pykspa | 82152e68c39ffa853a1c37a91298921e7707bf0ce29fb0e18668a08d95a7f166

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	mtwzem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	mtwzem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe

Pykspa
Pykspa is a worm spreads via Skype uses DGA and it's written in C++.
worm pykspa
Pykspa family
pykspa

UAC bypass 3 TTPs 24 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mtwzem.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	mtwzem.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	mtwzem.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	mtwzem.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	mtwzem.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mtwzem.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	mtwzem.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	mtwzem.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe

Detect Pykspa worm 2 IoCs

worm

resource	yara_rule
behavioral2/files/0x000d000000023f03-4.dat	family_pykspa
behavioral2/files/0x0007000000024062-84.dat	family_pykspa

Adds policy Run key to start application 2 TTPs 51 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mtwzem = "bxphbyxmqfkvuuhwtvpld.exe"	mtwzem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lpp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ztjzrmjwyloxusdqlld.exe"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lpp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fxlzpidoozahcyhsl.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mtwzem = "ypcpewqazjjpjemw.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lpp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mhypiecqthlvtsesopid.exe"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mtwzem = "fxlzpidoozahcyhsl.exe"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lpp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bxphbyxmqfkvuuhwtvpld.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mtwzem = "fxlzpidoozahcyhsl.exe"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lpp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mhypiecqthlvtsesopid.exe"	mtwzem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mtwzem = "bxphbyxmqfkvuuhwtvpld.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mtwzem = "ohwlcwsefrtbxueqkj.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lpp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mhypiecqthlvtsesopid.exe"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	mtwzem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mtwzem = "mhypiecqthlvtsesopid.exe"	mtwzem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mtwzem = "ohwlcwsefrtbxueqkj.exe"	mtwzem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lpp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bxphbyxmqfkvuuhwtvpld.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lpp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bxphbyxmqfkvuuhwtvpld.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mtwzem = "ypcpewqazjjpjemw.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mtwzem = "ohwlcwsefrtbxueqkj.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mtwzem = "mhypiecqthlvtsesopid.exe"	mtwzem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mtwzem = "ztjzrmjwyloxusdqlld.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mtwzem = "fxlzpidoozahcyhsl.exe"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mtwzem = "ztjzrmjwyloxusdqlld.exe"	mtwzem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lpp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohwlcwsefrtbxueqkj.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mtwzem = "bxphbyxmqfkvuuhwtvpld.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lpp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypcpewqazjjpjemw.exe"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	mtwzem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lpp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypcpewqazjjpjemw.exe"	mtwzem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mtwzem = "ypcpewqazjjpjemw.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lpp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ztjzrmjwyloxusdqlld.exe"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mtwzem = "ypcpewqazjjpjemw.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lpp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bxphbyxmqfkvuuhwtvpld.exe"	mtwzem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lpp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fxlzpidoozahcyhsl.exe"	mtwzem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mtwzem = "fxlzpidoozahcyhsl.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lpp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fxlzpidoozahcyhsl.exe"	mtwzem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lpp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ztjzrmjwyloxusdqlld.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lpp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fxlzpidoozahcyhsl.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lpp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bxphbyxmqfkvuuhwtvpld.exe"	abqgjobtkla.exe

Blocklisted process makes network request 5 IoCs

flow	pid	Process
55	3696	Process not Found
58	3696	Process not Found
62	3696	Process not Found
64	3696	Process not Found
66	3696	Process not Found

