofkwehb.exe
  2⤵
  PID:5920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c grmhqgdroewcpycxd.exe .
1⤵
PID:5592
- C:\Windows\grmhqgdroewcpycxd.exe
  grmhqgdroewcpycxd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4676
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\grmhqgdroewcpycxd.exe*."
    3⤵
    PID:5840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe
1⤵
PID:5980
- C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe
  C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe
  2⤵
  PID:5784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe .
1⤵
PID:3676
- C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe
  C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5116
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\zjdxfuqdzofkwehb.exe*."
    3⤵
    PID:1760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
1⤵
PID:2416
- C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
  C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
  2⤵
  PID:2436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe .
1⤵
PID:1484
- C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe
  C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5764
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\zjdxfuqdzofkwehb.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crqpcwxpqkgqhucblvkji.exe
1⤵
PID:2344
- C:\Windows\crqpcwxpqkgqhucblvkji.exe
  crqpcwxpqkgqhucblvkji.exe
  2⤵
  PID:748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crqpcwxpqkgqhucblvkji.exe .
1⤵
PID:3080
- C:\Windows\crqpcwxpqkgqhucblvkji.exe
  crqpcwxpqkgqhucblvkji.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2328
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\crqpcwxpqkgqhucblvkji.exe*."
    3⤵
    PID:5488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nbzxjccttmhqgszxgpdb.exe
1⤵
PID:5560
- C:\Windows\nbzxjccttmhqgszxgpdb.exe
  nbzxjccttmhqgszxgpdb.exe
  2⤵
  PID:4848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nbzxjccttmhqgszxgpdb.exe .
1⤵
PID:3588
- C:\Windows\nbzxjccttmhqgszxgpdb.exe
  nbzxjccttmhqgszxgpdb.exe .
  2⤵
  PID:3488
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\nbzxjccttmhqgszxgpdb.exe*."
    3⤵
    PID:5316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
1⤵
PID:4600
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4376
- C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
  C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
  2⤵
  PID:5168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe .
1⤵
PID:5968
- C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
  C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe .
  2⤵
  PID:1644
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\grmhqgdroewcpycxd.exe*."
    3⤵
    PID:5956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
1⤵
PID:4268
- C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
  C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
  2⤵
  PID:5976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe .
1⤵
PID:4368
- C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe
  C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe .
  2⤵
  PID:4216
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\pbxtdushfwpwkuzvcj.exe*."
    3⤵
    PID:5436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zjdxfuqdzofkwehb.exe
1⤵
PID:4492
- C:\Windows\zjdxfuqdzofkwehb.exe
  zjdxfuqdzofkwehb.exe
  2⤵
  PID:5888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zjdxfuqdzofkwehb.exe .
1⤵
PID:5824
- C:\Windows\zjdxfuqdzofkwehb.exe
  zjdxfuqdzofkwehb.exe .
  2⤵
  PID:3908
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\zjdxfuqdzofkwehb.exe*."
    3⤵
    PID:2228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zjdxfuqdzofkwehb.exe
1⤵
PID:3912
- C:\Windows\zjdxfuqdzofkwehb.exe
  zjdxfuqdzofkwehb.exe
  2⤵
  PID:4288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ankhskjzyqkshsyvdly.exe .
1⤵
PID:4528
- C:\Windows\ankhskjzyqkshsyvdly.exe
  ankhskjzyqkshsyvdly.exe .
  2⤵
  PID:1724
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\ankhskjzyqkshsyvdly.exe*."
    3⤵
    PID:5428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
1⤵
PID:3996
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4348
- C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
  C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
  2⤵
  PID:5460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe .
1⤵
PID:5440
- C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
  C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe .
  2⤵
  PID:5456
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\grmhqgdroewcpycxd.exe*."
    3⤵
    PID:4856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
1⤵
PID:5884
- C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
  C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
  2⤵
  PID:5212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe .
1⤵
PID:4112
- C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
  C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe .
  2⤵
  PID:5648
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\nbzxjccttmhqgszxgpdb.exe*."
    3⤵
    PID:4464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pbxtdushfwpwkuzvcj.exe
1⤵
PID:5128
- C:\Windows\pbxtdushfwpwkuzvcj.exe
  pbxtdushfwpwkuzvcj.exe
  2⤵
  PID:4364

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:4676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pbxtdushfwpwkuzvcj.exe .
1⤵
PID:5928
- C:\Windows\pbxtdushfwpwkuzvcj.exe
  pbxtdushfwpwkuzvcj.exe .
  2⤵
  PID:5152
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\pbxtdushfwpwkuzvcj.exe*."
    3⤵
    PID:4908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c grmhqgdroewcpycxd.exe
1⤵
PID:2436
- C:\Windows\grmhqgdroewcpycxd.exe
  grmhqgdroewcpycxd.exe
  2⤵
  PID:1428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ankhskjzyqkshsyvdly.exe .
1⤵
PID:5404
- C:\Windows\ankhskjzyqkshsyvdly.exe
  ankhskjzyqkshsyvdly.exe .
  2⤵
  PID:6108
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\ankhskjzyqkshsyvdly.exe*."
    3⤵
    PID:4144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
1⤵
PID:2868
- C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
  C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
  2⤵
  PID:5632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe .
1⤵
PID:4876
- C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
  C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe .
  2⤵
  PID:2980
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\grmhqgdroewcpycxd.exe*."
    3⤵
    PID:5560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
1⤵
PID:4280
- C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
  C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
  2⤵
  PID:5536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe .
1⤵
PID:5348
- C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe
  C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe .
  2⤵
  PID:5432
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\zjdxfuqdzofkwehb.exe*."
    3⤵
    PID:4600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pbxtdushfwpwkuzvcj.exe
1⤵
PID:3828
- C:\Windows\pbxtdushfwpwkuzvcj.exe
  pbxtdushfwpwkuzvcj.exe
  2⤵
  PID:1896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ankhskjzyqkshsyvdly.exe
1⤵
PID:3496
- C:\Windows\ankhskjzyqkshsyvdly.exe
  ankhskjzyqkshsyvdly.exe
  2⤵
  PID:884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c grmhqgdroewcpycxd.exe .
1⤵
PID:5772
- C:\Windows\grmhqgdroewcpycxd.exe
  grmhqgdroewcpycxd.exe .
  2⤵
  PID:4528
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\grmhqgdroewcpycxd.exe*."
    3⤵
    PID:5624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c grmhqgdroewcpycxd.exe
1⤵
PID:5612
- C:\Windows\grmhqgdroewcpycxd.exe
  grmhqgdroewcpycxd.exe
  2⤵
  PID:4800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ankhskjzyqkshsyvdly.exe .
1⤵
PID:5180
- C:\Windows\ankhskjzyqkshsyvdly.exe
  ankhskjzyqkshsyvdly.exe .
  2⤵
  PID:5656
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\ankhskjzyqkshsyvdly.exe*."
    3⤵
    PID:5984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crqpcwxpqkgqhucblvkji.exe .
1⤵
PID:1128
- C:\Windows\crqpcwxpqkgqhucblvkji.exe
  crqpcwxpqkgqhucblvkji.exe .
  2⤵
  PID:1412
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\crqpcwxpqkgqhucblvkji.exe*."
    3⤵
    PID:1516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pbxtdushfwpwkuzvcj.exe
1⤵
PID:5668
- C:\Windows\pbxtdushfwpwkuzvcj.exe
  pbxtdushfwpwkuzvcj.exe
  2⤵
  PID:1660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nbzxjccttmhqgszxgpdb.exe
1⤵
PID:5888
- C:\Windows\nbzxjccttmhqgszxgpdb.exe
  nbzxjccttmhqgszxgpdb.exe
  2⤵
  PID:5224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nbzxjccttmhqgszxgpdb.exe .
1⤵
PID:4808
- C:\Windows\nbzxjccttmhqgszxgpdb.exe
  nbzxjccttmhqgszxgpdb.exe .
  2⤵
  PID:736
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\nbzxjccttmhqgszxgpdb.exe*."
    3⤵
    PID:1956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c grmhqgdroewcpycxd.exe
1⤵
PID:2228
- C:\Windows\grmhqgdroewcpycxd.exe
  grmhqgdroewcpycxd.exe
  2⤵
  PID:3432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c grmhqgdroewcpycxd.exe .
1⤵
PID:2852
- C:\Windows\grmhqgdroewcpycxd.exe
  grmhqgdroewcpycxd.exe .
  2⤵
  PID:3420
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\grmhqgdroewcpycxd.exe*."
    3⤵
    PID:5732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
1⤵
PID:4240
- C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
  C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
  2⤵
  PID:4760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe .
1⤵
PID:5568
- C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe
  C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe .
  2⤵
  PID:3620
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\pbxtdushfwpwkuzvcj.exe*."
    3⤵
    PID:5176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe
1⤵
PID:632
- C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe
  C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe
  2⤵
  PID:1008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ankhskjzyqkshsyvdly.exe .
1⤵
PID:4628
- C:\Windows\ankhskjzyqkshsyvdly.exe
  ankhskjzyqkshsyvdly.exe .
  2⤵
  PID:3020
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\ankhskjzyqkshsyvdly.exe*."
    3⤵
    PID:5608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
1⤵
PID:3584
- C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
  C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
  2⤵
  PID:5764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe .
1⤵
PID:2428
- C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe
  C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe .
  2⤵
  PID:4596
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\pbxtdushfwpwkuzvcj.exe*."
    3⤵
    PID:5316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe .
1⤵
PID:5892
- C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe
  C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe .
  2⤵
  PID:1628
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\pbxtdushfwpwkuzvcj.exe*."
    3⤵
    PID:4236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe
1⤵
PID:5516
- C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe
  C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe
  2⤵
  PID:2936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe .
1⤵
PID:5736
- C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
  C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe .
  2⤵
  PID:5532
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\grmhqgdroewcpycxd.exe*."
    3⤵
    PID:4220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe
1⤵
PID:2156
- C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe
  C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe
  2⤵
  PID:400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe .
1⤵
PID:5040
- C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe
  C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe .
  2⤵
  PID:5528
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\pbxtdushfwpwkuzvcj.exe*."
    3⤵
    PID:5224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
1⤵
PID:4548
- C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
  C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
  2⤵
  PID:3076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe .
1⤵
PID:1484
- C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
  C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe .
  2⤵
  PID:4332
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\ankhskjzyqkshsyvdly.exe*."
    3⤵
    PID:1960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nbzxjccttmhqgszxgpdb.exe
1⤵
PID:4064
- C:\Windows\nbzxjccttmhqgszxgpdb.exe
  nbzxjccttmhqgszxgpdb.exe
  2⤵
  PID:2160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zjdxfuqdzofkwehb.exe .
1⤵
PID:6096
- C:\Windows\zjdxfuqdzofkwehb.exe
  zjdxfuqdzofkwehb.exe .
  2⤵
  PID:3676
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\zjdxfuqdzofkwehb.exe*."
    3⤵
    PID:5664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c grmhqgdroewcpycxd.exe
1⤵
PID:5276
- C:\Windows\grmhqgdroewcpycxd.exe
  grmhqgdroewcpycxd.exe
  2⤵
  PID:5896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ankhskjzyqkshsyvdly.exe .
1⤵
PID:3476
- C:\Windows\ankhskjzyqkshsyvdly.exe
  ankhskjzyqkshsyvdly.exe .
  2⤵
  PID:6076
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\ankhskjzyqkshsyvdly.exe*."
    3⤵
    PID:5324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe
1⤵
PID:5372
- C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe
  C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe
  2⤵
  PID:4120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe .
1⤵
PID:6100
- C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe
  C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe .
  2⤵
  PID:4368
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\zjdxfuqdzofkwehb.exe*."
    3⤵
    PID:5728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe
1⤵
PID:3988
- C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe
  C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe
  2⤵
  PID:3460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe .
1⤵
PID:4872
- C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
  C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe .
  2⤵
  PID:5376
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\grmhqgdroewcpycxd.exe*."
    3⤵
    PID:4632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pbxtdushfwpwkuzvcj.exe
1⤵
PID:5704
- C:\Windows\pbxtdushfwpwkuzvcj.exe
  pbxtdushfwpwkuzvcj.exe
  2⤵
  PID:5608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crqpcwxpqkgqhucblvkji.exe .
1⤵
PID:736
- C:\Windows\crqpcwxpqkgqhucblvkji.exe
  crqpcwxpqkgqhucblvkji.exe .
  2⤵
  PID:5340
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\crqpcwxpqkgqhucblvkji.exe*."
    3⤵
    PID:5852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nbzxjccttmhqgszxgpdb.exe
1⤵
PID:3076
- C:\Windows\nbzxjccttmhqgszxgpdb.exe
  nbzxjccttmhqgszxgpdb.exe
  2⤵
  PID:4856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ankhskjzyqkshsyvdly.exe .
1⤵
PID:1244
- C:\Windows\ankhskjzyqkshsyvdly.exe
  ankhskjzyqkshsyvdly.exe .
  2⤵
  PID:5176
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\ankhskjzyqkshsyvdly.exe*."
    3⤵
    PID:5504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe
1⤵
PID:1480
- C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe
  C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe
  2⤵
  PID:5552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe .
1⤵
PID:5952
- C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe
  C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe .
  2⤵
  PID:6044
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\crqpcwxpqkgqhucblvkji.exe*."
    3⤵
    PID:884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
1⤵
PID:5712
- C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
  C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
  2⤵
  PID:3120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe .
1⤵
PID:2148
- C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
  C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe .
  2⤵
  PID:1960
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\nbzxjccttmhqgszxgpdb.exe*."
    3⤵
    PID:5152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c grmhqgdroewcpycxd.exe
1⤵
PID:2688
- C:\Windows\grmhqgdroewcpycxd.exe
  grmhqgdroewcpycxd.exe
  2⤵
  PID:5156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zjdxfuqdzofkwehb.exe .
1⤵
PID:6136
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5620
- C:\Windows\zjdxfuqdzofkwehb.exe
  zjdxfuqdzofkwehb.exe .
  2⤵
  PID:1660
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\zjdxfuqdzofkwehb.exe*."
    3⤵
    PID:5184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ankhskjzyqkshsyvdly.exe
1⤵
PID:2792
- C:\Windows\ankhskjzyqkshsyvdly.exe
  ankhskjzyqkshsyvdly.exe
  2⤵
  PID:4800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nbzxjccttmhqgszxgpdb.exe .
1⤵
PID:1076
- C:\Windows\nbzxjccttmhqgszxgpdb.exe
  nbzxjccttmhqgszxgpdb.exe .
  2⤵
  PID:536
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\nbzxjccttmhqgszxgpdb.exe*."
    3⤵
    PID:4564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
1⤵
PID:3192
- C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
  C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
  2⤵
  PID:1740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe .
1⤵
PID:1708
- C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
  C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe .
  2⤵
  PID:3380
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\grmhqgdroewcpycxd.exe*."
    3⤵
    PID:2936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
1⤵
PID:6140
- C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
  C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
  2⤵
  PID:1444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe .
1⤵
PID:6096
- C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
  C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe .
  2⤵
  PID:4528
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\nbzxjccttmhqgszxgpdb.exe*."
    3⤵
    PID:3824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zjdxfuqdzofkwehb.exe
1⤵
PID:5336
- C:\Windows\zjdxfuqdzofkwehb.exe
  zjdxfuqdzofkwehb.exe
  2⤵
  PID:5192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nbzxjccttmhqgszxgpdb.exe .
1⤵
PID:1916
- C:\Windows\nbzxjccttmhqgszxgpdb.exe
  nbzxjccttmhqgszxgpdb.exe .
  2⤵
  PID:2228
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\nbzxjccttmhqgszxgpdb.exe*."
    3⤵
    PID:3144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nbzxjccttmhqgszxgpdb.exe
1⤵
PID:3472
- C:\Windows\nbzxjccttmhqgszxgpdb.exe
  nbzxjccttmhqgszxgpdb.exe
  2⤵
  PID:5852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ankhskjzyqkshsyvdly.exe .
1⤵
PID:4876
- C:\Windows\ankhskjzyqkshsyvdly.exe
  ankhskjzyqkshsyvdly.exe .
  2⤵
  PID:5960
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\ankhskjzyqkshsyvdly.exe*."
    3⤵
    PID:5504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
1⤵
PID:5188
- C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
  C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
  2⤵
  PID:1964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe .
1⤵
PID:5016
- C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
  C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe .
  2⤵
  PID:400
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\nbzxjccttmhqgszxgpdb.exe*."
    3⤵
    PID:4952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
1⤵
PID:5320
- C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
  C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
  2⤵
  PID:3208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe .
1⤵
PID:4596
- C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe
  C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe .
  2⤵
  PID:5132
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\pbxtdushfwpwkuzvcj.exe*."
    3⤵
    PID:5300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c grmhqgdroewcpycxd.exe
1⤵
PID:1292
- C:\Windows\grmhqgdroewcpycxd.exe
  grmhqgdroewcpycxd.exe
  2⤵
  PID:2356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zjdxfuqdzofkwehb.exe .
