pykspa | 4f0cd14b4063d01bc2c427a00fc040219c633507cc6fd1819ab8222c60c5d2c0

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	zcqqxkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	zcqqxkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bbygorkllli.exe

Pykspa
Pykspa is a worm spreads via Skype uses DGA and it's written in C++.
worm pykspa
Pykspa family
pykspa

UAC bypass 3 TTPs 25 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	zcqqxkq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	zcqqxkq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	zcqqxkq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	zcqqxkq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	zcqqxkq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	zcqqxkq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	zcqqxkq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	zcqqxkq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bbygorkllli.exe

Detect Pykspa worm 2 IoCs

worm

resource	yara_rule
behavioral2/files/0x0010000000023f80-4.dat	family_pykspa
behavioral2/files/0x00070000000241be-107.dat	family_pykspa

Adds policy Run key to start application 2 TTPs 48 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zcqqxkq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fsqaroevfabhkymvu.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zcqqxkq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bsuideythglvcumzcnpgi.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zcqqxkq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zooatskdpmpxcsitudd.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zcqqxkq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ocbmectlwsubfujttb.exe"	zcqqxkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zcqqxkq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ocbmectlwsubfujttb.exe"	zcqqxkq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yevyiyhrui = "ocbmectlwsubfujttb.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yevyiyhrui = "bsuideythglvcumzcnpgi.exe"	zcqqxkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lkn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bsnikaspkflvcumzcnpgb.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yevyiyhrui = "zooatskdpmpxcsitudd.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yevyiyhrui = "mcdqkkdxkimvbsjvxhiy.exe"	zcqqxkq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zcqqxkq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fsqaroevfabhkymvu.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yevyiyhrui = "fsqaroevfabhkymvu.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mouano = "ykaqnyldtjkprerz.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yevyiyhrui = "ykhqgcrhqkkprerz.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mouano = "fsjaykyrizbhkymvu.exe"	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yevyiyhrui = "zooatskdpmpxcsitudd.exe"	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zcqqxkq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ykhqgcrhqkkprerz.exe"	zcqqxkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yevyiyhrui = "mcdqkkdxkimvbsjvxhiy.exe"	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yevyiyhrui = "bsuideythglvcumzcnpgi.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lkn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zohaaoezslpxcsitudd.exe"	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	zcqqxkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yevyiyhrui = "fsqaroevfabhkymvu.exe"	zcqqxkq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zcqqxkq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fsqaroevfabhkymvu.exe"	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yevyiyhrui = "ocbmectlwsubfujttb.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zcqqxkq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zooatskdpmpxcsitudd.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zcqqxkq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ocbmectlwsubfujttb.exe"	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	zcqqxkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yevyiyhrui = "ocbmectlwsubfujttb.exe"	zcqqxkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yevyiyhrui = "ocbmectlwsubfujttb.exe"	zcqqxkq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yevyiyhrui = "mcdqkkdxkimvbsjvxhiy.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zcqqxkq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fsqaroevfabhkymvu.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mouano = "bsnikaspkflvcumzcnpgb.exe"	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lkn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fsjaykyrizbhkymvu.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yevyiyhrui = "fsqaroevfabhkymvu.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zcqqxkq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ykhqgcrhqkkprerz.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zcqqxkq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zooatskdpmpxcsitudd.exe"	zcqqxkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zcqqxkq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bsuideythglvcumzcnpgi.exe"	zcqqxkq.exe

Disables RegEdit via registry modification 16 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	bbygorkllli.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	zcqqxkq.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	bbygorkllli.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	bbygorkllli.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	bbygorkllli.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	bbygorkllli.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	zcqqxkq.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	bbygorkllli.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	bbygorkllli.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	bbygorkllli.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	zcqqxkq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	zcqqxkq.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	bbygorkllli.exe

Checks computer location settings 2 TTPs 62 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	zooatskdpmpxcsitudd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	fsqaroevfabhkymvu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	mcdqkkdxkimvbsjvxhiy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	fsqaroevfabhkymvu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	fsqaroevfabhkymvu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	ocbmectlwsubfujttb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	ocbmectlwsubfujttb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	zooatskdpmpxcsitudd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	ykhqgcrhqkkprerz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	bsuideythglvcumzcnpgi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	bsuideythglvcumzcnpgi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	ocbmectlwsubfujttb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	fsqaroevfabhkymvu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	ocbmectlwsubfujttb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	mcdqkkdxkimvbsjvxhiy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	mcdqkkdxkimvbsjvxhiy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	fsqaroevfabhkymvu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	ocbmectlwsubfujttb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	ocbmectlwsubfujttb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	mcdqkkdxkimvbsjvxhiy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	bsuideythglvcumzcnpgi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	ykhqgcrhqkkprerz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	mcdqkkdxkimvbsjvxhiy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	ocbmectlwsubfujttb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	bsuideythglvcumzcnpgi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	mcdqkkdxkimvbsjvxhiy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	ocbmectlwsubfujttb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	bsuideythglvcumzcnpgi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	mcdqkkdxkimvbsjvxhiy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	bsuideythglvcumzcnpgi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	ykhqgcrhqkkprerz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	ocbmectlwsubfujttb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	zooatskdpmpxcsitudd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	ocbmectlwsubfujttb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	fsqaroevfabhkymvu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	JaffaCakes118_93a97780416038bcd6b1b53e917bdf4f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	mcdqkkdxkimvbsjvxhiy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	bsuideythglvcumzcnpgi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	mcdqkkdxkimvbsjvxhiy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	zooatskdpmpxcsitudd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	fsqaroevfabhkymvu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	ykhqgcrhqkkprerz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	bbygorkllli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	bbygorkllli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	ocbmectlwsubfujttb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	zooatskdpmpxcsitudd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	ocbmectlwsubfujttb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	ocbmectlwsubfujttb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	ykhqgcrhqkkprerz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	bsuideythglvcumzcnpgi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	zooatskdpmpxcsitudd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	mcdqkkdxkimvbsjvxhiy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	mcdqkkdxkimvbsjvxhiy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	mcdqkkdxkimvbsjvxhiy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	ykhqgcrhqkkprerz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	bsuideythglvcumzcnpgi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	zooatskdpmpxcsitudd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	ocbmectlwsubfujttb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	zooatskdpmpxcsitudd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	bsuideythglvcumzcnpgi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	bsuideythglvcumzcnpgi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	mcdqkkdxkimvbsjvxhiy.exe

Executes dropped EXE 64 IoCs

pid	Process
3244	bbygorkllli.exe
4864	ykhqgcrhqkkprerz.exe
1348	fsqaroevfabhkymvu.exe
4636	bbygorkllli.exe
4744	mcdqkkdxkimvbsjvxhiy.exe
4544	bsuideythglvcumzcnpgi.exe
4688	bsuideythglvcumzcnpgi.exe
3328	bbygorkllli.exe
3968	mcdqkkdxkimvbsjvxhiy.exe
668	bbygorkllli.exe
3492	zooatskdpmpxcsitudd.exe
1516	bsuideythglvcumzcnpgi.exe
544	bbygorkllli.exe
3200	bbygorkllli.exe
1552	zcqqxkq.exe
3056	zcqqxkq.exe
4664	bbygorkllli.exe
636	bsuideythglvcumzcnpgi.exe
2484	bbygorkllli.exe
3816	bbygorkllli.exe
2060	zooatskdpmpxcsitudd.exe
3856	bbygorkllli.exe
4024	ykhqgcrhqkkprerz.exe
4412	ykhqgcrhqkkprerz.exe
3000	bsuideythglvcumzcnpgi.exe
2828	fsqaroevfabhkymvu.exe
2412	zooatskdpmpxcsitudd.exe
4556	ocbmectlwsubfujttb.exe
636	ocbmectlwsubfujttb.exe
4252	mcdqkkdxkimvbsjvxhiy.exe
3244	zooatskdpmpxcsitudd.exe
2788	ocbmectlwsubfujttb.exe
4748	zooatskdpmpxcsitudd.exe
4976	mcdqkkdxkimvbsjvxhiy.exe
3456	bbygorkllli.exe
3572	bbygorkllli.exe
3980	bbygorkllli.exe
712	ocbmectlwsubfujttb.exe
2008	ocbmectlwsubfujttb.exe
2716	fsqaroevfabhkymvu.exe
5016	bbygorkllli.exe
2064	bbygorkllli.exe
3572	bbygorkllli.exe
2588	bbygorkllli.exe
716	ykhqgcrhqkkprerz.exe
832	ocbmectlwsubfujttb.exe
1300	bsuideythglvcumzcnpgi.exe
4748	fsqaroevfabhkymvu.exe
1908	bbygorkllli.exe
4556	bsuideythglvcumzcnpgi.exe
4360	bbygorkllli.exe
3676	bbygorkllli.exe
1472	ocbmectlwsubfujttb.exe
3816	fsqaroevfabhkymvu.exe
3184	bbygorkllli.exe
3568	bbygorkllli.exe
4428	bbygorkllli.exe
3108	bbygorkllli.exe
2428	fsqaroevfabhkymvu.exe
3436	bsuideythglvcumzcnpgi.exe
2456	ykhqgcrhqkkprerz.exe
4412	bbygorkllli.exe
4976	ocbmectlwsubfujttb.exe
4936	ocbmectlwsubfujttb.exe

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	zcqqxkq.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	zcqqxkq.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	zcqqxkq.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	zcqqxkq.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	zcqqxkq.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	zcqqxkq.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

defense_evasion persistence privilege_escalation

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qyrwialxcsop = "mcdqkkdxkimvbsjvxhiy.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\fkaclairt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ykhqgcrhqkkprerz.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oshiqelt = "ykhqgcrhqkkprerz.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oshiqelt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zooatskdpmpxcsitudd.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qyrwialxcsop = "zooatskdpmpxcsitudd.exe ."	zcqqxkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pysyleqdjaxzy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ocbmectlwsubfujttb.exe ."	zcqqxkq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qyrwialxcsop = "bsuideythglvcumzcnpgi.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pysyleqdjaxzy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bsuideythglvcumzcnpgi.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oshiqelt = "ykhqgcrhqkkprerz.exe"	zcqqxkq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sswa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ykaqnyldtjkprerz.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oshiqelt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zooatskdpmpxcsitudd.exe"	zcqqxkq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taswhyitxmh = "zooatskdpmpxcsitudd.exe"	zcqqxkq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qyrwialxcsop = "ocbmectlwsubfujttb.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fktcswcnw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ocumlynhzrubfujttb.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bchmy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zohaaoezslpxcsitudd.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fkaclairt = "fsqaroevfabhkymvu.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taswhyitxmh = "mcdqkkdxkimvbsjvxhiy.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zcjqegk = "bsnikaspkflvcumzcnpgb.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bchmy = "bsnikaspkflvcumzcnpgb.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qyrwialxcsop = "mcdqkkdxkimvbsjvxhiy.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oshiqelt = "zooatskdpmpxcsitudd.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bchmy = "ocumlynhzrubfujttb.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pysyleqdjaxzy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ocbmectlwsubfujttb.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qyrwialxcsop = "bsuideythglvcumzcnpgi.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qavcqkxlskillw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ocbmectlwsubfujttb.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pysyleqdjaxzy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ocbmectlwsubfujttb.exe ."	zcqqxkq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qyrwialxcsop = "ocbmectlwsubfujttb.exe ."	zcqqxkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qavcqkxlskillw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ykhqgcrhqkkprerz.exe"	zcqqxkq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oshiqelt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bsuideythglvcumzcnpgi.exe"	zcqqxkq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\fkaclairt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ykhqgcrhqkkprerz.exe ."	zcqqxkq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taswhyitxmh = "fsqaroevfabhkymvu.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pysyleqdjaxzy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ocbmectlwsubfujttb.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taswhyitxmh = "fsqaroevfabhkymvu.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qavcqkxlskillw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bsuideythglvcumzcnpgi.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qyrwialxcsop = "zooatskdpmpxcsitudd.exe ."	zcqqxkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fkaclairt = "ykhqgcrhqkkprerz.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qavcqkxlskillw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fsqaroevfabhkymvu.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zcjqegk = "fsjaykyrizbhkymvu.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yeoypubnxh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ocumlynhzrubfujttb.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fkaclairt = "fsqaroevfabhkymvu.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\fkaclairt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bsuideythglvcumzcnpgi.exe ."	zcqqxkq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oshiqelt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ykhqgcrhqkkprerz.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fkaclairt = "fsqaroevfabhkymvu.exe ."	zcqqxkq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oshiqelt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mcdqkkdxkimvbsjvxhiy.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oshiqelt = "ocbmectlwsubfujttb.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oshiqelt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bsuideythglvcumzcnpgi.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qavcqkxlskillw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bsuideythglvcumzcnpgi.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sswa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fsjaykyrizbhkymvu.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qavcqkxlskillw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fsqaroevfabhkymvu.exe"	zcqqxkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fktcswcnw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mcwqrgxtnhmvbsjvxhiy.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qavcqkxlskillw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ocbmectlwsubfujttb.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\fkaclairt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bsuideythglvcumzcnpgi.exe ."	zcqqxkq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taswhyitxmh = "bsuideythglvcumzcnpgi.exe"	zcqqxkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bchmy = "zohaaoezslpxcsitudd.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pysyleqdjaxzy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mcdqkkdxkimvbsjvxhiy.exe ."	zcqqxkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qavcqkxlskillw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mcdqkkdxkimvbsjvxhiy.exe"	zcqqxkq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oshiqelt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ocbmectlwsubfujttb.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oshiqelt = "fsqaroevfabhkymvu.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fktcswcnw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bsnikaspkflvcumzcnpgb.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pysyleqdjaxzy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bsuideythglvcumzcnpgi.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oshiqelt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fsqaroevfabhkymvu.exe"	zcqqxkq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\osaixafp = "mcwqrgxtnhmvbsjvxhiy.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bchmy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ykaqnyldtjkprerz.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pysyleqdjaxzy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ykhqgcrhqkkprerz.exe ."	bbygorkllli.exe

Checks whether UAC is enabled 1 TTPs 26 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	zcqqxkq.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	zcqqxkq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bbygorkllli.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bbygorkllli.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bbygorkllli.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bbygorkllli.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bbygorkllli.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	zcqqxkq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	zcqqxkq.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 4 IoCs

Possible Turn off User Account Control's privilege elevation for standard users.