Disables RegEdit via registry modification 6 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	abqgjobtkla.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	mtwzem.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	mtwzem.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	mtwzem.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	mtwzem.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ohwlcwsefrtbxueqkj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	fxlzpidoozahcyhsl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ohwlcwsefrtbxueqkj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	fxlzpidoozahcyhsl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	fxlzpidoozahcyhsl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ztjzrmjwyloxusdqlld.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	mhypiecqthlvtsesopid.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ypcpewqazjjpjemw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ztjzrmjwyloxusdqlld.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	mhypiecqthlvtsesopid.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	mhypiecqthlvtsesopid.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	fxlzpidoozahcyhsl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	mhypiecqthlvtsesopid.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	bxphbyxmqfkvuuhwtvpld.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ztjzrmjwyloxusdqlld.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	bxphbyxmqfkvuuhwtvpld.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	bxphbyxmqfkvuuhwtvpld.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	bxphbyxmqfkvuuhwtvpld.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	bxphbyxmqfkvuuhwtvpld.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	bxphbyxmqfkvuuhwtvpld.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	bxphbyxmqfkvuuhwtvpld.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ohwlcwsefrtbxueqkj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	bxphbyxmqfkvuuhwtvpld.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ztjzrmjwyloxusdqlld.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ohwlcwsefrtbxueqkj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	abqgjobtkla.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	bxphbyxmqfkvuuhwtvpld.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ypcpewqazjjpjemw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ypcpewqazjjpjemw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	fxlzpidoozahcyhsl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ztjzrmjwyloxusdqlld.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ohwlcwsefrtbxueqkj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ohwlcwsefrtbxueqkj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ztjzrmjwyloxusdqlld.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	bxphbyxmqfkvuuhwtvpld.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ypcpewqazjjpjemw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ztjzrmjwyloxusdqlld.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ztjzrmjwyloxusdqlld.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	fxlzpidoozahcyhsl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	mhypiecqthlvtsesopid.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	bxphbyxmqfkvuuhwtvpld.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ypcpewqazjjpjemw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	mhypiecqthlvtsesopid.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ohwlcwsefrtbxueqkj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	mhypiecqthlvtsesopid.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ztjzrmjwyloxusdqlld.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	fxlzpidoozahcyhsl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	bxphbyxmqfkvuuhwtvpld.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ohwlcwsefrtbxueqkj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ypcpewqazjjpjemw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	bxphbyxmqfkvuuhwtvpld.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	fxlzpidoozahcyhsl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	fxlzpidoozahcyhsl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ztjzrmjwyloxusdqlld.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ztjzrmjwyloxusdqlld.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ohwlcwsefrtbxueqkj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ypcpewqazjjpjemw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ypcpewqazjjpjemw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ohwlcwsefrtbxueqkj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ypcpewqazjjpjemw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	fxlzpidoozahcyhsl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	mhypiecqthlvtsesopid.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	bxphbyxmqfkvuuhwtvpld.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	bxphbyxmqfkvuuhwtvpld.exe

Executes dropped EXE 64 IoCs

pid	Process
2788	abqgjobtkla.exe
408	ohwlcwsefrtbxueqkj.exe
1168	ohwlcwsefrtbxueqkj.exe
3104	abqgjobtkla.exe
2732	ypcpewqazjjpjemw.exe
2104	bxphbyxmqfkvuuhwtvpld.exe
3984	ohwlcwsefrtbxueqkj.exe
4344	fxlzpidoozahcyhsl.exe
2088	abqgjobtkla.exe
3476	abqgjobtkla.exe
3856	fxlzpidoozahcyhsl.exe
1088	bxphbyxmqfkvuuhwtvpld.exe
4028	abqgjobtkla.exe
4900	mtwzem.exe
3772	mtwzem.exe
4312	ypcpewqazjjpjemw.exe
2784	bxphbyxmqfkvuuhwtvpld.exe
3084	bxphbyxmqfkvuuhwtvpld.exe
5028	ohwlcwsefrtbxueqkj.exe
4496	abqgjobtkla.exe
412	ztjzrmjwyloxusdqlld.exe
5020	abqgjobtkla.exe
2392	ypcpewqazjjpjemw.exe
4980	fxlzpidoozahcyhsl.exe
2792	ztjzrmjwyloxusdqlld.exe
3428	bxphbyxmqfkvuuhwtvpld.exe
4840	abqgjobtkla.exe
2784	abqgjobtkla.exe
1168	bxphbyxmqfkvuuhwtvpld.exe
2260	ztjzrmjwyloxusdqlld.exe
3844	ohwlcwsefrtbxueqkj.exe
4420	bxphbyxmqfkvuuhwtvpld.exe
1736	mhypiecqthlvtsesopid.exe
4432	ypcpewqazjjpjemw.exe
4512	ypcpewqazjjpjemw.exe
3432	abqgjobtkla.exe
4452	abqgjobtkla.exe
2756	abqgjobtkla.exe
3468	abqgjobtkla.exe
4852	ypcpewqazjjpjemw.exe
4988	ohwlcwsefrtbxueqkj.exe
4772	abqgjobtkla.exe
4480	ypcpewqazjjpjemw.exe
4284	ztjzrmjwyloxusdqlld.exe
1580	ztjzrmjwyloxusdqlld.exe
808	abqgjobtkla.exe
1264	ztjzrmjwyloxusdqlld.exe
1168	abqgjobtkla.exe
3988	bxphbyxmqfkvuuhwtvpld.exe
4348	bxphbyxmqfkvuuhwtvpld.exe
404	abqgjobtkla.exe
5048	ztjzrmjwyloxusdqlld.exe
3228	ypcpewqazjjpjemw.exe
2056	ztjzrmjwyloxusdqlld.exe
4496	bxphbyxmqfkvuuhwtvpld.exe
4324	fxlzpidoozahcyhsl.exe
2948	mhypiecqthlvtsesopid.exe
972	abqgjobtkla.exe
3316	ztjzrmjwyloxusdqlld.exe
4648	abqgjobtkla.exe
2904	abqgjobtkla.exe
3032	ypcpewqazjjpjemw.exe
4432	ypcpewqazjjpjemw.exe
4724	mhypiecqthlvtsesopid.exe