1⤵
PID:5088
- C:\Windows\zjdxfuqdzofkwehb.exe
  zjdxfuqdzofkwehb.exe .
  2⤵
  PID:5532
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\zjdxfuqdzofkwehb.exe*."
    3⤵
    PID:5136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nbzxjccttmhqgszxgpdb.exe
1⤵
PID:5864
- C:\Windows\nbzxjccttmhqgszxgpdb.exe
  nbzxjccttmhqgszxgpdb.exe
  2⤵
  PID:5008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crqpcwxpqkgqhucblvkji.exe .
1⤵
PID:3288
- C:\Windows\crqpcwxpqkgqhucblvkji.exe
  crqpcwxpqkgqhucblvkji.exe .
  2⤵
  PID:6124
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\crqpcwxpqkgqhucblvkji.exe*."
    3⤵
    PID:1160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe
1⤵
PID:4672
- C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe
  C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe
  2⤵
  PID:6012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe .
1⤵
PID:5540
- C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
  C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe .
  2⤵
  PID:4600
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\ankhskjzyqkshsyvdly.exe*."
    3⤵
    PID:5372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe
1⤵
PID:3860
- C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe
  C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe
  2⤵
  PID:3500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe .
1⤵
PID:5356
- C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
  C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe .
  2⤵
  PID:1496
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\ankhskjzyqkshsyvdly.exe*."
    3⤵
    PID:5580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ankhskjzyqkshsyvdly.exe
1⤵
PID:1644
- C:\Windows\ankhskjzyqkshsyvdly.exe
  ankhskjzyqkshsyvdly.exe
  2⤵
  PID:1108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nbzxjccttmhqgszxgpdb.exe .
1⤵
PID:6064
- C:\Windows\nbzxjccttmhqgszxgpdb.exe
  nbzxjccttmhqgszxgpdb.exe .
  2⤵
  PID:5052
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\nbzxjccttmhqgszxgpdb.exe*."
    3⤵
    PID:5908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ankhskjzyqkshsyvdly.exe
1⤵
PID:6112
- C:\Windows\ankhskjzyqkshsyvdly.exe
  ankhskjzyqkshsyvdly.exe
  2⤵
  PID:3144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nbzxjccttmhqgszxgpdb.exe
1⤵
PID:2928
- C:\Windows\nbzxjccttmhqgszxgpdb.exe
  nbzxjccttmhqgszxgpdb.exe
  2⤵
  PID:3176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ankhskjzyqkshsyvdly.exe .
1⤵
PID:4464
- C:\Windows\ankhskjzyqkshsyvdly.exe
  ankhskjzyqkshsyvdly.exe .
  2⤵
  PID:728
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\ankhskjzyqkshsyvdly.exe*."
    3⤵
    PID:468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe
1⤵
PID:4320
- C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe
  C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe
  2⤵
  PID:5920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ankhskjzyqkshsyvdly.exe .
1⤵
PID:4780
- C:\Windows\ankhskjzyqkshsyvdly.exe
  ankhskjzyqkshsyvdly.exe .
  2⤵
  PID:5320
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\ankhskjzyqkshsyvdly.exe*."
    3⤵
    PID:4028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ankhskjzyqkshsyvdly.exe
1⤵
PID:5932
- C:\Windows\ankhskjzyqkshsyvdly.exe
  ankhskjzyqkshsyvdly.exe
  2⤵
  PID:4080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe .
1⤵
PID:5460
- C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
  C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe .
  2⤵
  PID:1156
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\ankhskjzyqkshsyvdly.exe*."
    3⤵
    PID:1808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pbxtdushfwpwkuzvcj.exe
1⤵
PID:4876
- C:\Windows\pbxtdushfwpwkuzvcj.exe
  pbxtdushfwpwkuzvcj.exe
  2⤵
  PID:6040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crqpcwxpqkgqhucblvkji.exe .
1⤵
PID:3988
- C:\Windows\crqpcwxpqkgqhucblvkji.exe
  crqpcwxpqkgqhucblvkji.exe .
  2⤵
  PID:1760
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\crqpcwxpqkgqhucblvkji.exe*."
    3⤵
    PID:1328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ankhskjzyqkshsyvdly.exe .
1⤵
PID:4212
- C:\Windows\ankhskjzyqkshsyvdly.exe
  ankhskjzyqkshsyvdly.exe .
  2⤵
  PID:5352
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\ankhskjzyqkshsyvdly.exe*."
    3⤵
    PID:3676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
1⤵
PID:5176
- C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
  C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
  2⤵
  PID:3940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
1⤵
PID:5016
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5516
- C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
  C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
  2⤵
  PID:5260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pbxtdushfwpwkuzvcj.exe
1⤵
PID:5300
- C:\Windows\pbxtdushfwpwkuzvcj.exe
  pbxtdushfwpwkuzvcj.exe
  2⤵
  PID:5164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe .
1⤵
PID:3488
- C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe
  C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe .
  2⤵
  PID:5056
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\crqpcwxpqkgqhucblvkji.exe*."
    3⤵
    PID:5304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe .
1⤵
PID:4596
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5680
- C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe
  C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe .
  2⤵
  PID:5616
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\crqpcwxpqkgqhucblvkji.exe*."
    3⤵
    PID:4528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ankhskjzyqkshsyvdly.exe .
1⤵
PID:5124
- C:\Windows\ankhskjzyqkshsyvdly.exe
  ankhskjzyqkshsyvdly.exe .
  2⤵
  PID:6088
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\ankhskjzyqkshsyvdly.exe*."
    3⤵
    PID:1296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
1⤵
PID:5684
- C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
  C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
  2⤵
  PID:312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe .
1⤵
PID:4004
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:844
- C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
  C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe .
  2⤵
  PID:5944
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\ankhskjzyqkshsyvdly.exe*."
    3⤵
    PID:4960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
1⤵
PID:2160
- C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
  C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
  2⤵
  PID:884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe .
1⤵
PID:1660
- C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe
  C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe .
  2⤵
  PID:5296
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\zjdxfuqdzofkwehb.exe*."
    3⤵
    PID:5368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
1⤵
PID:3624
- C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
  C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
  2⤵
  PID:5360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe .
1⤵
PID:2908
- C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
  C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe .
  2⤵
  PID:3980
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\ankhskjzyqkshsyvdly.exe*."
    3⤵
    PID:5284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crqpcwxpqkgqhucblvkji.exe
1⤵
PID:5868
- C:\Windows\crqpcwxpqkgqhucblvkji.exe
  crqpcwxpqkgqhucblvkji.exe
  2⤵
  PID:1848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zjdxfuqdzofkwehb.exe .
1⤵
PID:3712
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2228
- C:\Windows\zjdxfuqdzofkwehb.exe
  zjdxfuqdzofkwehb.exe .
  2⤵
  PID:4928
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\zjdxfuqdzofkwehb.exe*."
    3⤵
    PID:5952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crqpcwxpqkgqhucblvkji.exe
1⤵
PID:1128
- C:\Windows\crqpcwxpqkgqhucblvkji.exe
  crqpcwxpqkgqhucblvkji.exe
  2⤵
  PID:6064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c grmhqgdroewcpycxd.exe .
1⤵
PID:5432
- C:\Windows\grmhqgdroewcpycxd.exe
  grmhqgdroewcpycxd.exe .
  2⤵
  PID:5044
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\grmhqgdroewcpycxd.exe*."
    3⤵
    PID:4464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe
1⤵
PID:2256
- C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe
  C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe
  2⤵
  PID:3372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe .
1⤵
PID:5632
- C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
  C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe .
  2⤵
  PID:1832
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\ankhskjzyqkshsyvdly.exe*."
    3⤵
    PID:5212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe
1⤵
PID:4320
- C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe
  C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe
  2⤵
  PID:5436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe .
1⤵
PID:1156
- C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
  C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe .
  2⤵
  PID:5184
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\ankhskjzyqkshsyvdly.exe*."
    3⤵
    PID:5984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pbxtdushfwpwkuzvcj.exe
1⤵
PID:5784
- C:\Windows\pbxtdushfwpwkuzvcj.exe
  pbxtdushfwpwkuzvcj.exe
  2⤵
  PID:2084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crqpcwxpqkgqhucblvkji.exe .
1⤵
PID:1076
- C:\Windows\crqpcwxpqkgqhucblvkji.exe
  crqpcwxpqkgqhucblvkji.exe .
  2⤵
  PID:2628
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\crqpcwxpqkgqhucblvkji.exe*."