Executable Installer File Permissions Weakness

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	zcqqxkq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	zcqqxkq.exe

Looks up external IP address via web service 9 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
36	whatismyipaddress.com
45	whatismyip.everdot.org
46	www.whatismyip.ca
51	whatismyip.everdot.org
29	www.showmyipaddress.com
40	whatismyip.everdot.org
22	www.whatismyip.ca
33	whatismyip.everdot.org
35	www.whatismyip.ca

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\skncyavrggmxfyrfjvyqti.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\zooatskdpmpxcsitudd.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\ykhqgcrhqkkprerz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\skncyavrggmxfyrfjvyqti.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\ykhqgcrhqkkprerz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\fsqaroevfabhkymvu.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\ocbmectlwsubfujttb.exe	zcqqxkq.exe
File opened for modification	C:\Windows\SysWOW64\bsuideythglvcumzcnpgi.exe	zcqqxkq.exe
File opened for modification	C:\Windows\SysWOW64\mcdqkkdxkimvbsjvxhiy.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\fsqaroevfabhkymvu.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\ykhqgcrhqkkprerz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\skncyavrggmxfyrfjvyqti.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\bsuideythglvcumzcnpgi.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\skncyavrggmxfyrfjvyqti.exe	zcqqxkq.exe
File opened for modification	C:\Windows\SysWOW64\ykhqgcrhqkkprerz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\ocbmectlwsubfujttb.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\mcdqkkdxkimvbsjvxhiy.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\skncyavrggmxfyrfjvyqti.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\fsqaroevfabhkymvu.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\ykhqgcrhqkkprerz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\zooatskdpmpxcsitudd.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\skncyavrggmxfyrfjvyqti.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\ocbmectlwsubfujttb.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\ocbmectlwsubfujttb.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\mcdqkkdxkimvbsjvxhiy.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\mcdqkkdxkimvbsjvxhiy.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\fsqaroevfabhkymvu.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\zooatskdpmpxcsitudd.exe	zcqqxkq.exe
File created	C:\Windows\SysWOW64\cyfyyeddwakzlifxfvcyfy.edd	zcqqxkq.exe
File created	C:\Windows\SysWOW64\taswhyitxmhhemuxqrjqimxoyjncxxuck.ghz	zcqqxkq.exe
File opened for modification	C:\Windows\SysWOW64\bsuideythglvcumzcnpgi.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\fsqaroevfabhkymvu.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\bsuideythglvcumzcnpgi.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\bsuideythglvcumzcnpgi.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\bsuideythglvcumzcnpgi.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\fsqaroevfabhkymvu.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\ocbmectlwsubfujttb.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\zooatskdpmpxcsitudd.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\ykhqgcrhqkkprerz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\zooatskdpmpxcsitudd.exe	zcqqxkq.exe
File opened for modification	C:\Windows\SysWOW64\mcdqkkdxkimvbsjvxhiy.exe	zcqqxkq.exe
File opened for modification	C:\Windows\SysWOW64\taswhyitxmhhemuxqrjqimxoyjncxxuck.ghz	zcqqxkq.exe
File opened for modification	C:\Windows\SysWOW64\zooatskdpmpxcsitudd.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\zooatskdpmpxcsitudd.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\mcdqkkdxkimvbsjvxhiy.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\fsqaroevfabhkymvu.exe	zcqqxkq.exe
File opened for modification	C:\Windows\SysWOW64\ocbmectlwsubfujttb.exe	zcqqxkq.exe
File opened for modification	C:\Windows\SysWOW64\ocbmectlwsubfujttb.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\zooatskdpmpxcsitudd.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\bsuideythglvcumzcnpgi.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\ykhqgcrhqkkprerz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\bsuideythglvcumzcnpgi.exe	zcqqxkq.exe
File opened for modification	C:\Windows\SysWOW64\fsqaroevfabhkymvu.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\mcdqkkdxkimvbsjvxhiy.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\skncyavrggmxfyrfjvyqti.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\zooatskdpmpxcsitudd.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\mcdqkkdxkimvbsjvxhiy.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\skncyavrggmxfyrfjvyqti.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\mcdqkkdxkimvbsjvxhiy.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\fsqaroevfabhkymvu.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\zooatskdpmpxcsitudd.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\mcdqkkdxkimvbsjvxhiy.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\bsuideythglvcumzcnpgi.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\bsuideythglvcumzcnpgi.exe	bbygorkllli.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\cyfyyeddwakzlifxfvcyfy.edd	zcqqxkq.exe
File created	C:\Program Files (x86)\cyfyyeddwakzlifxfvcyfy.edd	zcqqxkq.exe
File opened for modification	C:\Program Files (x86)\taswhyitxmhhemuxqrjqimxoyjncxxuck.ghz	zcqqxkq.exe
File created	C:\Program Files (x86)\taswhyitxmhhemuxqrjqimxoyjncxxuck.ghz	zcqqxkq.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\zooatskdpmpxcsitudd.exe	zcqqxkq.exe
File opened for modification	C:\Windows\fsqaroevfabhkymvu.exe	bbygorkllli.exe
File opened for modification	C:\Windows\ocbmectlwsubfujttb.exe	bbygorkllli.exe
File opened for modification	C:\Windows\mcdqkkdxkimvbsjvxhiy.exe	bbygorkllli.exe
File opened for modification	C:\Windows\skncyavrggmxfyrfjvyqti.exe	bbygorkllli.exe
File opened for modification	C:\Windows\mcdqkkdxkimvbsjvxhiy.exe	bbygorkllli.exe
File opened for modification	C:\Windows\bsuideythglvcumzcnpgi.exe	bbygorkllli.exe
File opened for modification	C:\Windows\ykhqgcrhqkkprerz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\skncyavrggmxfyrfjvyqti.exe	bbygorkllli.exe
File opened for modification	C:\Windows\skncyavrggmxfyrfjvyqti.exe	zcqqxkq.exe
File opened for modification	C:\Windows\zooatskdpmpxcsitudd.exe	zcqqxkq.exe
File opened for modification	C:\Windows\bsuideythglvcumzcnpgi.exe	zcqqxkq.exe
File opened for modification	C:\Windows\taswhyitxmhhemuxqrjqimxoyjncxxuck.ghz	zcqqxkq.exe
File opened for modification	C:\Windows\zooatskdpmpxcsitudd.exe	bbygorkllli.exe
File opened for modification	C:\Windows\ykhqgcrhqkkprerz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\fsqaroevfabhkymvu.exe	bbygorkllli.exe
File opened for modification	C:\Windows\mcdqkkdxkimvbsjvxhiy.exe	bbygorkllli.exe
File opened for modification	C:\Windows\zooatskdpmpxcsitudd.exe	bbygorkllli.exe
File opened for modification	C:\Windows\skncyavrggmxfyrfjvyqti.exe	bbygorkllli.exe
File opened for modification	C:\Windows\skncyavrggmxfyrfjvyqti.exe	bbygorkllli.exe
File opened for modification	C:\Windows\mcdqkkdxkimvbsjvxhiy.exe	bbygorkllli.exe
File opened for modification	C:\Windows\bsuideythglvcumzcnpgi.exe	bbygorkllli.exe
File opened for modification	C:\Windows\mcdqkkdxkimvbsjvxhiy.exe	bbygorkllli.exe
File opened for modification	C:\Windows\ykhqgcrhqkkprerz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\ocbmectlwsubfujttb.exe	bbygorkllli.exe
File opened for modification	C:\Windows\bsuideythglvcumzcnpgi.exe	bbygorkllli.exe
File opened for modification	C:\Windows\ykhqgcrhqkkprerz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\bsuideythglvcumzcnpgi.exe	bbygorkllli.exe
File created	C:\Windows\taswhyitxmhhemuxqrjqimxoyjncxxuck.ghz	zcqqxkq.exe
File opened for modification	C:\Windows\fsqaroevfabhkymvu.exe	bbygorkllli.exe
File opened for modification	C:\Windows\skncyavrggmxfyrfjvyqti.exe	bbygorkllli.exe
File opened for modification	C:\Windows\bsuideythglvcumzcnpgi.exe	bbygorkllli.exe
File opened for modification	C:\Windows\bsuideythglvcumzcnpgi.exe	bbygorkllli.exe
File opened for modification	C:\Windows\ocbmectlwsubfujttb.exe	zcqqxkq.exe
File opened for modification	C:\Windows\mcdqkkdxkimvbsjvxhiy.exe	zcqqxkq.exe
File opened for modification	C:\Windows\skncyavrggmxfyrfjvyqti.exe	bbygorkllli.exe
File opened for modification	C:\Windows\zooatskdpmpxcsitudd.exe	bbygorkllli.exe
File opened for modification	C:\Windows\mcdqkkdxkimvbsjvxhiy.exe	bbygorkllli.exe
File opened for modification	C:\Windows\fsqaroevfabhkymvu.exe	bbygorkllli.exe
File opened for modification	C:\Windows\ocbmectlwsubfujttb.exe	bbygorkllli.exe
File opened for modification	C:\Windows\ykhqgcrhqkkprerz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\ykhqgcrhqkkprerz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\fsqaroevfabhkymvu.exe	zcqqxkq.exe
File created	C:\Windows\cyfyyeddwakzlifxfvcyfy.edd	zcqqxkq.exe
File opened for modification	C:\Windows\ocbmectlwsubfujttb.exe	bbygorkllli.exe
File opened for modification	C:\Windows\fsqaroevfabhkymvu.exe	zcqqxkq.exe
File opened for modification	C:\Windows\ocbmectlwsubfujttb.exe	zcqqxkq.exe
File opened for modification	C:\Windows\skncyavrggmxfyrfjvyqti.exe	zcqqxkq.exe
File opened for modification	C:\Windows\fsqaroevfabhkymvu.exe	bbygorkllli.exe
File opened for modification	C:\Windows\mcdqkkdxkimvbsjvxhiy.exe	bbygorkllli.exe
File opened for modification	C:\Windows\mcdqkkdxkimvbsjvxhiy.exe	bbygorkllli.exe
File opened for modification	C:\Windows\mcdqkkdxkimvbsjvxhiy.exe	bbygorkllli.exe
File opened for modification	C:\Windows\skncyavrggmxfyrfjvyqti.exe	bbygorkllli.exe
File opened for modification	C:\Windows\bsuideythglvcumzcnpgi.exe	zcqqxkq.exe
File opened for modification	C:\Windows\cyfyyeddwakzlifxfvcyfy.edd	zcqqxkq.exe
File opened for modification	C:\Windows\ykhqgcrhqkkprerz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\fsqaroevfabhkymvu.exe	bbygorkllli.exe
File opened for modification	C:\Windows\zooatskdpmpxcsitudd.exe	bbygorkllli.exe
File opened for modification	C:\Windows\bsuideythglvcumzcnpgi.exe	bbygorkllli.exe
File opened for modification	C:\Windows\skncyavrggmxfyrfjvyqti.exe	bbygorkllli.exe
File opened for modification	C:\Windows\ocbmectlwsubfujttb.exe	bbygorkllli.exe
File opened for modification	C:\Windows\fsqaroevfabhkymvu.exe	bbygorkllli.exe
File opened for modification	C:\Windows\ykhqgcrhqkkprerz.exe	zcqqxkq.exe
File opened for modification	C:\Windows\ocbmectlwsubfujttb.exe	bbygorkllli.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ocumlynhzrubfujttb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mcwqrgxtnhmvbsjvxhiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zooatskdpmpxcsitudd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bsuideythglvcumzcnpgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mcdqkkdxkimvbsjvxhiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ykhqgcrhqkkprerz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fsqaroevfabhkymvu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ocbmectlwsubfujttb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bsnikaspkflvcumzcnpgb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mcdqkkdxkimvbsjvxhiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bsuideythglvcumzcnpgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ykhqgcrhqkkprerz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fsqaroevfabhkymvu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mcdqkkdxkimvbsjvxhiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fsqaroevfabhkymvu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zooatskdpmpxcsitudd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zooatskdpmpxcsitudd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ykhqgcrhqkkprerz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fsjaykyrizbhkymvu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ocbmectlwsubfujttb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fsqaroevfabhkymvu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ocbmectlwsubfujttb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bbygorkllli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zooatskdpmpxcsitudd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ocbmectlwsubfujttb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ykhqgcrhqkkprerz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bsuideythglvcumzcnpgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ocumlynhzrubfujttb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fsjaykyrizbhkymvu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ocumlynhzrubfujttb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ocbmectlwsubfujttb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mcdqkkdxkimvbsjvxhiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ocbmectlwsubfujttb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zooatskdpmpxcsitudd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bsuideythglvcumzcnpgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ocbmectlwsubfujttb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ykhqgcrhqkkprerz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zohaaoezslpxcsitudd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mcdqkkdxkimvbsjvxhiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bsuideythglvcumzcnpgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bsuideythglvcumzcnpgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bsuideythglvcumzcnpgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bsnikaspkflvcumzcnpgb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bsuideythglvcumzcnpgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mcdqkkdxkimvbsjvxhiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zooatskdpmpxcsitudd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zooatskdpmpxcsitudd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ykhqgcrhqkkprerz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mcdqkkdxkimvbsjvxhiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mcdqkkdxkimvbsjvxhiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mcdqkkdxkimvbsjvxhiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zohaaoezslpxcsitudd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mcwqrgxtnhmvbsjvxhiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ocbmectlwsubfujttb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ocbmectlwsubfujttb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mcdqkkdxkimvbsjvxhiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ocbmectlwsubfujttb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fsqaroevfabhkymvu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mcwqrgxtnhmvbsjvxhiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bsnikaspkflvcumzcnpgb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ocbmectlwsubfujttb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zohaaoezslpxcsitudd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mcdqkkdxkimvbsjvxhiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fsqaroevfabhkymvu.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
2320	JaffaCakes118_93a97780416038bcd6b1b53e917bdf4f.exe
2320	JaffaCakes118_93a97780416038bcd6b1b53e917bdf4f.exe
2320	JaffaCakes118_93a97780416038bcd6b1b53e917bdf4f.exe
2320	JaffaCakes118_93a97780416038bcd6b1b53e917bdf4f.exe
2320	JaffaCakes118_93a97780416038bcd6b1b53e917bdf4f.exe
2320	JaffaCakes118_93a97780416038bcd6b1b53e917bdf4f.exe
2320	JaffaCakes118_93a97780416038bcd6b1b53e917bdf4f.exe
2320	JaffaCakes118_93a97780416038bcd6b1b53e917bdf4f.exe
2320	JaffaCakes118_93a97780416038bcd6b1b53e917bdf4f.exe
2320	JaffaCakes118_93a97780416038bcd6b1b53e917bdf4f.exe
2320	JaffaCakes118_93a97780416038bcd6b1b53e917bdf4f.exe
2320	JaffaCakes118_93a97780416038bcd6b1b53e917bdf4f.exe
2320	JaffaCakes118_93a97780416038bcd6b1b53e917bdf4f.exe
2320	JaffaCakes118_93a97780416038bcd6b1b53e917bdf4f.exe
2320	JaffaCakes118_93a97780416038bcd6b1b53e917bdf4f.exe
2320	JaffaCakes118_93a97780416038bcd6b1b53e917bdf4f.exe
1552	zcqqxkq.exe
1552	zcqqxkq.exe
2320	JaffaCakes118_93a97780416038bcd6b1b53e917bdf4f.exe
2320	JaffaCakes118_93a97780416038bcd6b1b53e917bdf4f.exe
2320	JaffaCakes118_93a97780416038bcd6b1b53e917bdf4f.exe
2320	JaffaCakes118_93a97780416038bcd6b1b53e917bdf4f.exe
2320	JaffaCakes118_93a97780416038bcd6b1b53e917bdf4f.exe
2320	JaffaCakes118_93a97780416038bcd6b1b53e917bdf4f.exe
2320	JaffaCakes118_93a97780416038bcd6b1b53e917bdf4f.exe
2320	JaffaCakes118_93a97780416038bcd6b1b53e917bdf4f.exe
2320	JaffaCakes118_93a97780416038bcd6b1b53e917bdf4f.exe
2320	JaffaCakes118_93a97780416038bcd6b1b53e917bdf4f.exe
2320	JaffaCakes118_93a97780416038bcd6b1b53e917bdf4f.exe
2320	JaffaCakes118_93a97780416038bcd6b1b53e917bdf4f.exe
2320	JaffaCakes118_93a97780416038bcd6b1b53e917bdf4f.exe
2320	JaffaCakes118_93a97780416038bcd6b1b53e917bdf4f.exe
2320	JaffaCakes118_93a97780416038bcd6b1b53e917bdf4f.exe
2320	JaffaCakes118_93a97780416038bcd6b1b53e917bdf4f.exe
2320	JaffaCakes118_93a97780416038bcd6b1b53e917bdf4f.exe
2320	JaffaCakes118_93a97780416038bcd6b1b53e917bdf4f.exe
2320	JaffaCakes118_93a97780416038bcd6b1b53e917bdf4f.exe
2320	JaffaCakes118_93a97780416038bcd6b1b53e917bdf4f.exe
2320	JaffaCakes118_93a97780416038bcd6b1b53e917bdf4f.exe
2320	JaffaCakes118_93a97780416038bcd6b1b53e917bdf4f.exe
2320	JaffaCakes118_93a97780416038bcd6b1b53e917bdf4f.exe
2320	JaffaCakes118_93a97780416038bcd6b1b53e917bdf4f.exe
2320	JaffaCakes118_93a97780416038bcd6b1b53e917bdf4f.exe
2320	JaffaCakes118_93a97780416038bcd6b1b53e917bdf4f.exe
2320	JaffaCakes118_93a97780416038bcd6b1b53e917bdf4f.exe
2320	JaffaCakes118_93a97780416038bcd6b1b53e917bdf4f.exe
2320	JaffaCakes118_93a97780416038bcd6b1b53e917bdf4f.exe
2320	JaffaCakes118_93a97780416038bcd6b1b53e917bdf4f.exe
2320	JaffaCakes118_93a97780416038bcd6b1b53e917bdf4f.exe
2320	JaffaCakes118_93a97780416038bcd6b1b53e917bdf4f.exe
2320	JaffaCakes118_93a97780416038bcd6b1b53e917bdf4f.exe
2320	JaffaCakes118_93a97780416038bcd6b1b53e917bdf4f.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1552	zcqqxkq.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 3244	2320	JaffaCakes118_93a97780416038bcd6b1b53e917bdf4f.exe	91
PID 2320 wrote to memory of 3244	2320	JaffaCakes118_93a97780416038bcd6b1b53e917bdf4f.exe	91
PID 2320 wrote to memory of 3244	2320	JaffaCakes118_93a97780416038bcd6b1b53e917bdf4f.exe	91
PID 1976 wrote to memory of 4864	1976	cmd.exe	94
PID 1976 wrote to memory of 4864	1976	cmd.exe	94
PID 1976 wrote to memory of 4864	1976	cmd.exe	94
PID 3564 wrote to memory of 1348	3564	cmd.exe	98
PID 3564 wrote to memory of 1348	3564	cmd.exe	98
PID 3564 wrote to memory of 1348	3564	cmd.exe	98
PID 1348 wrote to memory of 4636	1348	fsqaroevfabhkymvu.exe	102
PID 1348 wrote to memory of 4636	1348	fsqaroevfabhkymvu.exe	102
PID 1348 wrote to memory of 4636	1348	fsqaroevfabhkymvu.exe	102
PID 2484 wrote to memory of 4744	2484	cmd.exe	105
PID 2484 wrote to memory of 4744	2484	cmd.exe	105
PID 2484 wrote to memory of 4744	2484	cmd.exe	105
PID 4788 wrote to memory of 4544	4788	cmd.exe	108
PID 4788 wrote to memory of 4544	4788	cmd.exe	108
PID 4788 wrote to memory of 4544	4788	cmd.exe	108
PID 2240 wrote to memory of 4688	2240	cmd.exe	236
PID 2240 wrote to memory of 4688	2240	cmd.exe	236
PID 2240 wrote to memory of 4688	2240	cmd.exe	236
PID 4544 wrote to memory of 3328	4544	bsuideythglvcumzcnpgi.exe	141
PID 4544 wrote to memory of 3328	4544	bsuideythglvcumzcnpgi.exe	141
PID 4544 wrote to memory of 3328	4544	bsuideythglvcumzcnpgi.exe	141
PID 392 wrote to memory of 3968	392	cmd.exe	113
PID 392 wrote to memory of 3968	392	cmd.exe	113
PID 392 wrote to memory of 3968	392	cmd.exe	113
PID 3968 wrote to memory of 668	3968	mcdqkkdxkimvbsjvxhiy.exe	115
PID 3968 wrote to memory of 668	3968	mcdqkkdxkimvbsjvxhiy.exe	115
PID 3968 wrote to memory of 668	3968	mcdqkkdxkimvbsjvxhiy.exe	115
PID 2640 wrote to memory of 3492	2640	cmd.exe	172
PID 2640 wrote to memory of 3492	2640	cmd.exe	172
PID 2640 wrote to memory of 3492	2640	cmd.exe	172
PID 2008 wrote to memory of 1516	2008	cmd.exe	267
PID 2008 wrote to memory of 1516	2008	cmd.exe	267
PID 2008 wrote to memory of 1516	2008	cmd.exe	267
PID 1516 wrote to memory of 544	1516	bsuideythglvcumzcnpgi.exe	321
PID 1516 wrote to memory of 544	1516	bsuideythglvcumzcnpgi.exe	321
PID 1516 wrote to memory of 544	1516	bsuideythglvcumzcnpgi.exe	321
PID 4428 wrote to memory of 4920	4428	cmd.exe	400
PID 4428 wrote to memory of 4920	4428	cmd.exe	400
PID 4428 wrote to memory of 4920	4428	cmd.exe	400
PID 3536 wrote to memory of 4192	3536	cmd.exe	127
PID 3536 wrote to memory of 4192	3536	cmd.exe	127
PID 3536 wrote to memory of 4192	3536	cmd.exe	127
PID 4192 wrote to memory of 3200	4192	ocumlynhzrubfujttb.exe	132
PID 4192 wrote to memory of 3200	4192	ocumlynhzrubfujttb.exe	132
PID 4192 wrote to memory of 3200	4192	ocumlynhzrubfujttb.exe	132
PID 1976 wrote to memory of 2504	1976	cmd.exe	316
PID 1976 wrote to memory of 2504	1976	cmd.exe	316
PID 1976 wrote to memory of 2504	1976	cmd.exe	316
PID 3540 wrote to memory of 4348	3540	cmd.exe	136
PID 3540 wrote to memory of 4348	3540	cmd.exe	136
PID 3540 wrote to memory of 4348	3540	cmd.exe	136
PID 3244 wrote to memory of 1552	3244	bbygorkllli.exe	137
PID 3244 wrote to memory of 1552	3244	bbygorkllli.exe	137
PID 3244 wrote to memory of 1552	3244	bbygorkllli.exe	137
PID 3244 wrote to memory of 3056	3244	bbygorkllli.exe	139
PID 3244 wrote to memory of 3056	3244	bbygorkllli.exe	139
PID 3244 wrote to memory of 3056	3244	bbygorkllli.exe	139
PID 4348 wrote to memory of 4664	4348	fsjaykyrizbhkymvu.exe	425
PID 4348 wrote to memory of 4664	4348	fsjaykyrizbhkymvu.exe	425
PID 4348 wrote to memory of 4664	4348	fsjaykyrizbhkymvu.exe	425
PID 3812 wrote to memory of 4248	3812	cmd.exe	145