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	mtwzem.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	mtwzem.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	mtwzem.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	mtwzem.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	mtwzem.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	mtwzem.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

defense_evasion persistence privilege_escalation

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zhlpvep = "ypcpewqazjjpjemw.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oxchoykm = "bxphbyxmqfkvuuhwtvpld.exe ."	mtwzem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bhjlp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bxphbyxmqfkvuuhwtvpld.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yjqxgsgkdh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ztjzrmjwyloxusdqlld.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sxyz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ztjzrmjwyloxusdqlld.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhjlp = "mhypiecqthlvtsesopid.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhjlp = "mhypiecqthlvtsesopid.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sxyz = "ohwlcwsefrtbxueqkj.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zhlpvep = "fxlzpidoozahcyhsl.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sxyz = "ohwlcwsefrtbxueqkj.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zhlpvep = "ypcpewqazjjpjemw.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oxchoykm = "ztjzrmjwyloxusdqlld.exe ."	mtwzem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zhlpvep = "fxlzpidoozahcyhsl.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oxchoykm = "mhypiecqthlvtsesopid.exe ."	mtwzem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bhjlp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypcpewqazjjpjemw.exe ."	mtwzem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yjqxgsgkdh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohwlcwsefrtbxueqkj.exe"	mtwzem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fpvbjuhkc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ztjzrmjwyloxusdqlld.exe ."	mtwzem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zhlpvep = "mhypiecqthlvtsesopid.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yjqxgsgkdh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bxphbyxmqfkvuuhwtvpld.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhjlp = "ztjzrmjwyloxusdqlld.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhjlp = "ohwlcwsefrtbxueqkj.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yjqxgsgkdh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fxlzpidoozahcyhsl.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sxyz = "ztjzrmjwyloxusdqlld.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bhjlp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ztjzrmjwyloxusdqlld.exe ."	mtwzem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhjlp = "fxlzpidoozahcyhsl.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fpvbjuhkc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypcpewqazjjpjemw.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oxchoykm = "bxphbyxmqfkvuuhwtvpld.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yjqxgsgkdh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fxlzpidoozahcyhsl.exe"	mtwzem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhjlp = "ypcpewqazjjpjemw.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhjlp = "mhypiecqthlvtsesopid.exe ."	mtwzem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sxyz = "ohwlcwsefrtbxueqkj.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fpvbjuhkc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ztjzrmjwyloxusdqlld.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oxchoykm = "fxlzpidoozahcyhsl.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sxyz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohwlcwsefrtbxueqkj.exe"	mtwzem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fpvbjuhkc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ztjzrmjwyloxusdqlld.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sxyz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypcpewqazjjpjemw.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yjqxgsgkdh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohwlcwsefrtbxueqkj.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sxyz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fxlzpidoozahcyhsl.exe"	mtwzem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhjlp = "ztjzrmjwyloxusdqlld.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oxchoykm = "ypcpewqazjjpjemw.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yjqxgsgkdh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fxlzpidoozahcyhsl.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sxyz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypcpewqazjjpjemw.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sxyz = "mhypiecqthlvtsesopid.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oxchoykm = "ztjzrmjwyloxusdqlld.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fpvbjuhkc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fxlzpidoozahcyhsl.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sxyz = "bxphbyxmqfkvuuhwtvpld.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sxyz = "ypcpewqazjjpjemw.exe"	mtwzem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fpvbjuhkc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohwlcwsefrtbxueqkj.exe ."	mtwzem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oxchoykm = "ztjzrmjwyloxusdqlld.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhjlp = "mhypiecqthlvtsesopid.exe ."	mtwzem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zhlpvep = "ztjzrmjwyloxusdqlld.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yjqxgsgkdh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohwlcwsefrtbxueqkj.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sxyz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bxphbyxmqfkvuuhwtvpld.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oxchoykm = "fxlzpidoozahcyhsl.exe ."	mtwzem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sxyz = "bxphbyxmqfkvuuhwtvpld.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sxyz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mhypiecqthlvtsesopid.exe"	mtwzem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sxyz = "ztjzrmjwyloxusdqlld.exe"	mtwzem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fpvbjuhkc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bxphbyxmqfkvuuhwtvpld.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yjqxgsgkdh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohwlcwsefrtbxueqkj.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oxchoykm = "ypcpewqazjjpjemw.exe ."	mtwzem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhjlp = "ypcpewqazjjpjemw.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oxchoykm = "mhypiecqthlvtsesopid.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bhjlp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bxphbyxmqfkvuuhwtvpld.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fpvbjuhkc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohwlcwsefrtbxueqkj.exe ."	abqgjobtkla.exe

Checks whether UAC is enabled 1 TTPs 30 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mtwzem.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mtwzem.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mtwzem.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mtwzem.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs

Possible Turn off User Account Control's privilege elevation for standard users.