    3⤵
    PID:3208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c grmhqgdroewcpycxd.exe
1⤵
PID:2104
- C:\Windows\grmhqgdroewcpycxd.exe
  grmhqgdroewcpycxd.exe
  2⤵
  PID:4880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nbzxjccttmhqgszxgpdb.exe .
1⤵
PID:312
- C:\Windows\nbzxjccttmhqgszxgpdb.exe
  nbzxjccttmhqgszxgpdb.exe .
  2⤵
  PID:652
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\nbzxjccttmhqgszxgpdb.exe*."
    3⤵
    PID:5808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
1⤵
PID:876
- C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
  C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
  2⤵
  PID:3576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe .
1⤵
PID:3764
- C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe
  C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe .
  2⤵
  PID:2484
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\pbxtdushfwpwkuzvcj.exe*."
    3⤵
    PID:3120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe
1⤵
PID:5176
- C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe
  C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe
  2⤵
  PID:1580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe .
1⤵
PID:5480
- C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe
  C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe .
  2⤵
  PID:5416
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\zjdxfuqdzofkwehb.exe*."
    3⤵
    PID:5596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zjdxfuqdzofkwehb.exe
1⤵
PID:4792
- C:\Windows\zjdxfuqdzofkwehb.exe
  zjdxfuqdzofkwehb.exe
  2⤵
  PID:4908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ankhskjzyqkshsyvdly.exe .
1⤵
PID:4368
- C:\Windows\ankhskjzyqkshsyvdly.exe
  ankhskjzyqkshsyvdly.exe .
  2⤵
  PID:5116
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\ankhskjzyqkshsyvdly.exe*."
    3⤵
    PID:2688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pbxtdushfwpwkuzvcj.exe
1⤵
PID:3780
- C:\Windows\pbxtdushfwpwkuzvcj.exe
  pbxtdushfwpwkuzvcj.exe
  2⤵
  PID:4004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pbxtdushfwpwkuzvcj.exe .
1⤵
PID:4280
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1968
- C:\Windows\pbxtdushfwpwkuzvcj.exe
  pbxtdushfwpwkuzvcj.exe .
  2⤵
  PID:5764
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\pbxtdushfwpwkuzvcj.exe*."
    3⤵
    PID:5448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
1⤵
PID:5028
- C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
  C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
  2⤵
  PID:5340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe .
1⤵
PID:5472
- C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe
  C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe .
  2⤵
  PID:956
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\zjdxfuqdzofkwehb.exe*."
    3⤵
    PID:2928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
1⤵
PID:1080
- C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
  C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
  2⤵
  PID:5648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe .
1⤵
PID:4628
- C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
  C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe .
  2⤵
  PID:5044
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\ankhskjzyqkshsyvdly.exe*."
    3⤵
    PID:3712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c grmhqgdroewcpycxd.exe
1⤵
PID:2436
- C:\Windows\grmhqgdroewcpycxd.exe
  grmhqgdroewcpycxd.exe
  2⤵
  PID:5940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nbzxjccttmhqgszxgpdb.exe .
1⤵
PID:5060
- C:\Windows\nbzxjccttmhqgszxgpdb.exe
  nbzxjccttmhqgszxgpdb.exe .
  2⤵
  PID:772
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\nbzxjccttmhqgszxgpdb.exe*."
    3⤵
    PID:5592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c grmhqgdroewcpycxd.exe
1⤵
PID:4688
- C:\Windows\grmhqgdroewcpycxd.exe
  grmhqgdroewcpycxd.exe
  2⤵
  PID:1740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pbxtdushfwpwkuzvcj.exe .
1⤵
PID:2344
- C:\Windows\pbxtdushfwpwkuzvcj.exe
  pbxtdushfwpwkuzvcj.exe .
  2⤵
  PID:536
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\pbxtdushfwpwkuzvcj.exe*."
    3⤵
    PID:4336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe
1⤵
PID:1984
- C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe
  C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe
  2⤵
  PID:1328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe .
1⤵
PID:3524
- C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe
  C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe .
  2⤵
  PID:5840
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\pbxtdushfwpwkuzvcj.exe*."
    3⤵
    PID:4604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
1⤵
PID:1248
- C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
  C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
  2⤵
  PID:4116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe .
1⤵
PID:5796
- C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe
  C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe .
  2⤵
  PID:3988
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\zjdxfuqdzofkwehb.exe*."
    3⤵
    PID:3916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ankhskjzyqkshsyvdly.exe
1⤵
PID:4876
- C:\Windows\ankhskjzyqkshsyvdly.exe
  ankhskjzyqkshsyvdly.exe
  2⤵
  PID:1644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zjdxfuqdzofkwehb.exe .
1⤵
PID:4800
- C:\Windows\zjdxfuqdzofkwehb.exe
  zjdxfuqdzofkwehb.exe .
  2⤵
  PID:2160
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\zjdxfuqdzofkwehb.exe*."
    3⤵
    PID:5176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ankhskjzyqkshsyvdly.exe
1⤵
PID:4692
- C:\Windows\ankhskjzyqkshsyvdly.exe
  ankhskjzyqkshsyvdly.exe
  2⤵
  PID:812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zjdxfuqdzofkwehb.exe .
1⤵
PID:5644
- C:\Windows\zjdxfuqdzofkwehb.exe
  zjdxfuqdzofkwehb.exe .
  2⤵
  PID:6008
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\zjdxfuqdzofkwehb.exe*."
    3⤵
    PID:1296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
1⤵
PID:6140
- C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
  C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
  2⤵
  PID:1636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe .
1⤵
PID:1036
- C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe
  C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe .
  2⤵
  PID:4960
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\zjdxfuqdzofkwehb.exe*."
    3⤵
    PID:1860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe
1⤵
PID:2208
- C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe
  C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe
  2⤵
  PID:5348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe .
1⤵
PID:1960
- C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe
  C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe .
  2⤵
  PID:5584
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\crqpcwxpqkgqhucblvkji.exe*."
    3⤵
    PID:5136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pbxtdushfwpwkuzvcj.exe
1⤵
PID:6112
- C:\Windows\pbxtdushfwpwkuzvcj.exe
  pbxtdushfwpwkuzvcj.exe
  2⤵
  PID:5764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ankhskjzyqkshsyvdly.exe .
1⤵
PID:5656
- C:\Windows\ankhskjzyqkshsyvdly.exe
  ankhskjzyqkshsyvdly.exe .
  2⤵
  PID:3796
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\ankhskjzyqkshsyvdly.exe*."
    3⤵
    PID:3076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pbxtdushfwpwkuzvcj.exe
1⤵
PID:3268
- C:\Windows\pbxtdushfwpwkuzvcj.exe
  pbxtdushfwpwkuzvcj.exe
  2⤵
  PID:5388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ankhskjzyqkshsyvdly.exe
1⤵
PID:1592
- C:\Windows\ankhskjzyqkshsyvdly.exe
  ankhskjzyqkshsyvdly.exe
  2⤵
  PID:2760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pbxtdushfwpwkuzvcj.exe .
1⤵
PID:3404
- C:\Windows\pbxtdushfwpwkuzvcj.exe
  pbxtdushfwpwkuzvcj.exe .
  2⤵
  PID:2472
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\pbxtdushfwpwkuzvcj.exe*."
    3⤵
    PID:748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe
1⤵
PID:5452
- C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe
  C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe
  2⤵
  PID:1872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zjdxfuqdzofkwehb.exe .
1⤵
PID:3584
- C:\Windows\zjdxfuqdzofkwehb.exe
  zjdxfuqdzofkwehb.exe .
  2⤵
  PID:6016
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\zjdxfuqdzofkwehb.exe*."
    3⤵
    PID:5084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe .
1⤵
PID:4568
- C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
  C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe .
  2⤵
  PID:2328
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\nbzxjccttmhqgszxgpdb.exe*."
    3⤵
    PID:4604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c grmhqgdroewcpycxd.exe
1⤵
PID:228
- C:\Windows\grmhqgdroewcpycxd.exe
  grmhqgdroewcpycxd.exe
  2⤵
  PID:5784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crqpcwxpqkgqhucblvkji.exe
1⤵
PID:2788
- C:\Windows\crqpcwxpqkgqhucblvkji.exe
  crqpcwxpqkgqhucblvkji.exe
  2⤵
  PID:460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zjdxfuqdzofkwehb.exe .
1⤵
PID:1168
- C:\Windows\zjdxfuqdzofkwehb.exe
  zjdxfuqdzofkwehb.exe .
  2⤵
  PID:6004
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\zjdxfuqdzofkwehb.exe*."