System policy modification 1 TTPs 64 IoCs

defense_evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	zcqqxkq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	zcqqxkq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	zcqqxkq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	zcqqxkq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	zcqqxkq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	zcqqxkq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	zcqqxkq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	zcqqxkq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	zcqqxkq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	zcqqxkq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	zcqqxkq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	zcqqxkq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	zcqqxkq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	zcqqxkq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	zcqqxkq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	zcqqxkq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	zcqqxkq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	zcqqxkq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	zcqqxkq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	zcqqxkq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	zcqqxkq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	zcqqxkq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	zcqqxkq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	zcqqxkq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_93a97780416038bcd6b1b53e917bdf4f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_93a97780416038bcd6b1b53e917bdf4f.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
  "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_93a97780416038bcd6b1b53e917bdf4f.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3244
- - C:\Users\Admin\AppData\Local\Temp\zcqqxkq.exe
    "C:\Users\Admin\AppData\Local\Temp\zcqqxkq.exe" "-c:\users\admin\appdata\local\temp\jaffacakes118_93a97780416038bcd6b1b53e917bdf4f.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:1552
- - C:\Users\Admin\AppData\Local\Temp\zcqqxkq.exe
    "C:\Users\Admin\AppData\Local\Temp\zcqqxkq.exe" "-c:\users\admin\appdata\local\temp\jaffacakes118_93a97780416038bcd6b1b53e917bdf4f.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ykhqgcrhqkkprerz.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\ykhqgcrhqkkprerz.exe
  ykhqgcrhqkkprerz.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fsqaroevfabhkymvu.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:3564
- C:\Windows\fsqaroevfabhkymvu.exe
  fsqaroevfabhkymvu.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1348
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\fsqaroevfabhkymvu.exe*."
    3⤵
    - Executes dropped EXE
    PID:4636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mcdqkkdxkimvbsjvxhiy.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Windows\mcdqkkdxkimvbsjvxhiy.exe
  mcdqkkdxkimvbsjvxhiy.exe
  2⤵
  - Executes dropped EXE
  PID:4744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bsuideythglvcumzcnpgi.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:4788
- C:\Windows\bsuideythglvcumzcnpgi.exe
  bsuideythglvcumzcnpgi.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4544
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\bsuideythglvcumzcnpgi.exe*."
    3⤵
    - Executes dropped EXE
    PID:3328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe
  C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:392
- C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3968
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - System policy modification
    PID:668
  - - C:\Users\Admin\AppData\Local\Temp\bchmy.exe
      "C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe"
      4⤵
      PID:544
  - - C:\Users\Admin\AppData\Local\Temp\bchmy.exe
      "C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe"
      4⤵
      PID:464
  - - C:\Users\Admin\AppData\Local\Temp\bchmy.exe
      "C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe"
      4⤵
      PID:1464
  - - C:\Users\Admin\AppData\Local\Temp\bchmy.exe
      "C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe"
      4⤵
      PID:1512
  - - C:\Users\Admin\AppData\Local\Temp\bchmy.exe
      "C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe"
      4⤵
      PID:3580
  - - C:\Users\Admin\AppData\Local\Temp\bchmy.exe
      "C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe"
      4⤵
      PID:3188
  - - C:\Users\Admin\AppData\Local\Temp\bchmy.exe
      "C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe"
      4⤵
      PID:6020
  - - C:\Users\Admin\AppData\Local\Temp\bchmy.exe
      "C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe"
      4⤵
      PID:6104
  - - C:\Users\Admin\AppData\Local\Temp\bchmy.exe
      "C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe"
      4⤵
      PID:3996
  - - C:\Users\Admin\AppData\Local\Temp\bchmy.exe
      "C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe"
      4⤵
      PID:1304
  - - C:\Users\Admin\AppData\Local\Temp\bchmy.exe
      "C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe"
      4⤵
      PID:4200
  - - C:\Users\Admin\AppData\Local\Temp\bchmy.exe
      "C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe"
      4⤵
      PID:692
  - - C:\Users\Admin\AppData\Local\Temp\bchmy.exe
      "C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe"
      4⤵
      PID:5192
  - - C:\Users\Admin\AppData\Local\Temp\bchmy.exe
      "C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe"
      4⤵
      PID:4708
  - - C:\Users\Admin\AppData\Local\Temp\bchmy.exe
      "C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe"
      4⤵
      PID:3444
  - - C:\Users\Admin\AppData\Local\Temp\bchmy.exe
      "C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe"
      4⤵
      PID:3144
  - - C:\Users\Admin\AppData\Local\Temp\bchmy.exe
      "C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe"
      4⤵
      PID:924
  - - C:\Users\Admin\AppData\Local\Temp\bchmy.exe
      "C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe"
      4⤵
      PID:5192
  - - C:\Users\Admin\AppData\Local\Temp\bchmy.exe
      "C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe"
      4⤵
      PID:4388
  - - C:\Users\Admin\AppData\Local\Temp\bchmy.exe
      "C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe"
      4⤵
      PID:6100
  - - C:\Users\Admin\AppData\Local\Temp\bchmy.exe
      "C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe"
      4⤵
      PID:5772
  - - C:\Users\Admin\AppData\Local\Temp\bchmy.exe
      "C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe"
      4⤵
      PID:5728
  - - C:\Users\Admin\AppData\Local\Temp\bchmy.exe
      "C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe"
      4⤵
      PID:4800
  - - C:\Users\Admin\AppData\Local\Temp\bchmy.exe
      "C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe"
      4⤵
      PID:4520
  - - C:\Users\Admin\AppData\Local\Temp\bchmy.exe
      "C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe"
      4⤵
      PID:4832
  - - C:\Users\Admin\AppData\Local\Temp\bchmy.exe
      "C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe"
      4⤵
      PID:3436
  - - C:\Users\Admin\AppData\Local\Temp\bchmy.exe
      "C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe"
      4⤵
      PID:5768
  - - C:\Users\Admin\AppData\Local\Temp\bchmy.exe
      "C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe"
      4⤵
      PID:3700
  - - C:\Users\Admin\AppData\Local\Temp\bchmy.exe
      "C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe"
      4⤵
      PID:5172
  - - C:\Users\Admin\AppData\Local\Temp\bchmy.exe
      "C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe"
      4⤵
      PID:1828
  - - C:\Users\Admin\AppData\Local\Temp\bchmy.exe
      "C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe"
      4⤵
      PID:2964
  - - C:\Users\Admin\AppData\Local\Temp\bchmy.exe
      "C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe"
      4⤵
      PID:4748
  - - C:\Users\Admin\AppData\Local\Temp\bchmy.exe
      "C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe"
      4⤵
      PID:6116
  - - C:\Users\Admin\AppData\Local\Temp\bchmy.exe
      "C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe"
      4⤵
      PID:5348
  - - C:\Users\Admin\AppData\Local\Temp\bchmy.exe
      "C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe"
      4⤵
      PID:2964
  - - C:\Users\Admin\AppData\Local\Temp\bchmy.exe
      "C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe"
      4⤵
      PID:2020
  - - C:\Users\Admin\AppData\Local\Temp\bchmy.exe
      "C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe"
      4⤵
      PID:3188
  - - C:\Users\Admin\AppData\Local\Temp\bchmy.exe
      "C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe"
      4⤵
      PID:5636
  - - C:\Users\Admin\AppData\Local\Temp\bchmy.exe
      "C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe"
      4⤵
      PID:3412
  - - C:\Users\Admin\AppData\Local\Temp\bchmy.exe
      "C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe"
      4⤵
      PID:3692
  - - C:\Users\Admin\AppData\Local\Temp\bchmy.exe
      "C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe"
      4⤵
      PID:2268
  - - C:\Users\Admin\AppData\Local\Temp\bchmy.exe
      "C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe"
      4⤵
      PID:3992
  - - C:\Users\Admin\AppData\Local\Temp\bchmy.exe
      "C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe"
      4⤵
      PID:5976
  - - C:\Users\Admin\AppData\Local\Temp\bchmy.exe
      "C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe"
      4⤵
      PID:2888
  - - C:\Users\Admin\AppData\Local\Temp\bchmy.exe
      "C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe"
      4⤵
      PID:3436
  - - C:\Users\Admin\AppData\Local\Temp\bchmy.exe
      "C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe"
      4⤵
      PID:2248
  - - C:\Users\Admin\AppData\Local\Temp\bchmy.exe
      "C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe"
      4⤵
      PID:1844
  - - C:\Users\Admin\AppData\Local\Temp\bchmy.exe
      "C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe"
      4⤵
      PID:2272
  - - C:\Users\Admin\AppData\Local\Temp\bchmy.exe
      "C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe"
      4⤵
      PID:3264
  - - C:\Users\Admin\AppData\Local\Temp\bchmy.exe
      "C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe"
      4⤵
      PID:5336
  - - C:\Users\Admin\AppData\Local\Temp\bchmy.exe
      "C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe"
      4⤵
      PID:1300
  - - C:\Users\Admin\AppData\Local\Temp\bchmy.exe
      "C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe"
      4⤵
      PID:3100
  - - C:\Users\Admin\AppData\Local\Temp\bchmy.exe
      "C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe"
      4⤵
      PID:5944
  - - C:\Users\Admin\AppData\Local\Temp\bchmy.exe
      "C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe"
      4⤵
      PID:716
  - - C:\Users\Admin\AppData\Local\Temp\bchmy.exe
      "C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe"
      4⤵
      PID:1940
  - - C:\Users\Admin\AppData\Local\Temp\bchmy.exe
      "C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe"
      4⤵
      PID:2388
  - - C:\Users\Admin\AppData\Local\Temp\bchmy.exe
      "C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe"
      4⤵
      PID:2412
  - - C:\Users\Admin\AppData\Local\Temp\bchmy.exe
      "C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe"
      4⤵
      PID:216
  - - C:\Users\Admin\AppData\Local\Temp\bchmy.exe
      "C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe"
      4⤵
      PID:1396
  - - C:\Users\Admin\AppData\Local\Temp\bchmy.exe
      "C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe"
      4⤵
      PID:2072
  - - C:\Users\Admin\AppData\Local\Temp\bchmy.exe
      "C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe"
      4⤵
      PID:6104
  - - C:\Users\Admin\AppData\Local\Temp\bchmy.exe
      "C:\Users\Admin\AppData\Local\Temp\bchmy.exe" "-c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe"
      4⤵
      PID:3672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe
  C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1516
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bsuideythglvcumzcnpgi.exe*."
    3⤵
    - Executes dropped EXE
    PID:544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mcwqrgxtnhmvbsjvxhiy.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4428
- C:\Windows\mcwqrgxtnhmvbsjvxhiy.exe
  mcwqrgxtnhmvbsjvxhiy.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocumlynhzrubfujttb.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:3536
- C:\Windows\ocumlynhzrubfujttb.exe
  ocumlynhzrubfujttb.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4192
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ocumlynhzrubfujttb.exe*."
    3⤵
    - Executes dropped EXE
    PID:3200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bsnikaspkflvcumzcnpgb.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\bsnikaspkflvcumzcnpgb.exe
  bsnikaspkflvcumzcnpgb.exe
  2⤵
  PID:2504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fsjaykyrizbhkymvu.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:3540
- C:\Windows\fsjaykyrizbhkymvu.exe
  fsjaykyrizbhkymvu.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4348
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\fsjaykyrizbhkymvu.exe*."
    3⤵
    - Executes dropped EXE
    PID:4664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zohaaoezslpxcsitudd.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3812
- C:\Users\Admin\AppData\Local\Temp\zohaaoezslpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\zohaaoezslpxcsitudd.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcwqrgxtnhmvbsjvxhiy.exe .
1⤵
PID:3088
- C:\Users\Admin\AppData\Local\Temp\mcwqrgxtnhmvbsjvxhiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcwqrgxtnhmvbsjvxhiy.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2400
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\mcwqrgxtnhmvbsjvxhiy.exe*."
    3⤵
    - Executes dropped EXE
    PID:2484