Executable Installer File Permissions Weakness

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	mtwzem.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	mtwzem.exe

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
25	www.showmyipaddress.com
29	whatismyipaddress.com
36	whatismyip.everdot.org
42	www.whatismyip.ca
51	www.whatismyip.ca

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\bxphbyxmqfkvuuhwtvpld.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\fxlzpidoozahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\spibwuukpflxxymcadyvoh.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\fxlzpidoozahcyhsl.exe	mtwzem.exe
File opened for modification	C:\Windows\SysWOW64\ohwlcwsefrtbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\fxlzpidoozahcyhsl.exe	mtwzem.exe
File opened for modification	C:\Windows\SysWOW64\ohwlcwsefrtbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\spibwuukpflxxymcadyvoh.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ohwlcwsefrtbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ztjzrmjwyloxusdqlld.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\bxphbyxmqfkvuuhwtvpld.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\bxphbyxmqfkvuuhwtvpld.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ohwlcwsefrtbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ypcpewqazjjpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ztjzrmjwyloxusdqlld.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ypcpewqazjjpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\fxlzpidoozahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\bxphbyxmqfkvuuhwtvpld.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ypcpewqazjjpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ypcpewqazjjpjemw.exe	mtwzem.exe
File opened for modification	C:\Windows\SysWOW64\bxphbyxmqfkvuuhwtvpld.exe	mtwzem.exe
File opened for modification	C:\Windows\SysWOW64\fxlzpidoozahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\fxlzpidoozahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ypcpewqazjjpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\mhypiecqthlvtsesopid.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\fxlzpidoozahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ztjzrmjwyloxusdqlld.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ohwlcwsefrtbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\bxphbyxmqfkvuuhwtvpld.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\mhypiecqthlvtsesopid.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\fxlzpidoozahcyhsl.exe	abqgjobtkla.exe
File created	C:\Windows\SysWOW64\tfnvfshmglghwmpuhzjvdlvixcwbwxmcf.xpz	mtwzem.exe
File opened for modification	C:\Windows\SysWOW64\ztjzrmjwyloxusdqlld.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\spibwuukpflxxymcadyvoh.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\fxlzpidoozahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\bxphbyxmqfkvuuhwtvpld.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ztjzrmjwyloxusdqlld.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\mhypiecqthlvtsesopid.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\bxphbyxmqfkvuuhwtvpld.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ztjzrmjwyloxusdqlld.exe	mtwzem.exe
File opened for modification	C:\Windows\SysWOW64\cdaxwycwfzjzdiauwdcdax.ycw	mtwzem.exe
File created	C:\Windows\SysWOW64\cdaxwycwfzjzdiauwdcdax.ycw	mtwzem.exe
File opened for modification	C:\Windows\SysWOW64\mhypiecqthlvtsesopid.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\fxlzpidoozahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\spibwuukpflxxymcadyvoh.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ypcpewqazjjpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\fxlzpidoozahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ohwlcwsefrtbxueqkj.exe	mtwzem.exe
File opened for modification	C:\Windows\SysWOW64\spibwuukpflxxymcadyvoh.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\mhypiecqthlvtsesopid.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\fxlzpidoozahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ohwlcwsefrtbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ztjzrmjwyloxusdqlld.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ypcpewqazjjpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ohwlcwsefrtbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\mhypiecqthlvtsesopid.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\fxlzpidoozahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\mhypiecqthlvtsesopid.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ypcpewqazjjpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ztjzrmjwyloxusdqlld.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\fxlzpidoozahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\bxphbyxmqfkvuuhwtvpld.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ypcpewqazjjpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ztjzrmjwyloxusdqlld.exe	abqgjobtkla.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\cdaxwycwfzjzdiauwdcdax.ycw	mtwzem.exe
File created	C:\Program Files (x86)\cdaxwycwfzjzdiauwdcdax.ycw	mtwzem.exe
File opened for modification	C:\Program Files (x86)\tfnvfshmglghwmpuhzjvdlvixcwbwxmcf.xpz	mtwzem.exe