    3⤵
    PID:4800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
1⤵
PID:1808
- C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
  C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
  2⤵
  PID:5080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nbzxjccttmhqgszxgpdb.exe .
1⤵
PID:4672
- C:\Windows\nbzxjccttmhqgszxgpdb.exe
  nbzxjccttmhqgszxgpdb.exe .
  2⤵
  PID:4876
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\nbzxjccttmhqgszxgpdb.exe*."
    3⤵
    PID:6044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe
1⤵
PID:4844
- C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe
  C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe
  2⤵
  PID:5292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe .
1⤵
PID:972
- C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
  C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe .
  2⤵
  PID:1908
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\nbzxjccttmhqgszxgpdb.exe*."
    3⤵
    PID:5584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe .
1⤵
PID:3824
- C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
  C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe .
  2⤵
  PID:5712
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\nbzxjccttmhqgszxgpdb.exe*."
    3⤵
    PID:3176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c grmhqgdroewcpycxd.exe
1⤵
PID:5636
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5792
- C:\Windows\grmhqgdroewcpycxd.exe
  grmhqgdroewcpycxd.exe
  2⤵
  PID:1032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zjdxfuqdzofkwehb.exe .
1⤵
PID:5440
- C:\Windows\zjdxfuqdzofkwehb.exe
  zjdxfuqdzofkwehb.exe .
  2⤵
  PID:3620
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\zjdxfuqdzofkwehb.exe*."
    3⤵
    PID:6100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
1⤵
PID:1144
- C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
  C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
  2⤵
  PID:6032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe
1⤵
PID:4432
- C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe
  C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe
  2⤵
  PID:5268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe .
1⤵
PID:3876
- C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe
  C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe .
  2⤵
  PID:6140
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\zjdxfuqdzofkwehb.exe*."
    3⤵
    PID:5296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe .
1⤵
PID:872
- C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe
  C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe .
  2⤵
  PID:5872
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\crqpcwxpqkgqhucblvkji.exe*."
    3⤵
    PID:4936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
1⤵
PID:3648
- C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
  C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
  2⤵
  PID:1008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe .
1⤵
PID:2156
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5816
- C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
  C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe .
  2⤵
  PID:2776
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\grmhqgdroewcpycxd.exe*."
    3⤵
    PID:844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ankhskjzyqkshsyvdly.exe
1⤵
PID:5256
- C:\Windows\ankhskjzyqkshsyvdly.exe
  ankhskjzyqkshsyvdly.exe
  2⤵
  PID:3780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zjdxfuqdzofkwehb.exe .
1⤵
PID:5824
- C:\Windows\zjdxfuqdzofkwehb.exe
  zjdxfuqdzofkwehb.exe .
  2⤵
  PID:5508
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\zjdxfuqdzofkwehb.exe*."
    3⤵
    PID:3076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pbxtdushfwpwkuzvcj.exe
1⤵
PID:5444
- C:\Windows\pbxtdushfwpwkuzvcj.exe
  pbxtdushfwpwkuzvcj.exe
  2⤵
  PID:1544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ankhskjzyqkshsyvdly.exe .
1⤵
PID:5152
- C:\Windows\ankhskjzyqkshsyvdly.exe
  ankhskjzyqkshsyvdly.exe .
  2⤵
  PID:224
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\ankhskjzyqkshsyvdly.exe*."
    3⤵
    PID:5144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe
1⤵
PID:4024
- C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe
  C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe
  2⤵
  PID:5472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe .
1⤵
PID:2792
- C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe
  C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe .
  2⤵
  PID:5432
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\pbxtdushfwpwkuzvcj.exe*."
    3⤵
    PID:1728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
1⤵
PID:5632
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1484
- C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
  C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
  2⤵
  PID:5452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe .
1⤵
PID:3372
- C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
  C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe .
  2⤵
  PID:5496
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\grmhqgdroewcpycxd.exe*."
    3⤵
    PID:4868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crqpcwxpqkgqhucblvkji.exe
1⤵
PID:2328
- C:\Windows\crqpcwxpqkgqhucblvkji.exe
  crqpcwxpqkgqhucblvkji.exe
  2⤵
  PID:3584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c grmhqgdroewcpycxd.exe .
1⤵
PID:5784
- C:\Windows\grmhqgdroewcpycxd.exe
  grmhqgdroewcpycxd.exe .
  2⤵
  PID:4192
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\grmhqgdroewcpycxd.exe*."
    3⤵
    PID:4080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c grmhqgdroewcpycxd.exe
1⤵
PID:4028
- C:\Windows\grmhqgdroewcpycxd.exe
  grmhqgdroewcpycxd.exe
  2⤵
  PID:1796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ankhskjzyqkshsyvdly.exe .
1⤵
PID:2116
- C:\Windows\ankhskjzyqkshsyvdly.exe
  ankhskjzyqkshsyvdly.exe .
  2⤵
  PID:1804
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\ankhskjzyqkshsyvdly.exe*."
    3⤵
    PID:4224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe
1⤵
PID:5984
- C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe
  C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe
  2⤵
  PID:5548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe .
1⤵
PID:1032
- C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
  C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe .
  2⤵
  PID:3776
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\grmhqgdroewcpycxd.exe*."
    3⤵
    PID:5896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe
1⤵
PID:4908
- C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe
  C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe
  2⤵
  PID:6100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe .
1⤵
PID:3972
- C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe
  C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe .
  2⤵
  PID:5884
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\crqpcwxpqkgqhucblvkji.exe*."
    3⤵
    PID:4348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ankhskjzyqkshsyvdly.exe
1⤵
PID:4456
- C:\Windows\ankhskjzyqkshsyvdly.exe
  ankhskjzyqkshsyvdly.exe
  2⤵
  PID:3496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ankhskjzyqkshsyvdly.exe .
1⤵
PID:1496
- C:\Windows\ankhskjzyqkshsyvdly.exe
  ankhskjzyqkshsyvdly.exe .
  2⤵
  PID:5396
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\ankhskjzyqkshsyvdly.exe*."
    3⤵
    PID:1328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zjdxfuqdzofkwehb.exe
1⤵
PID:6096
- C:\Windows\zjdxfuqdzofkwehb.exe
  zjdxfuqdzofkwehb.exe
  2⤵
  PID:2740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ankhskjzyqkshsyvdly.exe .
1⤵
PID:5644
- C:\Windows\ankhskjzyqkshsyvdly.exe
  ankhskjzyqkshsyvdly.exe .
  2⤵
  PID:5736
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\ankhskjzyqkshsyvdly.exe*."
    3⤵
    PID:5164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe
1⤵
PID:5128
- C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe
  C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe
  2⤵
  PID:1112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe .
1⤵
PID:312
- C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
  C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe .
  2⤵
  PID:3432
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\ankhskjzyqkshsyvdly.exe*."
    3⤵
    PID:2152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe
1⤵
PID:3988
- C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe
  C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe
  2⤵
  PID:3380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe .
1⤵
PID:5176
- C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
  C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe .
  2⤵
  PID:1544
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\grmhqgdroewcpycxd.exe*."
    3⤵
    PID:5340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c grmhqgdroewcpycxd.exe
1⤵
PID:1416
- C:\Windows\grmhqgdroewcpycxd.exe
  grmhqgdroewcpycxd.exe
  2⤵
  PID:5388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crqpcwxpqkgqhucblvkji.exe .
1⤵
PID:4280
- C:\Windows\crqpcwxpqkgqhucblvkji.exe
  crqpcwxpqkgqhucblvkji.exe .
  2⤵
  PID:5216
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\crqpcwxpqkgqhucblvkji.exe*."
    3⤵
    PID:4932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nbzxjccttmhqgszxgpdb.exe
1⤵
PID:3672
- C:\Windows\nbzxjccttmhqgszxgpdb.exe
  nbzxjccttmhqgszxgpdb.exe
  2⤵
  PID:5404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crqpcwxpqkgqhucblvkji.exe .
1⤵
PID:988
- C:\Windows\crqpcwxpqkgqhucblvkji.exe
  crqpcwxpqkgqhucblvkji.exe .
  2⤵
  PID:5612
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\crqpcwxpqkgqhucblvkji.exe*."
    3⤵
    PID:1080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe
1⤵
PID:772
- C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe
  C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe
  2⤵
  PID:1128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe .
1⤵
PID:4408
- C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
  C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe .
  2⤵
  PID:4440
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\grmhqgdroewcpycxd.exe*."
    3⤵
    PID:3584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
1⤵
PID:2216
- C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
  C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
  2⤵
  PID:4040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe .
1⤵
PID:728
- C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
  C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe .
  2⤵
  PID:2324
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\ankhskjzyqkshsyvdly.exe*."