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:3328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocumlynhzrubfujttb.exe
1⤵
PID:3240
- C:\Users\Admin\AppData\Local\Temp\ocumlynhzrubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ocumlynhzrubfujttb.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsnikaspkflvcumzcnpgb.exe .
1⤵
PID:1600
- C:\Users\Admin\AppData\Local\Temp\bsnikaspkflvcumzcnpgb.exe
  C:\Users\Admin\AppData\Local\Temp\bsnikaspkflvcumzcnpgb.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2828
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bsnikaspkflvcumzcnpgb.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zooatskdpmpxcsitudd.exe
1⤵
PID:4344
- C:\Windows\zooatskdpmpxcsitudd.exe
  zooatskdpmpxcsitudd.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bsuideythglvcumzcnpgi.exe .
1⤵
PID:544
- C:\Windows\bsuideythglvcumzcnpgi.exe
  bsuideythglvcumzcnpgi.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:636
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\bsuideythglvcumzcnpgi.exe*."
    3⤵
    - Executes dropped EXE
    PID:3816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ykhqgcrhqkkprerz.exe
1⤵
PID:4936
- C:\Windows\ykhqgcrhqkkprerz.exe
  ykhqgcrhqkkprerz.exe
  2⤵
  - Executes dropped EXE
  PID:4024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ykhqgcrhqkkprerz.exe
1⤵
PID:4840
- C:\Windows\ykhqgcrhqkkprerz.exe
  ykhqgcrhqkkprerz.exe
  2⤵
  - Executes dropped EXE
  PID:4412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocbmectlwsubfujttb.exe .
1⤵
PID:2660
- C:\Windows\ocbmectlwsubfujttb.exe
  ocbmectlwsubfujttb.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4556
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ocbmectlwsubfujttb.exe*."
    3⤵
    - Executes dropped EXE
    PID:3572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zooatskdpmpxcsitudd.exe .
1⤵
PID:4864
- C:\Windows\zooatskdpmpxcsitudd.exe
  zooatskdpmpxcsitudd.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2412
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\zooatskdpmpxcsitudd.exe*."
    3⤵
    - Executes dropped EXE
    PID:3456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fsqaroevfabhkymvu.exe
1⤵
PID:4876
- C:\Users\Admin\AppData\Local\Temp\fsqaroevfabhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\fsqaroevfabhkymvu.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe .
1⤵
PID:3220
- C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:636
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ocbmectlwsubfujttb.exe*."
    3⤵
    - Executes dropped EXE
    PID:3980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bsuideythglvcumzcnpgi.exe
1⤵
PID:3408
- C:\Windows\bsuideythglvcumzcnpgi.exe
  bsuideythglvcumzcnpgi.exe
  2⤵
  - Executes dropped EXE
  PID:3000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zooatskdpmpxcsitudd.exe .
1⤵
PID:3492
- C:\Windows\zooatskdpmpxcsitudd.exe
  zooatskdpmpxcsitudd.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4748
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\zooatskdpmpxcsitudd.exe*."
    3⤵
    - Executes dropped EXE
    PID:5016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe
1⤵
PID:4820
- C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe
  2⤵
  - Executes dropped EXE
  PID:2788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe
1⤵
PID:3440
- C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe
  2⤵
  - Executes dropped EXE
  PID:3244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe .
1⤵
PID:3704
- C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:712
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ocbmectlwsubfujttb.exe*."
    3⤵
    - Executes dropped EXE
    PID:2588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe .
1⤵
PID:3832
- C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4252
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe*."
    3⤵
    - Executes dropped EXE
    PID:2064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fsqaroevfabhkymvu.exe
1⤵
PID:3764
- C:\Users\Admin\AppData\Local\Temp\fsqaroevfabhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\fsqaroevfabhkymvu.exe
  2⤵
  - Executes dropped EXE
  PID:2716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe .
1⤵
PID:3816
- C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4976
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe*."
    3⤵
    - Executes dropped EXE
    PID:3572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocbmectlwsubfujttb.exe
1⤵
PID:4344
- C:\Windows\ocbmectlwsubfujttb.exe
  ocbmectlwsubfujttb.exe
  2⤵
  - Executes dropped EXE
  PID:2008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ykhqgcrhqkkprerz.exe .
1⤵
PID:3000
- C:\Windows\ykhqgcrhqkkprerz.exe
  ykhqgcrhqkkprerz.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:716
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ykhqgcrhqkkprerz.exe*."
    3⤵
    - Executes dropped EXE
    PID:1908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocbmectlwsubfujttb.exe
1⤵
PID:4404
- C:\Windows\ocbmectlwsubfujttb.exe
  ocbmectlwsubfujttb.exe
  2⤵
  - Executes dropped EXE
  PID:832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bsuideythglvcumzcnpgi.exe .
1⤵
PID:2468
- C:\Windows\bsuideythglvcumzcnpgi.exe
  bsuideythglvcumzcnpgi.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1300
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\bsuideythglvcumzcnpgi.exe*."
    3⤵
    - Executes dropped EXE
    PID:4360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fsqaroevfabhkymvu.exe
1⤵
PID:224
- C:\Users\Admin\AppData\Local\Temp\fsqaroevfabhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\fsqaroevfabhkymvu.exe
  2⤵
  - Executes dropped EXE
  PID:4748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe .
1⤵
PID:1596
- C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe
  C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4556
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bsuideythglvcumzcnpgi.exe*."
    3⤵
    - Executes dropped EXE
    PID:3676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ykaqnyldtjkprerz.exe
1⤵
PID:2964
- C:\Windows\ykaqnyldtjkprerz.exe
  ykaqnyldtjkprerz.exe
  2⤵
  PID:628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe
1⤵
PID:1672
- C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe
  2⤵
  - Executes dropped EXE
  PID:1472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fsqaroevfabhkymvu.exe .
1⤵
PID:4688
- C:\Users\Admin\AppData\Local\Temp\fsqaroevfabhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\fsqaroevfabhkymvu.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3816
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\fsqaroevfabhkymvu.exe*."
    3⤵
    - Executes dropped EXE
    PID:3568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bsnikaspkflvcumzcnpgb.exe .
1⤵
PID:3656
- C:\Windows\bsnikaspkflvcumzcnpgb.exe
  bsnikaspkflvcumzcnpgb.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4656
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\bsnikaspkflvcumzcnpgb.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fsjaykyrizbhkymvu.exe
1⤵
PID:2368
- C:\Windows\fsjaykyrizbhkymvu.exe
  fsjaykyrizbhkymvu.exe
  2⤵
  PID:3808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mcwqrgxtnhmvbsjvxhiy.exe .
1⤵
PID:1408
- C:\Windows\mcwqrgxtnhmvbsjvxhiy.exe
  mcwqrgxtnhmvbsjvxhiy.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2268
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\mcwqrgxtnhmvbsjvxhiy.exe*."
    3⤵
    - Executes dropped EXE
    PID:4428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ykaqnyldtjkprerz.exe
1⤵
PID:2460
- C:\Users\Admin\AppData\Local\Temp\ykaqnyldtjkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\ykaqnyldtjkprerz.exe
  2⤵
  PID:4784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsnikaspkflvcumzcnpgb.exe .
1⤵
PID:4308
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:832
- C:\Users\Admin\AppData\Local\Temp\bsnikaspkflvcumzcnpgb.exe
  C:\Users\Admin\AppData\Local\Temp\bsnikaspkflvcumzcnpgb.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4392
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bsnikaspkflvcumzcnpgb.exe*."
    3⤵
    - Executes dropped EXE
    PID:3108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ykaqnyldtjkprerz.exe
1⤵
PID:1908
- C:\Users\Admin\AppData\Local\Temp\ykaqnyldtjkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\ykaqnyldtjkprerz.exe
  2⤵
  PID:2468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fsqaroevfabhkymvu.exe
1⤵
PID:1364
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1516
- C:\Windows\fsqaroevfabhkymvu.exe
  fsqaroevfabhkymvu.exe
  2⤵
  - Executes dropped EXE
  PID:2428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ykaqnyldtjkprerz.exe .
1⤵
PID:544
- C:\Users\Admin\AppData\Local\Temp\ykaqnyldtjkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\ykaqnyldtjkprerz.exe .
  2⤵
  PID:1596
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ykaqnyldtjkprerz.exe*."
    3⤵
    - Executes dropped EXE
    PID:4412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ykhqgcrhqkkprerz.exe
1⤵
PID:3536
- C:\Windows\ykhqgcrhqkkprerz.exe
  ykhqgcrhqkkprerz.exe
  2⤵
  - Executes dropped EXE
  PID:2456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bsuideythglvcumzcnpgi.exe .
1⤵
PID:3084
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1472
- C:\Windows\bsuideythglvcumzcnpgi.exe
  bsuideythglvcumzcnpgi.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3436
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\bsuideythglvcumzcnpgi.exe*."
    3⤵
    PID:3456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocbmectlwsubfujttb.exe .
1⤵
PID:2200
- C:\Windows\ocbmectlwsubfujttb.exe
  ocbmectlwsubfujttb.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4976
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ocbmectlwsubfujttb.exe*."
    3⤵
    PID:2472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fsqaroevfabhkymvu.exe
1⤵
PID:3680
- C:\Windows\fsqaroevfabhkymvu.exe
  fsqaroevfabhkymvu.exe
  2⤵
  PID:2460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocbmectlwsubfujttb.exe
1⤵
PID:3576
- C:\Windows\ocbmectlwsubfujttb.exe
  ocbmectlwsubfujttb.exe
  2⤵
  - Executes dropped EXE
  PID:4936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bsuideythglvcumzcnpgi.exe
1⤵
PID:4344
- C:\Windows\bsuideythglvcumzcnpgi.exe
  bsuideythglvcumzcnpgi.exe
  2⤵
  PID:4520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocbmectlwsubfujttb.exe .
1⤵
PID:3652
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2008
- C:\Windows\ocbmectlwsubfujttb.exe
  ocbmectlwsubfujttb.exe .
  2⤵
  - Checks computer location settings
  PID:4040
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ocbmectlwsubfujttb.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocbmectlwsubfujttb.exe .
1⤵
PID:3712
- C:\Windows\ocbmectlwsubfujttb.exe
  ocbmectlwsubfujttb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:868
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ocbmectlwsubfujttb.exe*."
    3⤵
    PID:5124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zooatskdpmpxcsitudd.exe .
1⤵
PID:3000
- C:\Windows\zooatskdpmpxcsitudd.exe
  zooatskdpmpxcsitudd.exe .
  2⤵
  - Checks computer location settings
  PID:4624
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\zooatskdpmpxcsitudd.exe*."
    3⤵
    PID:5232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fsqaroevfabhkymvu.exe
1⤵
PID:1580
- C:\Users\Admin\AppData\Local\Temp\fsqaroevfabhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\fsqaroevfabhkymvu.exe
  2⤵
  PID:4696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fsqaroevfabhkymvu.exe
1⤵
PID:3692
- C:\Users\Admin\AppData\Local\Temp\fsqaroevfabhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\fsqaroevfabhkymvu.exe
  2⤵
  PID:4500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe .
1⤵
PID:3052
- C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2920
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\zooatskdpmpxcsitudd.exe*."
    3⤵
    PID:5344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zooatskdpmpxcsitudd.exe
1⤵
PID:924
- C:\Windows\zooatskdpmpxcsitudd.exe
  zooatskdpmpxcsitudd.exe
  2⤵
  PID:1664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe .
1⤵
PID:4308
- C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4884
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ocbmectlwsubfujttb.exe*."
    3⤵
    PID:5292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocbmectlwsubfujttb.exe .
1⤵
PID:2012
- C:\Windows\ocbmectlwsubfujttb.exe
  ocbmectlwsubfujttb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1672
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ocbmectlwsubfujttb.exe*."
    3⤵
    PID:5460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ykhqgcrhqkkprerz.exe
1⤵
PID:3408
- C:\Users\Admin\AppData\Local\Temp\ykhqgcrhqkkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\ykhqgcrhqkkprerz.exe
  2⤵
  PID:5220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe
1⤵
PID:4412
- C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe
  C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe
  2⤵
  PID:5324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe .
1⤵
PID:2504
- C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5416
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\zooatskdpmpxcsitudd.exe*."
    3⤵
    PID:5688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe
1⤵
PID:3448
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:544
- C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe
  2⤵
  PID:5276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe .
1⤵
PID:4876
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2588
- C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5136
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe*."
    3⤵
    PID:5520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ykhqgcrhqkkprerz.exe .
1⤵
PID:728
- C:\Users\Admin\AppData\Local\Temp\ykhqgcrhqkkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\ykhqgcrhqkkprerz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5152
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ykhqgcrhqkkprerz.exe*."
    3⤵
    PID:5552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe
1⤵
PID:4400
- C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe
  2⤵
  PID:5468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ykhqgcrhqkkprerz.exe .
1⤵
PID:3672
- C:\Users\Admin\AppData\Local\Temp\ykhqgcrhqkkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\ykhqgcrhqkkprerz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5500
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ykhqgcrhqkkprerz.exe*."
    3⤵
    PID:5728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fsqaroevfabhkymvu.exe
1⤵
PID:5400
- C:\Windows\fsqaroevfabhkymvu.exe
  fsqaroevfabhkymvu.exe
  2⤵
  PID:5672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocbmectlwsubfujttb.exe .
1⤵
PID:5612
- C:\Windows\ocbmectlwsubfujttb.exe
  ocbmectlwsubfujttb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5748
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ocbmectlwsubfujttb.exe*."
    3⤵
    PID:5868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fsqaroevfabhkymvu.exe
1⤵
PID:5780
- C:\Windows\fsqaroevfabhkymvu.exe
  fsqaroevfabhkymvu.exe
  2⤵
  PID:5888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mcdqkkdxkimvbsjvxhiy.exe .
1⤵
PID:5852
- C:\Windows\mcdqkkdxkimvbsjvxhiy.exe
  mcdqkkdxkimvbsjvxhiy.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5960
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\mcdqkkdxkimvbsjvxhiy.exe*."
    3⤵
    PID:6136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe
1⤵
PID:5940
- C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe
  2⤵
  PID:6088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe .
1⤵
PID:6044
- C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4800
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ocbmectlwsubfujttb.exe*."
    3⤵
    PID:2832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ykhqgcrhqkkprerz.exe
1⤵
PID:5208
- C:\Users\Admin\AppData\Local\Temp\ykhqgcrhqkkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\ykhqgcrhqkkprerz.exe
  2⤵
  PID:5260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe .
1⤵
PID:3184
- C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe .
  2⤵
  - Checks computer location settings
  PID:3692
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ocbmectlwsubfujttb.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocbmectlwsubfujttb.exe
1⤵
PID:5180
- C:\Windows\ocbmectlwsubfujttb.exe
  ocbmectlwsubfujttb.exe
  2⤵
  PID:456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mcdqkkdxkimvbsjvxhiy.exe .
1⤵
PID:5472
- C:\Windows\mcdqkkdxkimvbsjvxhiy.exe
  mcdqkkdxkimvbsjvxhiy.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5468
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\mcdqkkdxkimvbsjvxhiy.exe*."
    3⤵
    PID:5372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fsqaroevfabhkymvu.exe
1⤵
PID:1300
- C:\Windows\fsqaroevfabhkymvu.exe
  fsqaroevfabhkymvu.exe
  2⤵
  PID:1596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mcdqkkdxkimvbsjvxhiy.exe .
1⤵
PID:3516
- C:\Windows\mcdqkkdxkimvbsjvxhiy.exe
  mcdqkkdxkimvbsjvxhiy.exe .
  2⤵
  - Checks computer location settings
  PID:3704
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\mcdqkkdxkimvbsjvxhiy.exe*."
    3⤵
    PID:5392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe
1⤵
PID:4920
- C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe
  C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe
  2⤵
  PID:1888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ykhqgcrhqkkprerz.exe .
1⤵
PID:5188
- C:\Users\Admin\AppData\Local\Temp\ykhqgcrhqkkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\ykhqgcrhqkkprerz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3572
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ykhqgcrhqkkprerz.exe*."
    3⤵
    PID:4656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe
1⤵
PID:1476
- C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe
  2⤵
  PID:1220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe .
1⤵
PID:4848
- C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5476
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\zooatskdpmpxcsitudd.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zooatskdpmpxcsitudd.exe
1⤵
PID:5576
- C:\Windows\zooatskdpmpxcsitudd.exe
  zooatskdpmpxcsitudd.exe
  2⤵
  PID:5516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocbmectlwsubfujttb.exe .
1⤵
PID:5728
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:712
- C:\Windows\ocbmectlwsubfujttb.exe
  ocbmectlwsubfujttb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5404
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ocbmectlwsubfujttb.exe*."
    3⤵
    PID:3640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fsqaroevfabhkymvu.exe
1⤵
PID:5452
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4664
- C:\Windows\fsqaroevfabhkymvu.exe
  fsqaroevfabhkymvu.exe
  2⤵
  PID:5748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bsuideythglvcumzcnpgi.exe .
1⤵
PID:5864
- C:\Windows\bsuideythglvcumzcnpgi.exe
  bsuideythglvcumzcnpgi.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5608
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\bsuideythglvcumzcnpgi.exe*."
    3⤵
    PID:6104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe
1⤵
PID:5708
- C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe
  2⤵
  PID:6112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe .
1⤵
PID:5820
- C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe .
  2⤵
  - Checks computer location settings
  PID:5936
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\zooatskdpmpxcsitudd.exe*."
    3⤵
    PID:6068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe
1⤵
PID:1664
- C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe
  2⤵
  PID:2956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ykhqgcrhqkkprerz.exe .
1⤵
PID:5904
- C:\Users\Admin\AppData\Local\Temp\ykhqgcrhqkkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\ykhqgcrhqkkprerz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:6080
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ykhqgcrhqkkprerz.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:6060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mcdqkkdxkimvbsjvxhiy.exe
1⤵
PID:2164
- C:\Windows\mcdqkkdxkimvbsjvxhiy.exe
  mcdqkkdxkimvbsjvxhiy.exe
  2⤵
  PID:5016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bsuideythglvcumzcnpgi.exe .
1⤵
PID:4464
- C:\Windows\bsuideythglvcumzcnpgi.exe
  bsuideythglvcumzcnpgi.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3492
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\bsuideythglvcumzcnpgi.exe*."
    3⤵
    PID:5348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fsqaroevfabhkymvu.exe
1⤵
PID:3732
- C:\Windows\fsqaroevfabhkymvu.exe
  fsqaroevfabhkymvu.exe
  2⤵
  PID:5324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fsqaroevfabhkymvu.exe .
1⤵
PID:5316
- C:\Windows\fsqaroevfabhkymvu.exe
  fsqaroevfabhkymvu.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1672
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\fsqaroevfabhkymvu.exe*."
    3⤵
    PID:628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe
1⤵
PID:5448
- C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe
  C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe
  2⤵
  PID:5200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe .
1⤵
PID:5480
- C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe
  C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5488
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bsuideythglvcumzcnpgi.exe*."
    3⤵
    PID:5604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe
1⤵
PID:1304
- C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe
  C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe
  2⤵
  PID:2412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe .
1⤵
PID:5172
- C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe .
  2⤵
  - Checks computer location settings
  PID:3408
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ocbmectlwsubfujttb.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zooatskdpmpxcsitudd.exe
1⤵
PID:4776
- C:\Windows\zooatskdpmpxcsitudd.exe
  zooatskdpmpxcsitudd.exe
  2⤵
  PID:2012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fsqaroevfabhkymvu.exe .
1⤵
PID:1728
- C:\Windows\fsqaroevfabhkymvu.exe
  fsqaroevfabhkymvu.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5560
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\fsqaroevfabhkymvu.exe*."
    3⤵
    PID:5536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocbmectlwsubfujttb.exe
1⤵
PID:5420
- C:\Windows\ocbmectlwsubfujttb.exe
  ocbmectlwsubfujttb.exe
  2⤵
  PID:4932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocbmectlwsubfujttb.exe .
1⤵
PID:4936
- C:\Windows\ocbmectlwsubfujttb.exe
  ocbmectlwsubfujttb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3560
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ocbmectlwsubfujttb.exe*."
    3⤵
    PID:2132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe
1⤵
PID:556
- C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe
  C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe
  2⤵
  PID:5532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe .
1⤵
PID:5732
- C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4824
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe*."
    3⤵
    PID:5768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe
1⤵
PID:5740
- C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe
  2⤵
  PID:3580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fsqaroevfabhkymvu.exe .
1⤵
PID:5432
- C:\Users\Admin\AppData\Local\Temp\fsqaroevfabhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\fsqaroevfabhkymvu.exe .
  2⤵
  - Checks computer location settings
  PID:5976
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\fsqaroevfabhkymvu.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fsjaykyrizbhkymvu.exe
1⤵
PID:6020
- C:\Windows\fsjaykyrizbhkymvu.exe
  fsjaykyrizbhkymvu.exe
  2⤵
  PID:5848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zohaaoezslpxcsitudd.exe .
1⤵
PID:5956
- C:\Windows\zohaaoezslpxcsitudd.exe
  zohaaoezslpxcsitudd.exe .
  2⤵
  PID:5756
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\zohaaoezslpxcsitudd.exe*."
    3⤵
    PID:4800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mcwqrgxtnhmvbsjvxhiy.exe
1⤵
PID:5980
- C:\Windows\mcwqrgxtnhmvbsjvxhiy.exe
  mcwqrgxtnhmvbsjvxhiy.exe
  2⤵
  PID:5876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zohaaoezslpxcsitudd.exe .
1⤵
PID:6136
- C:\Windows\zohaaoezslpxcsitudd.exe
  zohaaoezslpxcsitudd.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5908
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\zohaaoezslpxcsitudd.exe*."
    3⤵
    PID:4024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocbmectlwsubfujttb.exe
1⤵
PID:6076
- C:\Windows\ocbmectlwsubfujttb.exe
  ocbmectlwsubfujttb.exe
  2⤵
  PID:4388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocumlynhzrubfujttb.exe
1⤵
PID:6124
- C:\Users\Admin\AppData\Local\Temp\ocumlynhzrubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ocumlynhzrubfujttb.exe
  2⤵
  PID:3460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocumlynhzrubfujttb.exe .
1⤵
PID:5204
- C:\Users\Admin\AppData\Local\Temp\ocumlynhzrubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ocumlynhzrubfujttb.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5276
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ocumlynhzrubfujttb.exe*."
    3⤵
    PID:5364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fsqaroevfabhkymvu.exe .
1⤵
PID:3184
- C:\Windows\fsqaroevfabhkymvu.exe
  fsqaroevfabhkymvu.exe .
  2⤵
  - Checks computer location settings
  PID:5292
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\fsqaroevfabhkymvu.exe*."
    3⤵
    PID:5336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fsqaroevfabhkymvu.exe
1⤵
PID:2896
- C:\Windows\fsqaroevfabhkymvu.exe
  fsqaroevfabhkymvu.exe
  2⤵
  PID:4488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fsjaykyrizbhkymvu.exe
1⤵
PID:3000
- C:\Users\Admin\AppData\Local\Temp\fsjaykyrizbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\fsjaykyrizbhkymvu.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mcdqkkdxkimvbsjvxhiy.exe .
1⤵
PID:1596
- C:\Windows\mcdqkkdxkimvbsjvxhiy.exe
  mcdqkkdxkimvbsjvxhiy.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5372
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\mcdqkkdxkimvbsjvxhiy.exe*."
    3⤵
    PID:4192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zohaaoezslpxcsitudd.exe .
1⤵
PID:456
- C:\Users\Admin\AppData\Local\Temp\zohaaoezslpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\zohaaoezslpxcsitudd.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2412
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\zohaaoezslpxcsitudd.exe*."
    3⤵
    PID:2456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe
1⤵
PID:1804
- C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe
  2⤵
  PID:5036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ykhqgcrhqkkprerz.exe .
1⤵
PID:4308
- C:\Users\Admin\AppData\Local\Temp\ykhqgcrhqkkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\ykhqgcrhqkkprerz.exe .
  2⤵
  - Checks computer location settings
  PID:3708
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ykhqgcrhqkkprerz.exe*."
    3⤵
    PID:5188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ykhqgcrhqkkprerz.exe
1⤵
PID:2340
- C:\Windows\ykhqgcrhqkkprerz.exe
  ykhqgcrhqkkprerz.exe
  2⤵
  PID:1048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fsqaroevfabhkymvu.exe .
1⤵
PID:3052
- C:\Windows\fsqaroevfabhkymvu.exe
  fsqaroevfabhkymvu.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5536
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\fsqaroevfabhkymvu.exe*."
    3⤵
    PID:3444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe
1⤵
PID:5692
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:636
- C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe
  C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe
  2⤵
  PID:1728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe .
1⤵
PID:2468
- C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5100
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zooatskdpmpxcsitudd.exe
1⤵
PID:3064
- C:\Windows\zooatskdpmpxcsitudd.exe
  zooatskdpmpxcsitudd.exe
  2⤵
  PID:2472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocbmectlwsubfujttb.exe
1⤵
PID:1576
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5688
- C:\Windows\ocbmectlwsubfujttb.exe
  ocbmectlwsubfujttb.exe
  2⤵
  PID:5400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bsuideythglvcumzcnpgi.exe .
1⤵
PID:2748
- C:\Windows\bsuideythglvcumzcnpgi.exe
  bsuideythglvcumzcnpgi.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3456
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\bsuideythglvcumzcnpgi.exe*."
    3⤵
    PID:1512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe
1⤵
PID:2604
- C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe
  2⤵
  PID:6068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mcdqkkdxkimvbsjvxhiy.exe .
1⤵
PID:5404
- C:\Windows\mcdqkkdxkimvbsjvxhiy.exe
  mcdqkkdxkimvbsjvxhiy.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5776
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\mcdqkkdxkimvbsjvxhiy.exe*."
    3⤵
    PID:3652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe .
1⤵
PID:2168
- C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe .
  2⤵
  - Checks computer location settings
  PID:1664
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe*."
    3⤵
    PID:4260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bsuideythglvcumzcnpgi.exe
1⤵
PID:4312
- C:\Windows\bsuideythglvcumzcnpgi.exe
  bsuideythglvcumzcnpgi.exe
  2⤵
  PID:5328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zooatskdpmpxcsitudd.exe .
1⤵
PID:6064
- C:\Windows\zooatskdpmpxcsitudd.exe
  zooatskdpmpxcsitudd.exe .
  2⤵
  - Checks computer location settings
  PID:5672
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\zooatskdpmpxcsitudd.exe*."
    3⤵
    PID:364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fsqaroevfabhkymvu.exe
1⤵
PID:6088
- C:\Users\Admin\AppData\Local\Temp\fsqaroevfabhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\fsqaroevfabhkymvu.exe
  2⤵
  PID:5388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe
1⤵
PID:6036
- C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe
  2⤵
  PID:6080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe .
1⤵
PID:5800
- C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe
  C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe .
  2⤵
  - Checks computer location settings
  PID:3492
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bsuideythglvcumzcnpgi.exe*."
    3⤵
    PID:5472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe .
1⤵
PID:5608
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4748
- C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2964
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe*."
    3⤵
    PID:2420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocbmectlwsubfujttb.exe
1⤵
PID:5340
- C:\Windows\ocbmectlwsubfujttb.exe
  ocbmectlwsubfujttb.exe
  2⤵
  PID:2064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe
1⤵
PID:5204
- C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe
  2⤵
  PID:3952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bsuideythglvcumzcnpgi.exe .
1⤵
PID:2136
- C:\Windows\bsuideythglvcumzcnpgi.exe
  bsuideythglvcumzcnpgi.exe .
  2⤵
  PID:5036
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\bsuideythglvcumzcnpgi.exe*."
    3⤵
    PID:5284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe .
1⤵
PID:5344
- C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe
  C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe .
  2⤵
  PID:3704
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bsuideythglvcumzcnpgi.exe*."
    3⤵
    PID:5352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zooatskdpmpxcsitudd.exe
1⤵
PID:3740
- C:\Windows\zooatskdpmpxcsitudd.exe
  zooatskdpmpxcsitudd.exe
  2⤵
  PID:4404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mcdqkkdxkimvbsjvxhiy.exe .
1⤵
PID:1048
- C:\Windows\mcdqkkdxkimvbsjvxhiy.exe
  mcdqkkdxkimvbsjvxhiy.exe .
  2⤵
  PID:5172
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\mcdqkkdxkimvbsjvxhiy.exe*."
    3⤵
    PID:2780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe
1⤵
PID:4964
- C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe
  C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe
  2⤵
  PID:3680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe .
1⤵
PID:1220
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3572
- C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe
  C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe .
  2⤵
  PID:3244
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bsuideythglvcumzcnpgi.exe*."
    3⤵
    PID:1728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ykhqgcrhqkkprerz.exe
1⤵
PID:5476
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3808
- C:\Users\Admin\AppData\Local\Temp\ykhqgcrhqkkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\ykhqgcrhqkkprerz.exe
  2⤵
  PID:3444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe .
1⤵
PID:5692
- C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe .
  2⤵
  PID:5784
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\zooatskdpmpxcsitudd.exe*."
    3⤵
    PID:1940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocbmectlwsubfujttb.exe
1⤵
PID:2452
- C:\Windows\ocbmectlwsubfujttb.exe
  ocbmectlwsubfujttb.exe
  2⤵
  PID:5808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mcdqkkdxkimvbsjvxhiy.exe .
1⤵
PID:1616
- C:\Windows\mcdqkkdxkimvbsjvxhiy.exe
  mcdqkkdxkimvbsjvxhiy.exe .
  2⤵
  PID:4860
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\mcdqkkdxkimvbsjvxhiy.exe*."
    3⤵
    PID:2744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zooatskdpmpxcsitudd.exe
1⤵
PID:5308
- C:\Windows\zooatskdpmpxcsitudd.exe
  zooatskdpmpxcsitudd.exe
  2⤵
  PID:2388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zooatskdpmpxcsitudd.exe .
1⤵
PID:3592
- C:\Windows\zooatskdpmpxcsitudd.exe
  zooatskdpmpxcsitudd.exe .
  2⤵
  PID:100
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\zooatskdpmpxcsitudd.exe*."
    3⤵
    PID:5812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe
1⤵
PID:6100
- C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe
  2⤵
  PID:2408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ykhqgcrhqkkprerz.exe .
1⤵
PID:5948
- C:\Users\Admin\AppData\Local\Temp\ykhqgcrhqkkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\ykhqgcrhqkkprerz.exe .
  2⤵
  PID:1112
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ykhqgcrhqkkprerz.exe*."
    3⤵
    PID:5832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe
1⤵
PID:5768
- C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe
  2⤵
  PID:5492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ykhqgcrhqkkprerz.exe .
1⤵
PID:5648
- C:\Users\Admin\AppData\Local\Temp\ykhqgcrhqkkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\ykhqgcrhqkkprerz.exe .
  2⤵
  PID:5984
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ykhqgcrhqkkprerz.exe*."
    3⤵
    PID:5336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bsuideythglvcumzcnpgi.exe
1⤵
PID:2280
- C:\Windows\bsuideythglvcumzcnpgi.exe
  bsuideythglvcumzcnpgi.exe
  2⤵
  PID:5464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mcdqkkdxkimvbsjvxhiy.exe .
1⤵
PID:5592
- C:\Windows\mcdqkkdxkimvbsjvxhiy.exe
  mcdqkkdxkimvbsjvxhiy.exe .
  2⤵
  PID:6072
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\mcdqkkdxkimvbsjvxhiy.exe*."
    3⤵
    PID:5756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zooatskdpmpxcsitudd.exe
1⤵
PID:2776
- C:\Windows\zooatskdpmpxcsitudd.exe
  zooatskdpmpxcsitudd.exe
  2⤵
  PID:5484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mcdqkkdxkimvbsjvxhiy.exe .
1⤵
PID:5828
- C:\Windows\mcdqkkdxkimvbsjvxhiy.exe
  mcdqkkdxkimvbsjvxhiy.exe .
  2⤵
  PID:2412
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\mcdqkkdxkimvbsjvxhiy.exe*."
    3⤵
    PID:2432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ykhqgcrhqkkprerz.exe
1⤵
PID:3264
- C:\Users\Admin\AppData\Local\Temp\ykhqgcrhqkkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\ykhqgcrhqkkprerz.exe
  2⤵
  PID:4940