File created	C:\Program Files (x86)\tfnvfshmglghwmpuhzjvdlvixcwbwxmcf.xpz	mtwzem.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\spibwuukpflxxymcadyvoh.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ypcpewqazjjpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ypcpewqazjjpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ohwlcwsefrtbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\spibwuukpflxxymcadyvoh.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ypcpewqazjjpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ztjzrmjwyloxusdqlld.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\fxlzpidoozahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\mhypiecqthlvtsesopid.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\spibwuukpflxxymcadyvoh.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\mhypiecqthlvtsesopid.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ohwlcwsefrtbxueqkj.exe	mtwzem.exe
File opened for modification	C:\Windows\cdaxwycwfzjzdiauwdcdax.ycw	mtwzem.exe
File opened for modification	C:\Windows\tfnvfshmglghwmpuhzjvdlvixcwbwxmcf.xpz	mtwzem.exe
File created	C:\Windows\tfnvfshmglghwmpuhzjvdlvixcwbwxmcf.xpz	mtwzem.exe
File opened for modification	C:\Windows\ohwlcwsefrtbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\mhypiecqthlvtsesopid.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ztjzrmjwyloxusdqlld.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\bxphbyxmqfkvuuhwtvpld.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\fxlzpidoozahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ohwlcwsefrtbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\fxlzpidoozahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\fxlzpidoozahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\fxlzpidoozahcyhsl.exe	mtwzem.exe
File opened for modification	C:\Windows\ohwlcwsefrtbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ztjzrmjwyloxusdqlld.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ohwlcwsefrtbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ztjzrmjwyloxusdqlld.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\mhypiecqthlvtsesopid.exe	mtwzem.exe
File opened for modification	C:\Windows\bxphbyxmqfkvuuhwtvpld.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ypcpewqazjjpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ztjzrmjwyloxusdqlld.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\bxphbyxmqfkvuuhwtvpld.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ztjzrmjwyloxusdqlld.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ypcpewqazjjpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\spibwuukpflxxymcadyvoh.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ohwlcwsefrtbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ohwlcwsefrtbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\spibwuukpflxxymcadyvoh.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ztjzrmjwyloxusdqlld.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\spibwuukpflxxymcadyvoh.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\fxlzpidoozahcyhsl.exe	mtwzem.exe
File opened for modification	C:\Windows\fxlzpidoozahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ztjzrmjwyloxusdqlld.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\fxlzpidoozahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ohwlcwsefrtbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\fxlzpidoozahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\mhypiecqthlvtsesopid.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ohwlcwsefrtbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\mhypiecqthlvtsesopid.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\fxlzpidoozahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ypcpewqazjjpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\bxphbyxmqfkvuuhwtvpld.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ypcpewqazjjpjemw.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\bxphbyxmqfkvuuhwtvpld.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\mhypiecqthlvtsesopid.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\mhypiecqthlvtsesopid.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\bxphbyxmqfkvuuhwtvpld.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\spibwuukpflxxymcadyvoh.exe	mtwzem.exe
File opened for modification	C:\Windows\ztjzrmjwyloxusdqlld.exe	mtwzem.exe
File opened for modification	C:\Windows\bxphbyxmqfkvuuhwtvpld.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\fxlzpidoozahcyhsl.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ohwlcwsefrtbxueqkj.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\mhypiecqthlvtsesopid.exe	abqgjobtkla.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_93c93c4012acf31e3af800ff24104c6c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bxphbyxmqfkvuuhwtvpld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fxlzpidoozahcyhsl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ztjzrmjwyloxusdqlld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ohwlcwsefrtbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ypcpewqazjjpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bxphbyxmqfkvuuhwtvpld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ztjzrmjwyloxusdqlld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bxphbyxmqfkvuuhwtvpld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mhypiecqthlvtsesopid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bxphbyxmqfkvuuhwtvpld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