    3⤵
    PID:5456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
1⤵
PID:5360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zjdxfuqdzofkwehb.exe
1⤵
PID:6032
- C:\Windows\zjdxfuqdzofkwehb.exe
  zjdxfuqdzofkwehb.exe
  2⤵
  PID:5892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nbzxjccttmhqgszxgpdb.exe .
1⤵
PID:5708
- C:\Windows\nbzxjccttmhqgszxgpdb.exe
  nbzxjccttmhqgszxgpdb.exe .
  2⤵
  PID:5480
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\nbzxjccttmhqgszxgpdb.exe*."
    3⤵
    PID:3488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ankhskjzyqkshsyvdly.exe
1⤵
PID:4360
- C:\Windows\ankhskjzyqkshsyvdly.exe
  ankhskjzyqkshsyvdly.exe
  2⤵
  PID:3768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crqpcwxpqkgqhucblvkji.exe .
1⤵
PID:5712
- C:\Windows\crqpcwxpqkgqhucblvkji.exe
  crqpcwxpqkgqhucblvkji.exe .
  2⤵
  PID:516
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\crqpcwxpqkgqhucblvkji.exe*."
    3⤵
    PID:736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe
1⤵
PID:3616
- C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe
  C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe
  2⤵
  PID:944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe .
1⤵
PID:5148
- C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe
  C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe .
  2⤵
  PID:5272
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\crqpcwxpqkgqhucblvkji.exe*."
    3⤵
    PID:6008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe
1⤵
PID:4432
- C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe
  C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe
  2⤵
  PID:1708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe .
1⤵
PID:3000
- C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe
  C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe .
  2⤵
  PID:3896
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\zjdxfuqdzofkwehb.exe*."
    3⤵
    PID:3648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nbzxjccttmhqgszxgpdb.exe
1⤵
PID:2776
- C:\Windows\nbzxjccttmhqgszxgpdb.exe
  nbzxjccttmhqgszxgpdb.exe
  2⤵
  PID:4044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pbxtdushfwpwkuzvcj.exe .
1⤵
PID:5644
- C:\Windows\pbxtdushfwpwkuzvcj.exe
  pbxtdushfwpwkuzvcj.exe .
  2⤵
  PID:844
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\pbxtdushfwpwkuzvcj.exe*."
    3⤵
    PID:3780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c grmhqgdroewcpycxd.exe
1⤵
PID:2628
- C:\Windows\grmhqgdroewcpycxd.exe
  grmhqgdroewcpycxd.exe
  2⤵
  PID:3924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ankhskjzyqkshsyvdly.exe
1⤵
PID:560
- C:\Windows\ankhskjzyqkshsyvdly.exe
  ankhskjzyqkshsyvdly.exe
  2⤵
  PID:5588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zjdxfuqdzofkwehb.exe .
1⤵
PID:3964
- C:\Windows\zjdxfuqdzofkwehb.exe
  zjdxfuqdzofkwehb.exe .
  2⤵
  PID:5392
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\zjdxfuqdzofkwehb.exe*."
    3⤵
    PID:3808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe
1⤵
PID:2292
- C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe
  C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe
  2⤵
  PID:1564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crqpcwxpqkgqhucblvkji.exe .
1⤵
PID:5536
- C:\Windows\crqpcwxpqkgqhucblvkji.exe
  crqpcwxpqkgqhucblvkji.exe .
  2⤵
  PID:5152
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\crqpcwxpqkgqhucblvkji.exe*."
    3⤵
    PID:5504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe .
1⤵
PID:3196
- C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
  C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe .
  2⤵
  PID:2900
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\ankhskjzyqkshsyvdly.exe*."
    3⤵
    PID:988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crqpcwxpqkgqhucblvkji.exe
1⤵
PID:1916
- C:\Windows\crqpcwxpqkgqhucblvkji.exe
  crqpcwxpqkgqhucblvkji.exe
  2⤵
  PID:4848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zjdxfuqdzofkwehb.exe
1⤵
PID:4280
- C:\Windows\zjdxfuqdzofkwehb.exe
  zjdxfuqdzofkwehb.exe
  2⤵
  PID:4176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ankhskjzyqkshsyvdly.exe .
1⤵
PID:2300
- C:\Windows\ankhskjzyqkshsyvdly.exe
  ankhskjzyqkshsyvdly.exe .
  2⤵
  PID:4080
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\ankhskjzyqkshsyvdly.exe*."
    3⤵
    PID:3972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe
1⤵
PID:4688
- C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe
  C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe
  2⤵
  PID:2328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
1⤵
PID:4588
- C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
  C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
  2⤵
  PID:5352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c grmhqgdroewcpycxd.exe .
1⤵
PID:6124
- C:\Windows\grmhqgdroewcpycxd.exe
  grmhqgdroewcpycxd.exe .
  2⤵
  PID:5828
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\grmhqgdroewcpycxd.exe*."
    3⤵
    PID:5840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe .
1⤵
PID:2908
- C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe
  C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe .
  2⤵
  PID:4908
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\zjdxfuqdzofkwehb.exe*."
    3⤵
    PID:4844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe .
1⤵
PID:4408
- C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
  C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe .
  2⤵
  PID:60
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\nbzxjccttmhqgszxgpdb.exe*."
    3⤵
    PID:6100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zjdxfuqdzofkwehb.exe
1⤵
PID:4116
- C:\Windows\zjdxfuqdzofkwehb.exe
  zjdxfuqdzofkwehb.exe
  2⤵
  PID:5168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zjdxfuqdzofkwehb.exe .
1⤵
PID:3036
- C:\Windows\zjdxfuqdzofkwehb.exe
  zjdxfuqdzofkwehb.exe .
  2⤵
  PID:4216
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\zjdxfuqdzofkwehb.exe*."
    3⤵
    PID:6012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe
1⤵
PID:2256
- C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe
  C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe
  2⤵
  PID:1328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
1⤵
PID:2028
- C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
  C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
  2⤵
  PID:2664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe .
1⤵
PID:5480
- C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
  C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe .
  2⤵
  PID:5560
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\grmhqgdroewcpycxd.exe*."
    3⤵
    PID:2104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe .
1⤵
PID:4320
- C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe
  C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe .
  2⤵
  PID:6104
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\crqpcwxpqkgqhucblvkji.exe*."
    3⤵
    PID:1644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe
1⤵
PID:5200
- C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe
  C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe
  2⤵
  PID:5460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe .
1⤵
PID:5348
- C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe
  C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe .
  2⤵
  PID:5764
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\crqpcwxpqkgqhucblvkji.exe*."
    3⤵
    PID:2296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nbzxjccttmhqgszxgpdb.exe
1⤵
PID:4220
- C:\Windows\nbzxjccttmhqgszxgpdb.exe
  nbzxjccttmhqgszxgpdb.exe
  2⤵
  PID:3432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ankhskjzyqkshsyvdly.exe .
1⤵
PID:4528
- C:\Windows\ankhskjzyqkshsyvdly.exe
  ankhskjzyqkshsyvdly.exe .
  2⤵
  PID:5644
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\ankhskjzyqkshsyvdly.exe*."
    3⤵
    PID:3468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zjdxfuqdzofkwehb.exe
1⤵
PID:3924
- C:\Windows\zjdxfuqdzofkwehb.exe
  zjdxfuqdzofkwehb.exe
  2⤵
  PID:3380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ankhskjzyqkshsyvdly.exe .
1⤵
PID:5144
- C:\Windows\ankhskjzyqkshsyvdly.exe
  ankhskjzyqkshsyvdly.exe .
  2⤵
  PID:2556
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\ankhskjzyqkshsyvdly.exe*."
    3⤵
    PID:4348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
1⤵
PID:4124
- C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
  C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
  2⤵
  PID:5812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe .
1⤵
PID:5508
- C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe
  C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe .
  2⤵
  PID:4604
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\pbxtdushfwpwkuzvcj.exe*."
    3⤵
    PID:4628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
1⤵
PID:2900
- C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
  C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
  2⤵
  PID:3576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe .
1⤵
PID:4752
- C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe
  C:\Users\Admin\AppData\Local\Temp\zjdxfuqdzofkwehb.exe .
  2⤵
  PID:4848
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\zjdxfuqdzofkwehb.exe*."
    3⤵
    PID:5552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c grmhqgdroewcpycxd.exe
1⤵
PID:5484
- C:\Windows\grmhqgdroewcpycxd.exe
  grmhqgdroewcpycxd.exe
  2⤵
  PID:5428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ankhskjzyqkshsyvdly.exe .