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:4784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe .
1⤵
PID:5680
- C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe .
  2⤵
  PID:1828
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\zooatskdpmpxcsitudd.exe*."
    3⤵
    PID:5604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe
1⤵
PID:5240
- C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe
  2⤵
  PID:4420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ykhqgcrhqkkprerz.exe .
1⤵
PID:5660
- C:\Users\Admin\AppData\Local\Temp\ykhqgcrhqkkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\ykhqgcrhqkkprerz.exe .
  2⤵
  PID:3444
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ykhqgcrhqkkprerz.exe*."
    3⤵
    PID:4824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bsuideythglvcumzcnpgi.exe
1⤵
PID:3676
- C:\Windows\bsuideythglvcumzcnpgi.exe
  bsuideythglvcumzcnpgi.exe
  2⤵
  PID:4380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zooatskdpmpxcsitudd.exe .
1⤵
PID:4556
- C:\Windows\zooatskdpmpxcsitudd.exe
  zooatskdpmpxcsitudd.exe .
  2⤵
  PID:4352
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\zooatskdpmpxcsitudd.exe*."
    3⤵
    PID:5992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ykhqgcrhqkkprerz.exe
1⤵
PID:5892
- C:\Windows\ykhqgcrhqkkprerz.exe
  ykhqgcrhqkkprerz.exe
  2⤵
  PID:4396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mcdqkkdxkimvbsjvxhiy.exe .
1⤵
PID:6052
- C:\Windows\mcdqkkdxkimvbsjvxhiy.exe
  mcdqkkdxkimvbsjvxhiy.exe .
  2⤵
  PID:5280
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\mcdqkkdxkimvbsjvxhiy.exe*."
    3⤵
    PID:5636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe
1⤵
PID:3460
- C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe
  2⤵
  PID:4388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe .
1⤵
PID:5544
- C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe .
  2⤵
  PID:5612
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\zooatskdpmpxcsitudd.exe*."
    3⤵
    PID:3900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe
1⤵
PID:5884
- C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe
  C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe
  2⤵
  PID:556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ykhqgcrhqkkprerz.exe .
1⤵
PID:1664
- C:\Users\Admin\AppData\Local\Temp\ykhqgcrhqkkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\ykhqgcrhqkkprerz.exe .
  2⤵
  PID:1940
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ykhqgcrhqkkprerz.exe*."
    3⤵
    PID:6088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zooatskdpmpxcsitudd.exe
1⤵
PID:5508
- C:\Windows\zooatskdpmpxcsitudd.exe
  zooatskdpmpxcsitudd.exe
  2⤵
  PID:5292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocbmectlwsubfujttb.exe .
1⤵
PID:5468
- C:\Windows\ocbmectlwsubfujttb.exe
  ocbmectlwsubfujttb.exe .
  2⤵
  PID:5040
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ocbmectlwsubfujttb.exe*."
    3⤵
    PID:2964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bsuideythglvcumzcnpgi.exe
1⤵
PID:2268
- C:\Windows\bsuideythglvcumzcnpgi.exe
  bsuideythglvcumzcnpgi.exe
  2⤵
  PID:1804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zooatskdpmpxcsitudd.exe .
1⤵
PID:5076
- C:\Windows\zooatskdpmpxcsitudd.exe
  zooatskdpmpxcsitudd.exe .
  2⤵
  PID:5036
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\zooatskdpmpxcsitudd.exe*."
    3⤵
    PID:2896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe
1⤵
PID:3856
- C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe
  2⤵
  PID:5200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe .
1⤵
PID:5932
- C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe .
  2⤵
  PID:5452
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\zooatskdpmpxcsitudd.exe*."
    3⤵
    PID:1908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fsqaroevfabhkymvu.exe
1⤵
PID:3512
- C:\Users\Admin\AppData\Local\Temp\fsqaroevfabhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\fsqaroevfabhkymvu.exe
  2⤵
  PID:5988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe .
1⤵
PID:2780
- C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe .
  2⤵
  PID:5604
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ocbmectlwsubfujttb.exe*."
    3⤵
    PID:5152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bsuideythglvcumzcnpgi.exe
1⤵
PID:3572
- C:\Windows\bsuideythglvcumzcnpgi.exe
  bsuideythglvcumzcnpgi.exe
  2⤵
  PID:5476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocumlynhzrubfujttb.exe
1⤵
PID:4772
- C:\Windows\ocumlynhzrubfujttb.exe
  ocumlynhzrubfujttb.exe
  2⤵
  PID:4916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ykhqgcrhqkkprerz.exe .
1⤵
PID:3732
- C:\Windows\ykhqgcrhqkkprerz.exe
  ykhqgcrhqkkprerz.exe .
  2⤵
  PID:636
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ykhqgcrhqkkprerz.exe*."
    3⤵
    PID:4556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocumlynhzrubfujttb.exe .
1⤵
PID:3816
- C:\Windows\ocumlynhzrubfujttb.exe
  ocumlynhzrubfujttb.exe .
  2⤵
  PID:4396
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ocumlynhzrubfujttb.exe*."
    3⤵
    PID:5296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocbmectlwsubfujttb.exe
1⤵
PID:5100
- C:\Windows\ocbmectlwsubfujttb.exe
  ocbmectlwsubfujttb.exe
  2⤵
  PID:1844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bsuideythglvcumzcnpgi.exe .
1⤵
PID:2468
- C:\Windows\bsuideythglvcumzcnpgi.exe
  bsuideythglvcumzcnpgi.exe .
  2⤵
  PID:5700
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\bsuideythglvcumzcnpgi.exe*."
    3⤵
    PID:2360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocumlynhzrubfujttb.exe
1⤵
PID:5128
- C:\Windows\ocumlynhzrubfujttb.exe
  ocumlynhzrubfujttb.exe
  2⤵
  PID:1944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe
1⤵
PID:2132
- C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe
  2⤵
  PID:5860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fsjaykyrizbhkymvu.exe .
1⤵
PID:5280
- C:\Windows\fsjaykyrizbhkymvu.exe
  fsjaykyrizbhkymvu.exe .
  2⤵
  PID:4924
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\fsjaykyrizbhkymvu.exe*."
    3⤵
    PID:5180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fsqaroevfabhkymvu.exe .
1⤵
PID:2120
- C:\Users\Admin\AppData\Local\Temp\fsqaroevfabhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\fsqaroevfabhkymvu.exe .
  2⤵
  PID:5492
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\fsqaroevfabhkymvu.exe*."
    3⤵
    PID:4812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcwqrgxtnhmvbsjvxhiy.exe
1⤵
PID:2072
- C:\Users\Admin\AppData\Local\Temp\mcwqrgxtnhmvbsjvxhiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcwqrgxtnhmvbsjvxhiy.exe
  2⤵
  PID:6024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fsjaykyrizbhkymvu.exe .
1⤵
PID:5896
- C:\Users\Admin\AppData\Local\Temp\fsjaykyrizbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\fsjaykyrizbhkymvu.exe .
  2⤵
  PID:5360
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\fsjaykyrizbhkymvu.exe*."
    3⤵
    PID:6028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe
1⤵
PID:2168
- C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe
  2⤵
  PID:5436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe .
1⤵
PID:1300
- C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe
  C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe .
  2⤵
  PID:3952
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bsuideythglvcumzcnpgi.exe*."
    3⤵
    PID:6132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zohaaoezslpxcsitudd.exe
1⤵
PID:5756
- C:\Users\Admin\AppData\Local\Temp\zohaaoezslpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\zohaaoezslpxcsitudd.exe
  2⤵
  PID:2480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ykaqnyldtjkprerz.exe .
1⤵
PID:5592
- C:\Users\Admin\AppData\Local\Temp\ykaqnyldtjkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\ykaqnyldtjkprerz.exe .
  2⤵
  PID:5412
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ykaqnyldtjkprerz.exe*."
    3⤵
    PID:868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocbmectlwsubfujttb.exe
1⤵
PID:4360
- C:\Windows\ocbmectlwsubfujttb.exe
  ocbmectlwsubfujttb.exe
  2⤵
  PID:2660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zooatskdpmpxcsitudd.exe .
1⤵
PID:3264
- C:\Windows\zooatskdpmpxcsitudd.exe
  zooatskdpmpxcsitudd.exe .
  2⤵
  PID:5420
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\zooatskdpmpxcsitudd.exe*."
    3⤵
    PID:60