fxlzpidoozahcyhsl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ohwlcwsefrtbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mhypiecqthlvtsesopid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ypcpewqazjjpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bxphbyxmqfkvuuhwtvpld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bxphbyxmqfkvuuhwtvpld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mhypiecqthlvtsesopid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ypcpewqazjjpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mhypiecqthlvtsesopid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ohwlcwsefrtbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ohwlcwsefrtbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mtwzem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bxphbyxmqfkvuuhwtvpld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fxlzpidoozahcyhsl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ypcpewqazjjpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ztjzrmjwyloxusdqlld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mhypiecqthlvtsesopid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fxlzpidoozahcyhsl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ohwlcwsefrtbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bxphbyxmqfkvuuhwtvpld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ohwlcwsefrtbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fxlzpidoozahcyhsl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fxlzpidoozahcyhsl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ypcpewqazjjpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mhypiecqthlvtsesopid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ypcpewqazjjpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ohwlcwsefrtbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mhypiecqthlvtsesopid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bxphbyxmqfkvuuhwtvpld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ypcpewqazjjpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ypcpewqazjjpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ztjzrmjwyloxusdqlld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bxphbyxmqfkvuuhwtvpld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ypcpewqazjjpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fxlzpidoozahcyhsl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ypcpewqazjjpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bxphbyxmqfkvuuhwtvpld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mhypiecqthlvtsesopid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mhypiecqthlvtsesopid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ypcpewqazjjpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bxphbyxmqfkvuuhwtvpld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ztjzrmjwyloxusdqlld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ztjzrmjwyloxusdqlld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fxlzpidoozahcyhsl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ztjzrmjwyloxusdqlld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ohwlcwsefrtbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ztjzrmjwyloxusdqlld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abqgjobtkla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ohwlcwsefrtbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bxphbyxmqfkvuuhwtvpld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ohwlcwsefrtbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ztjzrmjwyloxusdqlld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bxphbyxmqfkvuuhwtvpld.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
776	JaffaCakes118_93c93c4012acf31e3af800ff24104c6c.exe
776	JaffaCakes118_93c93c4012acf31e3af800ff24104c6c.exe
776	JaffaCakes118_93c93c4012acf31e3af800ff24104c6c.exe
776	JaffaCakes118_93c93c4012acf31e3af800ff24104c6c.exe
776	JaffaCakes118_93c93c4012acf31e3af800ff24104c6c.exe
776	JaffaCakes118_93c93c4012acf31e3af800ff24104c6c.exe
776	JaffaCakes118_93c93c4012acf31e3af800ff24104c6c.exe
776	JaffaCakes118_93c93c4012acf31e3af800ff24104c6c.exe
776	JaffaCakes118_93c93c4012acf31e3af800ff24104c6c.exe
776	JaffaCakes118_93c93c4012acf31e3af800ff24104c6c.exe
776	JaffaCakes118_93c93c4012acf31e3af800ff24104c6c.exe
776	JaffaCakes118_93c93c4012acf31e3af800ff24104c6c.exe
776	JaffaCakes118_93c93c4012acf31e3af800ff24104c6c.exe
776	JaffaCakes118_93c93c4012acf31e3af800ff24104c6c.exe
776	JaffaCakes118_93c93c4012acf31e3af800ff24104c6c.exe
776	JaffaCakes118_93c93c4012acf31e3af800ff24104c6c.exe
4900	mtwzem.exe
4900	mtwzem.exe
776	JaffaCakes118_93c93c4012acf31e3af800ff24104c6c.exe
776	JaffaCakes118_93c93c4012acf31e3af800ff24104c6c.exe
776	JaffaCakes118_93c93c4012acf31e3af800ff24104c6c.exe
776	JaffaCakes118_93c93c4012acf31e3af800ff24104c6c.exe
776	JaffaCakes118_93c93c4012acf31e3af800ff24104c6c.exe
776	JaffaCakes118_93c93c4012acf31e3af800ff24104c6c.exe
776	JaffaCakes118_93c93c4012acf31e3af800ff24104c6c.exe
776	JaffaCakes118_93c93c4012acf31e3af800ff24104c6c.exe
776	JaffaCakes118_93c93c4012acf31e3af800ff24104c6c.exe
776	JaffaCakes118_93c93c4012acf31e3af800ff24104c6c.exe
776	JaffaCakes118_93c93c4012acf31e3af800ff24104c6c.exe
776	JaffaCakes118_93c93c4012acf31e3af800ff24104c6c.exe
776	JaffaCakes118_93c93c4012acf31e3af800ff24104c6c.exe
776	JaffaCakes118_93c93c4012acf31e3af800ff24104c6c.exe