1⤵
PID:5632
- C:\Windows\ankhskjzyqkshsyvdly.exe
  ankhskjzyqkshsyvdly.exe .
  2⤵
  PID:1872
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\ankhskjzyqkshsyvdly.exe*."
    3⤵
    PID:5520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pbxtdushfwpwkuzvcj.exe
1⤵
PID:956
- C:\Windows\pbxtdushfwpwkuzvcj.exe
  pbxtdushfwpwkuzvcj.exe
  2⤵
  PID:5412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crqpcwxpqkgqhucblvkji.exe .
1⤵
PID:5896
- C:\Windows\crqpcwxpqkgqhucblvkji.exe
  crqpcwxpqkgqhucblvkji.exe .
  2⤵
  PID:5160
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\crqpcwxpqkgqhucblvkji.exe*."
    3⤵
    PID:2300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
1⤵
PID:5280
- C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
  C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
  2⤵
  PID:5676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe .
1⤵
PID:5084
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5400
- C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
  C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe .
  2⤵
  PID:3404
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\nbzxjccttmhqgszxgpdb.exe*."
    3⤵
    PID:4800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
1⤵
PID:5888
- C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
  C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
  2⤵
  PID:5904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe .
1⤵
PID:3080
- C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
  C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe .
  2⤵
  PID:868
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\ankhskjzyqkshsyvdly.exe*."
    3⤵
    PID:5488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pbxtdushfwpwkuzvcj.exe
1⤵
PID:4548
- C:\Windows\pbxtdushfwpwkuzvcj.exe
  pbxtdushfwpwkuzvcj.exe
  2⤵
  PID:5712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crqpcwxpqkgqhucblvkji.exe .
1⤵
PID:1620
- C:\Windows\crqpcwxpqkgqhucblvkji.exe
  crqpcwxpqkgqhucblvkji.exe .
  2⤵
  PID:3912
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\crqpcwxpqkgqhucblvkji.exe*."
    3⤵
    PID:2468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pbxtdushfwpwkuzvcj.exe
1⤵
PID:5460
- C:\Windows\pbxtdushfwpwkuzvcj.exe
  pbxtdushfwpwkuzvcj.exe
  2⤵
  PID:5916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c grmhqgdroewcpycxd.exe .
1⤵
PID:2740
- C:\Windows\grmhqgdroewcpycxd.exe
  grmhqgdroewcpycxd.exe .
  2⤵
  PID:1644
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\grmhqgdroewcpycxd.exe*."
    3⤵
    PID:6116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe
1⤵
PID:4880
- C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe
  C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe
  2⤵
  PID:4008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe .
1⤵
PID:5116
- C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
  C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe .
  2⤵
  PID:3476
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\ankhskjzyqkshsyvdly.exe*."
    3⤵
    PID:5256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe
1⤵
PID:3780
- C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe
  C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe
  2⤵
  PID:6120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe .
1⤵
PID:1144
- C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
  C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe .
  2⤵
  PID:5644
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\nbzxjccttmhqgszxgpdb.exe*."
    3⤵
    PID:5156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c grmhqgdroewcpycxd.exe
1⤵
PID:5588
- C:\Windows\grmhqgdroewcpycxd.exe
  grmhqgdroewcpycxd.exe
  2⤵
  PID:5500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c grmhqgdroewcpycxd.exe .
1⤵
PID:6112
- C:\Windows\grmhqgdroewcpycxd.exe
  grmhqgdroewcpycxd.exe .
  2⤵
  PID:3808
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\grmhqgdroewcpycxd.exe*."
    3⤵
    PID:2108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c grmhqgdroewcpycxd.exe
1⤵
PID:5132
- C:\Windows\grmhqgdroewcpycxd.exe
  grmhqgdroewcpycxd.exe
  2⤵
  PID:4488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pbxtdushfwpwkuzvcj.exe .
1⤵
PID:6048
- C:\Windows\pbxtdushfwpwkuzvcj.exe
  pbxtdushfwpwkuzvcj.exe .
  2⤵
  PID:5320
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\pbxtdushfwpwkuzvcj.exe*."
    3⤵
    PID:4468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
1⤵
PID:1484
- C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
  C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
  2⤵
  PID:2720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe .
1⤵
PID:4460
- C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe
  C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe .
  2⤵
  PID:3984
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\crqpcwxpqkgqhucblvkji.exe*."
    3⤵
    PID:5692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe
1⤵
PID:972
- C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe
  C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe
  2⤵
  PID:704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe .
1⤵
PID:1004
- C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
  C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe .
  2⤵
  PID:1984
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\grmhqgdroewcpycxd.exe*."
    3⤵
    PID:5252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crqpcwxpqkgqhucblvkji.exe
1⤵
PID:1108
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5684
- C:\Windows\crqpcwxpqkgqhucblvkji.exe
  crqpcwxpqkgqhucblvkji.exe
  2⤵
  PID:2172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zjdxfuqdzofkwehb.exe .
1⤵
PID:956
- C:\Windows\zjdxfuqdzofkwehb.exe
  zjdxfuqdzofkwehb.exe .
  2⤵
  PID:5632
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\zjdxfuqdzofkwehb.exe*."
    3⤵
    PID:1348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pbxtdushfwpwkuzvcj.exe
1⤵
PID:3208
- C:\Windows\pbxtdushfwpwkuzvcj.exe
  pbxtdushfwpwkuzvcj.exe
  2⤵
  PID:468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pbxtdushfwpwkuzvcj.exe .
1⤵
PID:4844
- C:\Windows\pbxtdushfwpwkuzvcj.exe
  pbxtdushfwpwkuzvcj.exe .
  2⤵
  PID:1212
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\pbxtdushfwpwkuzvcj.exe*."
    3⤵
    PID:4176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe
1⤵
PID:6044
- C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe
  C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe
  2⤵
  PID:5904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe .
1⤵
PID:5912
- C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
  C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe .
  2⤵
  PID:5552
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\nbzxjccttmhqgszxgpdb.exe*."
    3⤵
    PID:2908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
1⤵
PID:868
- C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
  C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
  2⤵
  PID:2780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe .
1⤵
PID:3080
- C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe
  C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe .
  2⤵
  PID:4912
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\pbxtdushfwpwkuzvcj.exe*."
    3⤵
    PID:2256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nbzxjccttmhqgszxgpdb.exe
1⤵
PID:5560
- C:\Windows\nbzxjccttmhqgszxgpdb.exe
  nbzxjccttmhqgszxgpdb.exe
  2⤵
  PID:5808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nbzxjccttmhqgszxgpdb.exe .
1⤵
PID:5708
- C:\Windows\nbzxjccttmhqgszxgpdb.exe
  nbzxjccttmhqgszxgpdb.exe .
  2⤵
  PID:4760
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\nbzxjccttmhqgszxgpdb.exe*."
    3⤵
    PID:3756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crqpcwxpqkgqhucblvkji.exe
1⤵
PID:5908
- C:\Windows\crqpcwxpqkgqhucblvkji.exe
  crqpcwxpqkgqhucblvkji.exe
  2⤵
  PID:6004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nbzxjccttmhqgszxgpdb.exe
1⤵
PID:3432
- C:\Windows\nbzxjccttmhqgszxgpdb.exe
  nbzxjccttmhqgszxgpdb.exe
  2⤵
  PID:5372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crqpcwxpqkgqhucblvkji.exe .
1⤵
PID:3824
- C:\Windows\crqpcwxpqkgqhucblvkji.exe
  crqpcwxpqkgqhucblvkji.exe .
  2⤵
  PID:5384
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\crqpcwxpqkgqhucblvkji.exe*."
    3⤵
    PID:1416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c grmhqgdroewcpycxd.exe .
1⤵
PID:5884
- C:\Windows\grmhqgdroewcpycxd.exe
  grmhqgdroewcpycxd.exe .
  2⤵
  PID:4564
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\grmhqgdroewcpycxd.exe*."
    3⤵
    PID:1160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zjdxfuqdzofkwehb.exe
1⤵
PID:3532
- C:\Windows\zjdxfuqdzofkwehb.exe
  zjdxfuqdzofkwehb.exe
  2⤵
  PID:3648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
1⤵
PID:5116
- C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
  C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
  2⤵
  PID:2792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nbzxjccttmhqgszxgpdb.exe .
1⤵
PID:5180
- C:\Windows\nbzxjccttmhqgszxgpdb.exe
  nbzxjccttmhqgszxgpdb.exe .
  2⤵
  PID:872
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\nbzxjccttmhqgszxgpdb.exe*."
    3⤵
    PID:3848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe .
1⤵
PID:1100
- C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
  C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe .
  2⤵
  PID:5556
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\grmhqgdroewcpycxd.exe*."
    3⤵
    PID:516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
1⤵
PID:560
- C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
  C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
  2⤵
  PID:3196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crqpcwxpqkgqhucblvkji.exe
1⤵
PID:5716
- C:\Windows\crqpcwxpqkgqhucblvkji.exe
  crqpcwxpqkgqhucblvkji.exe
  2⤵
  PID:5624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe .
1⤵
PID:5144
- C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
  C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe .
  2⤵
  PID:4524
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\ankhskjzyqkshsyvdly.exe*."
    3⤵
    PID:5172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ankhskjzyqkshsyvdly.exe .
1⤵
PID:2556
- C:\Windows\ankhskjzyqkshsyvdly.exe
  ankhskjzyqkshsyvdly.exe .
  2⤵
  PID:3140
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\ankhskjzyqkshsyvdly.exe*."
    3⤵
    PID:1212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
1⤵
PID:3980
- C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
  C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
  2⤵
  PID:884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe .
1⤵
PID:5720
- C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe
  C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe .
  2⤵
  PID:5352
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\crqpcwxpqkgqhucblvkji.exe*."
    3⤵
    PID:5160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crqpcwxpqkgqhucblvkji.exe
1⤵
PID:6056
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4468
- C:\Windows\crqpcwxpqkgqhucblvkji.exe
  crqpcwxpqkgqhucblvkji.exe
  2⤵
  PID:5280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
1⤵
PID:5204
- C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
  C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
  2⤵
  PID:736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe .
1⤵
PID:3928
- C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe
  C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe .
  2⤵
  PID:2028
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\pbxtdushfwpwkuzvcj.exe*."
    3⤵
    PID:4360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c crqpcwxpqkgqhucblvkji.exe .
1⤵
PID:4112
- C:\Windows\crqpcwxpqkgqhucblvkji.exe
  crqpcwxpqkgqhucblvkji.exe .
  2⤵
  PID:5552
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\crqpcwxpqkgqhucblvkji.exe*."
    3⤵
    PID:4792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
1⤵
PID:5548
- C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
  C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
  2⤵
  PID:3016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe .
1⤵
PID:5444
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1760
- C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe
  C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe .
  2⤵
  PID:3644
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\pbxtdushfwpwkuzvcj.exe*."
    3⤵
    PID:4960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
1⤵
PID:4696
- C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
  C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
  2⤵
  PID:3052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe .
1⤵
PID:5052
- C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
  C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe .
  2⤵
  PID:3588
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\ankhskjzyqkshsyvdly.exe*."
    3⤵
    PID:4548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c grmhqgdroewcpycxd.exe
1⤵
PID:5952
- C:\Windows\grmhqgdroewcpycxd.exe
  grmhqgdroewcpycxd.exe
  2⤵
  PID:4912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pbxtdushfwpwkuzvcj.exe .
1⤵
PID:3080
- C:\Windows\pbxtdushfwpwkuzvcj.exe
  pbxtdushfwpwkuzvcj.exe .
  2⤵
  PID:6012
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\pbxtdushfwpwkuzvcj.exe*."
    3⤵
    PID:4320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nbzxjccttmhqgszxgpdb.exe
1⤵
PID:892
- C:\Windows\nbzxjccttmhqgszxgpdb.exe
  nbzxjccttmhqgszxgpdb.exe
  2⤵
  PID:3616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pbxtdushfwpwkuzvcj.exe .
1⤵
PID:2152
- C:\Windows\pbxtdushfwpwkuzvcj.exe
  pbxtdushfwpwkuzvcj.exe .
  2⤵
  PID:3176
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\pbxtdushfwpwkuzvcj.exe*."
    3⤵
    PID:3268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
1⤵
PID:3468
- C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
  C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
  2⤵
  PID:5356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe .
1⤵
PID:5844
- C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
  C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe .
  2⤵
  PID:5852
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\ankhskjzyqkshsyvdly.exe*."
    3⤵
    PID:4564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
1⤵
PID:400
- C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
  C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
  2⤵
  PID:5700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe .
1⤵
PID:5152
- C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
  C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe .
  2⤵
  PID:5040
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\ankhskjzyqkshsyvdly.exe*."
    3⤵
    PID:4368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pbxtdushfwpwkuzvcj.exe
1⤵
PID:4376
- C:\Windows\pbxtdushfwpwkuzvcj.exe
  pbxtdushfwpwkuzvcj.exe
  2⤵
  PID:5536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nbzxjccttmhqgszxgpdb.exe .
1⤵
PID:652
- C:\Windows\nbzxjccttmhqgszxgpdb.exe
  nbzxjccttmhqgszxgpdb.exe .
  2⤵
  PID:1248
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\nbzxjccttmhqgszxgpdb.exe*."
    3⤵
    PID:3964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pbxtdushfwpwkuzvcj.exe
1⤵
PID:1328
- C:\Windows\pbxtdushfwpwkuzvcj.exe
  pbxtdushfwpwkuzvcj.exe
  2⤵
  PID:4240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c grmhqgdroewcpycxd.exe .
1⤵
PID:2160
- C:\Windows\grmhqgdroewcpycxd.exe
  grmhqgdroewcpycxd.exe .
  2⤵
  PID:1128
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\grmhqgdroewcpycxd.exe*."
    3⤵
    PID:3804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
1⤵
PID:5716
- C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
  C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
  2⤵
  PID:5172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe .
1⤵
PID:4588
- C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe
  C:\Users\Admin\AppData\Local\Temp\ankhskjzyqkshsyvdly.exe .
  2⤵
  PID:5232
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\ankhskjzyqkshsyvdly.exe*."
    3⤵
    PID:1916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
1⤵
PID:3596
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5644
- C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
  C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
  2⤵
  PID:5016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe .
1⤵
PID:1008
- C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
  C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe .
  2⤵
  PID:3016
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\grmhqgdroewcpycxd.exe*."
    3⤵
    PID:4440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pbxtdushfwpwkuzvcj.exe
1⤵
PID:5288
- C:\Windows\pbxtdushfwpwkuzvcj.exe
  pbxtdushfwpwkuzvcj.exe
  2⤵
  PID:5920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ankhskjzyqkshsyvdly.exe .
1⤵
PID:6112
- C:\Windows\ankhskjzyqkshsyvdly.exe
  ankhskjzyqkshsyvdly.exe .
  2⤵
  PID:1796
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\ankhskjzyqkshsyvdly.exe*."
    3⤵
    PID:2652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zjdxfuqdzofkwehb.exe
1⤵
PID:4124
- C:\Windows\zjdxfuqdzofkwehb.exe
  zjdxfuqdzofkwehb.exe
  2⤵
  PID:5864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zjdxfuqdzofkwehb.exe .
1⤵
PID:540
- C:\Windows\zjdxfuqdzofkwehb.exe
  zjdxfuqdzofkwehb.exe .
  2⤵
  PID:2356
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\windows\zjdxfuqdzofkwehb.exe*."
    3⤵
    PID:5252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe
1⤵
PID:3908
- C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe
  C:\Users\Admin\AppData\Local\Temp\crqpcwxpqkgqhucblvkji.exe
  2⤵
  PID:1904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe .
1⤵
PID:3076
- C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe
  C:\Users\Admin\AppData\Local\Temp\grmhqgdroewcpycxd.exe .
  2⤵
  PID:5208
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\grmhqgdroewcpycxd.exe*."
    3⤵
    PID:4116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
1⤵
PID:1692
- C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
  C:\Users\Admin\AppData\Local\Temp\nbzxjccttmhqgszxgpdb.exe
  2⤵
  PID:5984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe .
1⤵
PID:5528
- C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe
  C:\Users\Admin\AppData\Local\Temp\pbxtdushfwpwkuzvcj.exe .
  2⤵
  PID:5484
- - C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhhorpeefrr.exe" "c:\users\admin\appdata\local\temp\pbxtdushfwpwkuzvcj.exe*."
    3⤵
    PID:1520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pbxtdushfwpwkuzvcj.exe
1⤵
PID:3768
- C:\Windows\pbxtdushfwpwkuzvcj.exe
  pbxtdushfwpwkuzvcj.exe
  2⤵
  PID:2760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nbzxjccttmhqgszxgpdb.exe .
1⤵
PID:3616
- C:\Windows\nbzxjccttmhqgszxgpdb.exe
  nbzxjccttmhqgszxgpdb.exe .
  2⤵
  PID:4692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c grmhqgdroewcpycxd.exe
1⤵
PID:3776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pbxtdushfwpwkuzvcj.exe .
1⤵
PID:3960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Modify Registry