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zooatskdpmpxcsitudd.exe
1⤵
PID:5000
- C:\Windows\zooatskdpmpxcsitudd.exe
  zooatskdpmpxcsitudd.exe
  2⤵
  PID:696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fsqaroevfabhkymvu.exe
1⤵
PID:4764
- C:\Windows\fsqaroevfabhkymvu.exe
  fsqaroevfabhkymvu.exe
  2⤵
  PID:716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fsqaroevfabhkymvu.exe .
1⤵
PID:1032
- C:\Windows\fsqaroevfabhkymvu.exe
  fsqaroevfabhkymvu.exe .
  2⤵
  PID:5820
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\fsqaroevfabhkymvu.exe*."
    3⤵
    PID:4568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fsqaroevfabhkymvu.exe .
1⤵
PID:3412
- C:\Windows\fsqaroevfabhkymvu.exe
  fsqaroevfabhkymvu.exe .
  2⤵
  PID:2260
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\fsqaroevfabhkymvu.exe*."
    3⤵
    PID:1396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe
1⤵
PID:5640
- C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe
  2⤵
  PID:4396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zooatskdpmpxcsitudd.exe
1⤵
PID:4584
- C:\Windows\zooatskdpmpxcsitudd.exe
  zooatskdpmpxcsitudd.exe
  2⤵
  PID:3812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe .
1⤵
PID:6112
- C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe .
  2⤵
  PID:5732
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\zooatskdpmpxcsitudd.exe*."
    3⤵
    PID:5980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocbmectlwsubfujttb.exe
1⤵
PID:4128
- C:\Windows\ocbmectlwsubfujttb.exe
  ocbmectlwsubfujttb.exe
  2⤵
  PID:2460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fsqaroevfabhkymvu.exe .
1⤵
PID:5660
- C:\Windows\fsqaroevfabhkymvu.exe
  fsqaroevfabhkymvu.exe .
  2⤵
  PID:6044
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\fsqaroevfabhkymvu.exe*."
    3⤵
    PID:6052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zooatskdpmpxcsitudd.exe .
1⤵
PID:2504
- C:\Windows\zooatskdpmpxcsitudd.exe
  zooatskdpmpxcsitudd.exe .
  2⤵
  PID:1768
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\zooatskdpmpxcsitudd.exe*."
    3⤵
    PID:2480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fsqaroevfabhkymvu.exe
1⤵
PID:5748
- C:\Users\Admin\AppData\Local\Temp\fsqaroevfabhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\fsqaroevfabhkymvu.exe
  2⤵
  PID:6124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe
1⤵
PID:5808
- C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe
  2⤵
  PID:4988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bsuideythglvcumzcnpgi.exe
1⤵
PID:5860
- C:\Windows\bsuideythglvcumzcnpgi.exe
  bsuideythglvcumzcnpgi.exe
  2⤵
  PID:6132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe .
1⤵
PID:5908
- C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe .
  2⤵
  PID:2252
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\zooatskdpmpxcsitudd.exe*."
    3⤵
    PID:5176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocbmectlwsubfujttb.exe .
1⤵
PID:6084
- C:\Windows\ocbmectlwsubfujttb.exe
  ocbmectlwsubfujttb.exe .
  2⤵
  PID:4280
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ocbmectlwsubfujttb.exe*."
    3⤵
    PID:5984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ykhqgcrhqkkprerz.exe .
1⤵
PID:5100
- C:\Users\Admin\AppData\Local\Temp\ykhqgcrhqkkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\ykhqgcrhqkkprerz.exe .
  2⤵
  PID:5888
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ykhqgcrhqkkprerz.exe*."
    3⤵
    PID:3448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe
1⤵
PID:5464
- C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe
  2⤵
  PID:4208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe .
1⤵
PID:5308
- C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe
  C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe .
  2⤵
  PID:5284
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bsuideythglvcumzcnpgi.exe*."
    3⤵
    PID:2316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe
1⤵
PID:2200
- C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe
  2⤵
  PID:2440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe .
1⤵
PID:4864
- C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe
  C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe .
  2⤵
  PID:4356
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bsuideythglvcumzcnpgi.exe*."
    3⤵
    PID:2956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe
1⤵
PID:5232
- C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe
  2⤵
  PID:5568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe .
1⤵
PID:4400
- C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe .
  2⤵
  PID:4512
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\zooatskdpmpxcsitudd.exe*."
    3⤵
    PID:3264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocbmectlwsubfujttb.exe
1⤵
PID:4916
- C:\Windows\ocbmectlwsubfujttb.exe
  ocbmectlwsubfujttb.exe
  2⤵
  PID:5236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ykhqgcrhqkkprerz.exe .
1⤵
PID:4884
- C:\Windows\ykhqgcrhqkkprerz.exe
  ykhqgcrhqkkprerz.exe .
  2⤵
  PID:5164
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ykhqgcrhqkkprerz.exe*."
    3⤵
    PID:5376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bsuideythglvcumzcnpgi.exe
1⤵
PID:5936
- C:\Windows\bsuideythglvcumzcnpgi.exe
  bsuideythglvcumzcnpgi.exe
  2⤵
  PID:5672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fsqaroevfabhkymvu.exe .
1⤵
PID:1408
- C:\Windows\fsqaroevfabhkymvu.exe
  fsqaroevfabhkymvu.exe .
  2⤵
  PID:5836
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\fsqaroevfabhkymvu.exe*."
    3⤵
    PID:4488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ykhqgcrhqkkprerz.exe
1⤵
PID:3444
- C:\Users\Admin\AppData\Local\Temp\ykhqgcrhqkkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\ykhqgcrhqkkprerz.exe
  2⤵
  PID:5432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ykhqgcrhqkkprerz.exe .
1⤵
PID:5268
- C:\Users\Admin\AppData\Local\Temp\ykhqgcrhqkkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\ykhqgcrhqkkprerz.exe .
  2⤵
  PID:5320
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ykhqgcrhqkkprerz.exe*."
    3⤵
    PID:5800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe
1⤵
PID:4472
- C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe
  2⤵
  PID:4988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe .
1⤵
PID:4128
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4936
- C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe
  C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe .
  2⤵
  PID:820
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bsuideythglvcumzcnpgi.exe*."
    3⤵
    PID:6008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bsuideythglvcumzcnpgi.exe
1⤵
PID:5588
- C:\Windows\bsuideythglvcumzcnpgi.exe
  bsuideythglvcumzcnpgi.exe
  2⤵
  PID:4260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mcdqkkdxkimvbsjvxhiy.exe .
1⤵
PID:844
- C:\Windows\mcdqkkdxkimvbsjvxhiy.exe
  mcdqkkdxkimvbsjvxhiy.exe .
  2⤵
  PID:5792
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\mcdqkkdxkimvbsjvxhiy.exe*."
    3⤵
    PID:4360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bsuideythglvcumzcnpgi.exe
1⤵
PID:5580
- C:\Windows\bsuideythglvcumzcnpgi.exe
  bsuideythglvcumzcnpgi.exe
  2⤵
  PID:4020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocbmectlwsubfujttb.exe .
1⤵
PID:3996
- C:\Windows\ocbmectlwsubfujttb.exe
  ocbmectlwsubfujttb.exe .
  2⤵
  PID:4420
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ocbmectlwsubfujttb.exe*."
    3⤵
    PID:5124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe
1⤵
PID:364
- C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe
  C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe
  2⤵
  PID:1300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe .
1⤵
PID:4868
- C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe .
  2⤵
  PID:4344
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ocbmectlwsubfujttb.exe*."
    3⤵
    PID:5948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe
1⤵
PID:4964
- C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe
  C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe
  2⤵
  PID:544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fsqaroevfabhkymvu.exe .
1⤵
PID:5488
- C:\Users\Admin\AppData\Local\Temp\fsqaroevfabhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\fsqaroevfabhkymvu.exe .
  2⤵
  PID:6088
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\fsqaroevfabhkymvu.exe*."
    3⤵
    PID:4400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zooatskdpmpxcsitudd.exe
1⤵
PID:6020
- C:\Windows\zooatskdpmpxcsitudd.exe
  zooatskdpmpxcsitudd.exe
  2⤵
  PID:716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bsuideythglvcumzcnpgi.exe .
1⤵
PID:5764
- C:\Windows\bsuideythglvcumzcnpgi.exe
  bsuideythglvcumzcnpgi.exe .
  2⤵
  PID:4388
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\bsuideythglvcumzcnpgi.exe*."
    3⤵
    PID:5944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mcdqkkdxkimvbsjvxhiy.exe
1⤵
PID:5612
- C:\Windows\mcdqkkdxkimvbsjvxhiy.exe
  mcdqkkdxkimvbsjvxhiy.exe
  2⤵
  PID:2084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fsqaroevfabhkymvu.exe .
1⤵
PID:5540
- C:\Windows\fsqaroevfabhkymvu.exe
  fsqaroevfabhkymvu.exe .
  2⤵
  PID:1848
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\fsqaroevfabhkymvu.exe*."
    3⤵
    PID:5328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ykhqgcrhqkkprerz.exe
1⤵
PID:3980
- C:\Users\Admin\AppData\Local\Temp\ykhqgcrhqkkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\ykhqgcrhqkkprerz.exe
  2⤵
  PID:5708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe .
1⤵
PID:6108
- C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe .
  2⤵
  PID:4748
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ocbmectlwsubfujttb.exe*."
    3⤵
    PID:5844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fsqaroevfabhkymvu.exe
1⤵
PID:4120
- C:\Users\Admin\AppData\Local\Temp\fsqaroevfabhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\fsqaroevfabhkymvu.exe
  2⤵
  PID:4752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe .
1⤵
PID:4920
- C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe .
  2⤵
  PID:2480
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\zooatskdpmpxcsitudd.exe*."
    3⤵
    PID:1944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ykhqgcrhqkkprerz.exe
1⤵
PID:5444
- C:\Windows\ykhqgcrhqkkprerz.exe
  ykhqgcrhqkkprerz.exe
  2⤵
  PID:1976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mcdqkkdxkimvbsjvxhiy.exe .
1⤵
PID:5076
- C:\Windows\mcdqkkdxkimvbsjvxhiy.exe
  mcdqkkdxkimvbsjvxhiy.exe .
  2⤵
  PID:2072
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\mcdqkkdxkimvbsjvxhiy.exe*."
    3⤵
    PID:2776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ykhqgcrhqkkprerz.exe
1⤵
PID:3768
- C:\Windows\ykhqgcrhqkkprerz.exe
  ykhqgcrhqkkprerz.exe
  2⤵
  PID:5864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zooatskdpmpxcsitudd.exe .
1⤵
PID:3240
- C:\Windows\zooatskdpmpxcsitudd.exe
  zooatskdpmpxcsitudd.exe .
  2⤵
  PID:2664
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\zooatskdpmpxcsitudd.exe*."
    3⤵
    PID:364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe
1⤵
PID:2008
- C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe
  C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe
  2⤵
  PID:3188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe .
1⤵
PID:6064
- C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe .
  2⤵
  PID:3436
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\zooatskdpmpxcsitudd.exe*."
    3⤵
    PID:2716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fsqaroevfabhkymvu.exe
1⤵
PID:4420
- C:\Users\Admin\AppData\Local\Temp\fsqaroevfabhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\fsqaroevfabhkymvu.exe
  2⤵
  PID:5752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe .
1⤵
PID:1548
- C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe .
  2⤵
  PID:5228
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\zooatskdpmpxcsitudd.exe*."
    3⤵
    PID:4332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zooatskdpmpxcsitudd.exe
1⤵
PID:3448
- C:\Windows\zooatskdpmpxcsitudd.exe
  zooatskdpmpxcsitudd.exe
  2⤵
  PID:2828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bsuideythglvcumzcnpgi.exe .
1⤵
PID:5988
- C:\Windows\bsuideythglvcumzcnpgi.exe
  bsuideythglvcumzcnpgi.exe .
  2⤵
  PID:5932
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\bsuideythglvcumzcnpgi.exe*."
    3⤵
    PID:5332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocbmectlwsubfujttb.exe
1⤵
PID:4800
- C:\Windows\ocbmectlwsubfujttb.exe
  ocbmectlwsubfujttb.exe
  2⤵
  PID:728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mcdqkkdxkimvbsjvxhiy.exe .
1⤵
PID:3860
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4392
- C:\Windows\mcdqkkdxkimvbsjvxhiy.exe
  mcdqkkdxkimvbsjvxhiy.exe .
  2⤵
  PID:4388
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\mcdqkkdxkimvbsjvxhiy.exe*."
    3⤵
    PID:5612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe
1⤵
PID:5676
- C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe
  2⤵
  PID:4312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fsqaroevfabhkymvu.exe .
1⤵
PID:5784
- C:\Users\Admin\AppData\Local\Temp\fsqaroevfabhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\fsqaroevfabhkymvu.exe .
  2⤵
  PID:5640
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\fsqaroevfabhkymvu.exe*."
    3⤵
    PID:5564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zohaaoezslpxcsitudd.exe
1⤵
PID:5672
- C:\Windows\zohaaoezslpxcsitudd.exe
  zohaaoezslpxcsitudd.exe
  2⤵
  PID:5744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zohaaoezslpxcsitudd.exe .
1⤵
PID:5328
- C:\Windows\zohaaoezslpxcsitudd.exe
  zohaaoezslpxcsitudd.exe .
  2⤵
  PID:5620
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\zohaaoezslpxcsitudd.exe*."
    3⤵
    PID:820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe
1⤵
PID:4244
- C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe
  2⤵
  PID:4988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe .
1⤵
PID:4488
- C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe
  C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe .
  2⤵
  PID:4128
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bsuideythglvcumzcnpgi.exe*."
    3⤵
    PID:5792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fsjaykyrizbhkymvu.exe
1⤵
PID:2004
- C:\Windows\fsjaykyrizbhkymvu.exe
  fsjaykyrizbhkymvu.exe
  2⤵
  PID:4200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zohaaoezslpxcsitudd.exe .
1⤵
PID:1416
- C:\Windows\zohaaoezslpxcsitudd.exe
  zohaaoezslpxcsitudd.exe .
  2⤵
  PID:3820
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\zohaaoezslpxcsitudd.exe*."
    3⤵
    PID:2836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsnikaspkflvcumzcnpgb.exe
1⤵
PID:5168
- C:\Users\Admin\AppData\Local\Temp\bsnikaspkflvcumzcnpgb.exe
  C:\Users\Admin\AppData\Local\Temp\bsnikaspkflvcumzcnpgb.exe
  2⤵
  PID:3200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zohaaoezslpxcsitudd.exe .
1⤵
PID:3220
- C:\Users\Admin\AppData\Local\Temp\zohaaoezslpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\zohaaoezslpxcsitudd.exe .
  2⤵
  PID:3096
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\zohaaoezslpxcsitudd.exe*."
    3⤵
    PID:5924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ykaqnyldtjkprerz.exe
1⤵
PID:6092
- C:\Users\Admin\AppData\Local\Temp\ykaqnyldtjkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\ykaqnyldtjkprerz.exe
  2⤵
  PID:5632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ykaqnyldtjkprerz.exe .
1⤵
PID:1888
- C:\Users\Admin\AppData\Local\Temp\ykaqnyldtjkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\ykaqnyldtjkprerz.exe .
  2⤵
  PID:592
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ykaqnyldtjkprerz.exe*."
    3⤵
    PID:5840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zooatskdpmpxcsitudd.exe
1⤵
PID:3192
- C:\Windows\zooatskdpmpxcsitudd.exe
  zooatskdpmpxcsitudd.exe
  2⤵
  PID:2200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ykhqgcrhqkkprerz.exe .
1⤵
PID:5308
- C:\Windows\ykhqgcrhqkkprerz.exe
  ykhqgcrhqkkprerz.exe .
  2⤵
  PID:5668
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ykhqgcrhqkkprerz.exe*."
    3⤵
    PID:5680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ykhqgcrhqkkprerz.exe
1⤵
PID:6028
- C:\Windows\ykhqgcrhqkkprerz.exe
  ykhqgcrhqkkprerz.exe
  2⤵
  PID:5760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocbmectlwsubfujttb.exe
1⤵
PID:4820
- C:\Windows\ocbmectlwsubfujttb.exe
  ocbmectlwsubfujttb.exe
  2⤵
  PID:5420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fsqaroevfabhkymvu.exe .
1⤵
PID:4416
- C:\Windows\fsqaroevfabhkymvu.exe
  fsqaroevfabhkymvu.exe .
  2⤵
  PID:4544
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\fsqaroevfabhkymvu.exe*."
    3⤵
    PID:3920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ykhqgcrhqkkprerz.exe
1⤵
PID:2660
- C:\Users\Admin\AppData\Local\Temp\ykhqgcrhqkkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\ykhqgcrhqkkprerz.exe
  2⤵
  PID:2416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mcdqkkdxkimvbsjvxhiy.exe .
1⤵
PID:3456
- C:\Windows\mcdqkkdxkimvbsjvxhiy.exe
  mcdqkkdxkimvbsjvxhiy.exe .
  2⤵
  PID:4864
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\mcdqkkdxkimvbsjvxhiy.exe*."
    3⤵
    PID:5164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fsqaroevfabhkymvu.exe .
1⤵
PID:5172
- C:\Users\Admin\AppData\Local\Temp\fsqaroevfabhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\fsqaroevfabhkymvu.exe .