776	JaffaCakes118_93c93c4012acf31e3af800ff24104c6c.exe
776	JaffaCakes118_93c93c4012acf31e3af800ff24104c6c.exe
776	JaffaCakes118_93c93c4012acf31e3af800ff24104c6c.exe
776	JaffaCakes118_93c93c4012acf31e3af800ff24104c6c.exe
776	JaffaCakes118_93c93c4012acf31e3af800ff24104c6c.exe
776	JaffaCakes118_93c93c4012acf31e3af800ff24104c6c.exe
776	JaffaCakes118_93c93c4012acf31e3af800ff24104c6c.exe
776	JaffaCakes118_93c93c4012acf31e3af800ff24104c6c.exe
776	JaffaCakes118_93c93c4012acf31e3af800ff24104c6c.exe
776	JaffaCakes118_93c93c4012acf31e3af800ff24104c6c.exe
776	JaffaCakes118_93c93c4012acf31e3af800ff24104c6c.exe
776	JaffaCakes118_93c93c4012acf31e3af800ff24104c6c.exe
776	JaffaCakes118_93c93c4012acf31e3af800ff24104c6c.exe
776	JaffaCakes118_93c93c4012acf31e3af800ff24104c6c.exe
776	JaffaCakes118_93c93c4012acf31e3af800ff24104c6c.exe
776	JaffaCakes118_93c93c4012acf31e3af800ff24104c6c.exe
776	JaffaCakes118_93c93c4012acf31e3af800ff24104c6c.exe
776	JaffaCakes118_93c93c4012acf31e3af800ff24104c6c.exe
776	JaffaCakes118_93c93c4012acf31e3af800ff24104c6c.exe
776	JaffaCakes118_93c93c4012acf31e3af800ff24104c6c.exe
776	JaffaCakes118_93c93c4012acf31e3af800ff24104c6c.exe
776	JaffaCakes118_93c93c4012acf31e3af800ff24104c6c.exe
776	JaffaCakes118_93c93c4012acf31e3af800ff24104c6c.exe
776	JaffaCakes118_93c93c4012acf31e3af800ff24104c6c.exe
776	JaffaCakes118_93c93c4012acf31e3af800ff24104c6c.exe
776	JaffaCakes118_93c93c4012acf31e3af800ff24104c6c.exe
4900	mtwzem.exe
4900	mtwzem.exe
776	JaffaCakes118_93c93c4012acf31e3af800ff24104c6c.exe
776	JaffaCakes118_93c93c4012acf31e3af800ff24104c6c.exe
776	JaffaCakes118_93c93c4012acf31e3af800ff24104c6c.exe
776	JaffaCakes118_93c93c4012acf31e3af800ff24104c6c.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4900	mtwzem.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 776 wrote to memory of 2788	776	JaffaCakes118_93c93c4012acf31e3af800ff24104c6c.exe	88
PID 776 wrote to memory of 2788	776	JaffaCakes118_93c93c4012acf31e3af800ff24104c6c.exe	88
PID 776 wrote to memory of 2788	776	JaffaCakes118_93c93c4012acf31e3af800ff24104c6c.exe	88
PID 244 wrote to memory of 408	244	cmd.exe	93
PID 244 wrote to memory of 408	244	cmd.exe	93
PID 244 wrote to memory of 408	244	cmd.exe	93
PID 3084 wrote to memory of 1168	3084	cmd.exe	96
PID 3084 wrote to memory of 1168	3084	cmd.exe	96
PID 3084 wrote to memory of 1168	3084	cmd.exe	96
PID 1168 wrote to memory of 3104	1168	ohwlcwsefrtbxueqkj.exe	99
PID 1168 wrote to memory of 3104	1168	ohwlcwsefrtbxueqkj.exe	99
PID 1168 wrote to memory of 3104	1168	ohwlcwsefrtbxueqkj.exe	99
PID 2568 wrote to memory of 2732	2568	cmd.exe	102
PID 2568 wrote to memory of 2732	2568	cmd.exe	102
PID 2568 wrote to memory of 2732	2568	cmd.exe	102
PID 4492 wrote to memory of 2104	4492	cmd.exe	105
PID 4492 wrote to memory of 2104	4492	cmd.exe	105
PID 4492 wrote to memory of 2104	4492	cmd.exe	105
PID 5028 wrote to memory of 3984	5028	cmd.exe	189
PID 5028 wrote to memory of 3984	5028	cmd.exe	189
PID 5028 wrote to memory of 3984	5028	cmd.exe	189
PID 940 wrote to memory of 4344	940	cmd.exe	109
PID 940 wrote to memory of 4344	940	cmd.exe	109
PID 940 wrote to memory of 4344	940	cmd.exe	109
PID 2104 wrote to memory of 2088	2104	bxphbyxmqfkvuuhwtvpld.exe	110
PID 2104 wrote to memory of 2088	2104	bxphbyxmqfkvuuhwtvpld.exe	110
PID 2104 wrote to memory of 2088	2104	bxphbyxmqfkvuuhwtvpld.exe	110
PID 4344 wrote to memory of 3476	4344	fxlzpidoozahcyhsl.exe	113
PID 4344 wrote to memory of 3476	4344	fxlzpidoozahcyhsl.exe	113
PID 4344 wrote to memory of 3476	4344	fxlzpidoozahcyhsl.exe	113
PID 4340 wrote to memory of 3856	4340	cmd.exe	118
PID 4340 wrote to memory of 3856	4340	cmd.exe	118
PID 4340 wrote to memory of 3856	4340	cmd.exe	118
PID 5056 wrote to memory of 1088	5056	cmd.exe	119
PID 5056 wrote to memory of 1088	5056	cmd.exe	119
PID 5056 wrote to memory of 1088	5056	cmd.exe	119
PID 1088 wrote to memory of 4028	1088	bxphbyxmqfkvuuhwtvpld.exe	120
PID 1088 wrote to memory of 4028	1088	bxphbyxmqfkvuuhwtvpld.exe	120
PID 1088 wrote to memory of 4028	1088	bxphbyxmqfkvuuhwtvpld.exe	120
PID 2788 wrote to memory of 4900	2788	abqgjobtkla.exe	121
PID 2788 wrote to memory of 4900	2788	abqgjobtkla.exe	121
PID 2788 wrote to memory of 4900	2788	abqgjobtkla.exe	121
PID 2788 wrote to memory of 3772	2788	abqgjobtkla.exe	122
PID 2788 wrote to memory of 3772	2788	abqgjobtkla.exe	122
PID 2788 wrote to memory of 3772	2788	abqgjobtkla.exe	122
PID 1608 wrote to memory of 4312	1608	cmd.exe	282
PID 1608 wrote to memory of 4312	1608	cmd.exe	282
PID 1608 wrote to memory of 4312	1608	cmd.exe	282
PID 2316 wrote to memory of 2784	2316	cmd.exe	168
PID 2316 wrote to memory of 2784	2316	cmd.exe	168
PID 2316 wrote to memory of 2784	2316	cmd.exe	168
PID 668 wrote to memory of 3084	668	cmd.exe	132
PID 668 wrote to memory of 3084	668	cmd.exe	132
PID 668 wrote to memory of 3084	668	cmd.exe	132
PID 3240 wrote to memory of 5028	3240	cmd.exe	335
PID 3240 wrote to memory of 5028	3240	cmd.exe	335
PID 3240 wrote to memory of 5028	3240	cmd.exe	335
PID 3084 wrote to memory of 4496	3084	bxphbyxmqfkvuuhwtvpld.exe	270
PID 3084 wrote to memory of 4496	3084	bxphbyxmqfkvuuhwtvpld.exe	270
PID 3084 wrote to memory of 4496	3084	bxphbyxmqfkvuuhwtvpld.exe	270
PID 1112 wrote to memory of 412	1112	cmd.exe	145
PID 1112 wrote to memory of 412	1112	cmd.exe	145
PID 1112 wrote to memory of 412	1112	cmd.exe	145
PID 5028 wrote to memory of 5020	5028	ohwlcwsefrtbxueqkj.exe	211