  2⤵
  PID:1056
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\fsqaroevfabhkymvu.exe*."
    3⤵
    PID:3860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mcdqkkdxkimvbsjvxhiy.exe
1⤵
PID:5932
- C:\Windows\mcdqkkdxkimvbsjvxhiy.exe
  mcdqkkdxkimvbsjvxhiy.exe
  2⤵
  PID:5544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ykhqgcrhqkkprerz.exe .
1⤵
PID:728
- C:\Windows\ykhqgcrhqkkprerz.exe
  ykhqgcrhqkkprerz.exe .
  2⤵
  PID:5708
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ykhqgcrhqkkprerz.exe*."
    3⤵
    PID:6040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe
1⤵
PID:5536
- C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe
  2⤵
  PID:5348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe
1⤵
PID:4312
- C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe
  2⤵
  PID:5980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe .
1⤵
PID:5880
- C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe .
  2⤵
  PID:3592
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ocbmectlwsubfujttb.exe*."
    3⤵
    PID:5340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bsuideythglvcumzcnpgi.exe
1⤵
PID:5552
- C:\Windows\bsuideythglvcumzcnpgi.exe
  bsuideythglvcumzcnpgi.exe
  2⤵
  PID:6124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe .
1⤵
PID:5600
- C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe .
  2⤵
  PID:5780
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ocbmectlwsubfujttb.exe*."
    3⤵
    PID:3460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fsqaroevfabhkymvu.exe .
1⤵
PID:5564
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5152
- C:\Windows\fsqaroevfabhkymvu.exe
  fsqaroevfabhkymvu.exe .
  2⤵
  PID:2836
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\fsqaroevfabhkymvu.exe*."
    3⤵
    PID:4024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe
1⤵
PID:4832
- C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe
  2⤵
  PID:5704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe .
1⤵
PID:2164
- C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe .
  2⤵
  PID:6140
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\zooatskdpmpxcsitudd.exe*."
    3⤵
    PID:5464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zooatskdpmpxcsitudd.exe
1⤵
PID:5240
- C:\Windows\zooatskdpmpxcsitudd.exe
  zooatskdpmpxcsitudd.exe
  2⤵
  PID:3096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocbmectlwsubfujttb.exe .
1⤵
PID:5180
- C:\Windows\ocbmectlwsubfujttb.exe
  ocbmectlwsubfujttb.exe .
  2⤵
  PID:5576
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ocbmectlwsubfujttb.exe*."
    3⤵
    PID:5296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe
1⤵
PID:4380
- C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe
  2⤵
  PID:5568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe .
1⤵
PID:5444
- C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe .
  2⤵
  PID:5908
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe*."
    3⤵
    PID:5124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe
1⤵
PID:4584
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5468
- C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe
  C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe
  2⤵
  PID:5424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fsqaroevfabhkymvu.exe .
1⤵
PID:376
- C:\Users\Admin\AppData\Local\Temp\fsqaroevfabhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\fsqaroevfabhkymvu.exe .
  2⤵
  PID:5680
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\fsqaroevfabhkymvu.exe*."
    3⤵
    PID:2660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fsqaroevfabhkymvu.exe
1⤵
PID:1048
- C:\Windows\fsqaroevfabhkymvu.exe
  fsqaroevfabhkymvu.exe
  2⤵
  PID:5308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mcdqkkdxkimvbsjvxhiy.exe .
1⤵
PID:3652
- C:\Windows\mcdqkkdxkimvbsjvxhiy.exe
  mcdqkkdxkimvbsjvxhiy.exe .
  2⤵
  PID:4820
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\mcdqkkdxkimvbsjvxhiy.exe*."
    3⤵
    PID:4544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mcdqkkdxkimvbsjvxhiy.exe
1⤵
PID:5364
- C:\Windows\mcdqkkdxkimvbsjvxhiy.exe
  mcdqkkdxkimvbsjvxhiy.exe
  2⤵
  PID:5488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mcdqkkdxkimvbsjvxhiy.exe .
1⤵
PID:5332
- C:\Windows\mcdqkkdxkimvbsjvxhiy.exe
  mcdqkkdxkimvbsjvxhiy.exe .
  2⤵
  PID:4392
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\mcdqkkdxkimvbsjvxhiy.exe*."
    3⤵
    PID:5028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe
1⤵
PID:5912
- C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe
  2⤵
  PID:4252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe .
1⤵
PID:4864
- C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe .
  2⤵
  PID:4636
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ocbmectlwsubfujttb.exe*."
    3⤵
    PID:820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe
1⤵
PID:5160
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3456
- C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe
  2⤵
  PID:5980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe .
1⤵
PID:5620
- C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe .
  2⤵
  PID:5132
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ocbmectlwsubfujttb.exe*."
    3⤵
    PID:5972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fsqaroevfabhkymvu.exe
1⤵
PID:5040
- C:\Windows\fsqaroevfabhkymvu.exe
  fsqaroevfabhkymvu.exe
  2⤵
  PID:5720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocbmectlwsubfujttb.exe .
1⤵
PID:4032
- C:\Windows\ocbmectlwsubfujttb.exe
  ocbmectlwsubfujttb.exe .
  2⤵
  PID:728
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ocbmectlwsubfujttb.exe*."
    3⤵
    PID:5820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ykhqgcrhqkkprerz.exe
1⤵
PID:5376
- C:\Windows\ykhqgcrhqkkprerz.exe
  ykhqgcrhqkkprerz.exe
  2⤵
  PID:5748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fsqaroevfabhkymvu.exe .
1⤵
PID:5416
- C:\Windows\fsqaroevfabhkymvu.exe
  fsqaroevfabhkymvu.exe .
  2⤵
  PID:3640
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\fsqaroevfabhkymvu.exe*."
    3⤵
    PID:1752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe
1⤵
PID:868
- C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe
  C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe
  2⤵
  PID:1768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe .
1⤵
PID:6064
- C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe
  C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe .
  2⤵
  PID:5236
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bsuideythglvcumzcnpgi.exe*."
    3⤵
    PID:1040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ykhqgcrhqkkprerz.exe
1⤵
PID:3064
- C:\Users\Admin\AppData\Local\Temp\ykhqgcrhqkkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\ykhqgcrhqkkprerz.exe
  2⤵
  PID:5300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe .
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe .
  2⤵
  PID:3192
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\zooatskdpmpxcsitudd.exe*."
    3⤵
    PID:4020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fsqaroevfabhkymvu.exe
1⤵
PID:4656
- C:\Windows\fsqaroevfabhkymvu.exe
  fsqaroevfabhkymvu.exe
  2⤵
  PID:224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zooatskdpmpxcsitudd.exe .
1⤵
PID:60
- C:\Windows\zooatskdpmpxcsitudd.exe
  zooatskdpmpxcsitudd.exe .
  2⤵
  PID:5740
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\zooatskdpmpxcsitudd.exe*."
    3⤵
    PID:5508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bsuideythglvcumzcnpgi.exe
1⤵
PID:8
- C:\Windows\bsuideythglvcumzcnpgi.exe
  bsuideythglvcumzcnpgi.exe
  2⤵
  PID:5448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bsuideythglvcumzcnpgi.exe .
1⤵
PID:2460
- C:\Windows\bsuideythglvcumzcnpgi.exe
  bsuideythglvcumzcnpgi.exe .
  2⤵
  PID:5892
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\bsuideythglvcumzcnpgi.exe*."
    3⤵
    PID:5848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fsqaroevfabhkymvu.exe
1⤵
PID:1156
- C:\Users\Admin\AppData\Local\Temp\fsqaroevfabhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\fsqaroevfabhkymvu.exe
  2⤵
  PID:2248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe .
1⤵
PID:3940
- C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe .
  2⤵
  PID:2956
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe*."
    3⤵
    PID:5996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe
1⤵
PID:3992
- C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe
  2⤵
  PID:5796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe .
1⤵
PID:3568
- C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe .
  2⤵
  PID:3856
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe*."
    3⤵
    PID:4776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bsuideythglvcumzcnpgi.exe
1⤵
PID:5348
- C:\Windows\bsuideythglvcumzcnpgi.exe
  bsuideythglvcumzcnpgi.exe
  2⤵
  PID:5344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocbmectlwsubfujttb.exe .
1⤵
PID:1528
- C:\Windows\ocbmectlwsubfujttb.exe
  ocbmectlwsubfujttb.exe .
  2⤵
  PID:5404
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ocbmectlwsubfujttb.exe*."
    3⤵
    PID:1996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fsqaroevfabhkymvu.exe
1⤵
PID:4884
- C:\Windows\fsqaroevfabhkymvu.exe
  fsqaroevfabhkymvu.exe
  2⤵
  PID:2704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mcdqkkdxkimvbsjvxhiy.exe .
1⤵
PID:5792
- C:\Windows\mcdqkkdxkimvbsjvxhiy.exe
  mcdqkkdxkimvbsjvxhiy.exe .
  2⤵
  PID:1828
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\mcdqkkdxkimvbsjvxhiy.exe*."
    3⤵
    PID:4824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe
1⤵
PID:1892
- C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe
  2⤵
  PID:6092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe .
1⤵
PID:4136
- C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe .
  2⤵
  PID:728
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ocbmectlwsubfujttb.exe*."
    3⤵
    PID:3680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fsqaroevfabhkymvu.exe
1⤵
PID:3900
- C:\Users\Admin\AppData\Local\Temp\fsqaroevfabhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\fsqaroevfabhkymvu.exe
  2⤵
  PID:5780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe .
1⤵
PID:5208
- C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe
  C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe .
  2⤵
  PID:2400
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bsuideythglvcumzcnpgi.exe*."
    3⤵
    PID:5660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fsqaroevfabhkymvu.exe
1⤵
PID:4692
- C:\Windows\fsqaroevfabhkymvu.exe
  fsqaroevfabhkymvu.exe
  2⤵
  PID:6064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocbmectlwsubfujttb.exe .
1⤵
PID:2268
- C:\Windows\ocbmectlwsubfujttb.exe
  ocbmectlwsubfujttb.exe .
  2⤵
  PID:5252
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ocbmectlwsubfujttb.exe*."
    3⤵
    PID:1804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fsqaroevfabhkymvu.exe
1⤵
PID:5768
- C:\Windows\fsqaroevfabhkymvu.exe
  fsqaroevfabhkymvu.exe
  2⤵
  PID:5908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ykhqgcrhqkkprerz.exe .
1⤵
PID:1464
- C:\Windows\ykhqgcrhqkkprerz.exe
  ykhqgcrhqkkprerz.exe .
  2⤵
  PID:6140
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ykhqgcrhqkkprerz.exe*."
    3⤵
    PID:3700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe
1⤵
PID:5756
- C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe
  2⤵
  PID:4552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe .
1⤵
PID:828
- C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe .
  2⤵
  PID:3768
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ocbmectlwsubfujttb.exe*."
    3⤵
    PID:5680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ykaqnyldtjkprerz.exe
1⤵
PID:5964
- C:\Windows\ykaqnyldtjkprerz.exe
  ykaqnyldtjkprerz.exe
  2⤵
  PID:2132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fsqaroevfabhkymvu.exe
1⤵
PID:2828
- C:\Users\Admin\AppData\Local\Temp\fsqaroevfabhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\fsqaroevfabhkymvu.exe
  2⤵
  PID:5328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mcwqrgxtnhmvbsjvxhiy.exe .
1⤵
PID:5928
- C:\Windows\mcwqrgxtnhmvbsjvxhiy.exe
  mcwqrgxtnhmvbsjvxhiy.exe .
  2⤵
  PID:3448
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\mcwqrgxtnhmvbsjvxhiy.exe*."
    3⤵
    PID:5304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe .
1⤵
PID:5824
- C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe .
  2⤵
  PID:5364
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ocbmectlwsubfujttb.exe*."
    3⤵
    PID:3992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fsjaykyrizbhkymvu.exe
1⤵
PID:3708
- C:\Windows\fsjaykyrizbhkymvu.exe
  fsjaykyrizbhkymvu.exe
  2⤵
  PID:5232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocumlynhzrubfujttb.exe .
1⤵
PID:2368
- C:\Windows\ocumlynhzrubfujttb.exe
  ocumlynhzrubfujttb.exe .
  2⤵
  PID:4680
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ocumlynhzrubfujttb.exe*."
    3⤵
    PID:3568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ykaqnyldtjkprerz.exe
1⤵
PID:4388
- C:\Users\Admin\AppData\Local\Temp\ykaqnyldtjkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\ykaqnyldtjkprerz.exe
  2⤵
  PID:5332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcwqrgxtnhmvbsjvxhiy.exe .
1⤵
PID:552
- C:\Users\Admin\AppData\Local\Temp\mcwqrgxtnhmvbsjvxhiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcwqrgxtnhmvbsjvxhiy.exe .
  2⤵
  PID:4416
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\mcwqrgxtnhmvbsjvxhiy.exe*."
    3⤵
    PID:5900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zohaaoezslpxcsitudd.exe
1⤵
PID:456
- C:\Users\Admin\AppData\Local\Temp\zohaaoezslpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\zohaaoezslpxcsitudd.exe
  2⤵
  PID:5172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcwqrgxtnhmvbsjvxhiy.exe .
1⤵
PID:3808
- C:\Users\Admin\AppData\Local\Temp\mcwqrgxtnhmvbsjvxhiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcwqrgxtnhmvbsjvxhiy.exe .
  2⤵
  PID:4412
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\mcwqrgxtnhmvbsjvxhiy.exe*."
    3⤵
    PID:5532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zooatskdpmpxcsitudd.exe
1⤵
PID:5536
- C:\Windows\zooatskdpmpxcsitudd.exe
  zooatskdpmpxcsitudd.exe
  2⤵
  PID:1624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fsqaroevfabhkymvu.exe .
1⤵
PID:4536
- C:\Windows\fsqaroevfabhkymvu.exe
  fsqaroevfabhkymvu.exe .
  2⤵
  PID:5040
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\fsqaroevfabhkymvu.exe*."
    3⤵
    PID:5720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bsuideythglvcumzcnpgi.exe
1⤵
PID:4068
- C:\Windows\bsuideythglvcumzcnpgi.exe
  bsuideythglvcumzcnpgi.exe
  2⤵
  PID:2540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mcdqkkdxkimvbsjvxhiy.exe .
1⤵
PID:4312
- C:\Windows\mcdqkkdxkimvbsjvxhiy.exe
  mcdqkkdxkimvbsjvxhiy.exe .
  2⤵
  PID:2988
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\mcdqkkdxkimvbsjvxhiy.exe*."
    3⤵
    PID:4400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe
1⤵
PID:5036
- C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe
  C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe
  2⤵
  PID:5780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fsqaroevfabhkymvu.exe .
1⤵
PID:4396
- C:\Users\Admin\AppData\Local\Temp\fsqaroevfabhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\fsqaroevfabhkymvu.exe .
  2⤵
  PID:5392
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\fsqaroevfabhkymvu.exe*."
    3⤵
    PID:3440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fsqaroevfabhkymvu.exe
1⤵
PID:3460
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5324
- C:\Windows\fsqaroevfabhkymvu.exe
  fsqaroevfabhkymvu.exe
  2⤵
  PID:1768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bsuideythglvcumzcnpgi.exe .
1⤵
PID:6044
- C:\Windows\bsuideythglvcumzcnpgi.exe
  bsuideythglvcumzcnpgi.exe .
  2⤵
  PID:5764
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\bsuideythglvcumzcnpgi.exe*."
    3⤵
    PID:1364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe
1⤵
PID:1728
- C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe
  2⤵
  PID:5568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe .
1⤵
PID:1040
- C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe
  C:\Users\Admin\AppData\Local\Temp\bsuideythglvcumzcnpgi.exe .
  2⤵
  PID:2120
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bsuideythglvcumzcnpgi.exe*."
    3⤵
    PID:4920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bsuideythglvcumzcnpgi.exe
1⤵
PID:4332
- C:\Windows\bsuideythglvcumzcnpgi.exe
  bsuideythglvcumzcnpgi.exe
  2⤵
  PID:5992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mcdqkkdxkimvbsjvxhiy.exe .
1⤵
PID:4512
- C:\Windows\mcdqkkdxkimvbsjvxhiy.exe
  mcdqkkdxkimvbsjvxhiy.exe .
  2⤵
  PID:3492
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\mcdqkkdxkimvbsjvxhiy.exe*."
    3⤵
    PID:5592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe
1⤵
PID:2716
- C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe
  2⤵
  PID:4420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe .
1⤵
PID:2164
- C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe .
  2⤵
  PID:5940
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe*."
    3⤵
    PID:4316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zooatskdpmpxcsitudd.exe
1⤵
PID:1464
- C:\Windows\zooatskdpmpxcsitudd.exe
  zooatskdpmpxcsitudd.exe
  2⤵
  PID:8

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ykhqgcrhqkkprerz.exe .
1⤵
PID:6096
- C:\Windows\ykhqgcrhqkkprerz.exe
  ykhqgcrhqkkprerz.exe .
  2⤵
  PID:2260
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ykhqgcrhqkkprerz.exe*."
    3⤵
    PID:4864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe
1⤵
PID:5488
- C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe
  2⤵
  PID:2788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ykhqgcrhqkkprerz.exe .
1⤵
PID:1908
- C:\Users\Admin\AppData\Local\Temp\ykhqgcrhqkkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\ykhqgcrhqkkprerz.exe .
  2⤵
  PID:4988
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ykhqgcrhqkkprerz.exe*."
    3⤵
    PID:5040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocbmectlwsubfujttb.exe
1⤵
PID:5560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mcdqkkdxkimvbsjvxhiy.exe .
1⤵
PID:3580
- C:\Windows\mcdqkkdxkimvbsjvxhiy.exe
  mcdqkkdxkimvbsjvxhiy.exe .
  2⤵
  PID:544
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\mcdqkkdxkimvbsjvxhiy.exe*."
    3⤵
    PID:6016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe
1⤵
PID:5292
- C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe
  2⤵
  PID:4312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ykhqgcrhqkkprerz.exe
1⤵
PID:628
- C:\Windows\ykhqgcrhqkkprerz.exe
  ykhqgcrhqkkprerz.exe
  2⤵
  PID:3996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ykhqgcrhqkkprerz.exe .
1⤵
PID:5320
- C:\Users\Admin\AppData\Local\Temp\ykhqgcrhqkkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\ykhqgcrhqkkprerz.exe .
  2⤵
  PID:552
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ykhqgcrhqkkprerz.exe*."
    3⤵
    PID:5536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fsqaroevfabhkymvu.exe .
1⤵
PID:5996
- C:\Windows\fsqaroevfabhkymvu.exe
  fsqaroevfabhkymvu.exe .
  2⤵
  PID:4392
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\fsqaroevfabhkymvu.exe*."
    3⤵
    PID:3740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fsqaroevfabhkymvu.exe
1⤵
PID:4084
- C:\Users\Admin\AppData\Local\Temp\fsqaroevfabhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\fsqaroevfabhkymvu.exe
  2⤵
  PID:3640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ocbmectlwsubfujttb.exe
1⤵
PID:3692
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5404
- C:\Windows\ocbmectlwsubfujttb.exe
  ocbmectlwsubfujttb.exe
  2⤵
  PID:5832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe .
1⤵
PID:5132
- C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe
  C:\Users\Admin\AppData\Local\Temp\mcdqkkdxkimvbsjvxhiy.exe .
  2⤵
  PID:1476
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\mcdqkkdxkimvbsjvxhiy.exe*."
    3⤵
    PID:5360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zooatskdpmpxcsitudd.exe .
1⤵
PID:5620
- C:\Windows\zooatskdpmpxcsitudd.exe
  zooatskdpmpxcsitudd.exe .
  2⤵
  PID:2272
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\zooatskdpmpxcsitudd.exe*."
    3⤵
    PID:2420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe
1⤵
PID:3732
- C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\zooatskdpmpxcsitudd.exe
  2⤵
  PID:2988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe .
1⤵
PID:396
- C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ocbmectlwsubfujttb.exe .
  2⤵
  PID:5036
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ocbmectlwsubfujttb.exe*."
    3⤵
    PID:3096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ykhqgcrhqkkprerz.exe
1⤵
PID:820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Modify Registry