System policy modification 1 TTPs 60 IoCs

defense_evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	mtwzem.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	mtwzem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	mtwzem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	mtwzem.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	mtwzem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	mtwzem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	mtwzem.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	mtwzem.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	mtwzem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	mtwzem.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	mtwzem.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	mtwzem.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	mtwzem.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mtwzem.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	mtwzem.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	mtwzem.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mtwzem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	mtwzem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	mtwzem.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	mtwzem.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	mtwzem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	mtwzem.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	mtwzem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	mtwzem.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_93c93c4012acf31e3af800ff24104c6c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_93c93c4012acf31e3af800ff24104c6c.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:776
- C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
  "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_93c93c4012acf31e3af800ff24104c6c.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2788
- - C:\Users\Admin\AppData\Local\Temp\mtwzem.exe
    "C:\Users\Admin\AppData\Local\Temp\mtwzem.exe" "-C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:4900
- - C:\Users\Admin\AppData\Local\Temp\mtwzem.exe
    "C:\Users\Admin\AppData\Local\Temp\mtwzem.exe" "-C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohwlcwsefrtbxueqkj.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:244
- C:\Windows\ohwlcwsefrtbxueqkj.exe
  ohwlcwsefrtbxueqkj.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohwlcwsefrtbxueqkj.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:3084
- C:\Windows\ohwlcwsefrtbxueqkj.exe
  ohwlcwsefrtbxueqkj.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1168
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ohwlcwsefrtbxueqkj.exe*."
    3⤵
    - Executes dropped EXE
    PID:3104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypcpewqazjjpjemw.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Windows\ypcpewqazjjpjemw.exe
  ypcpewqazjjpjemw.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxphbyxmqfkvuuhwtvpld.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:4492
- C:\Windows\bxphbyxmqfkvuuhwtvpld.exe
  bxphbyxmqfkvuuhwtvpld.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\bxphbyxmqfkvuuhwtvpld.exe*."
    3⤵
    - Executes dropped EXE
    PID:2088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5028
- C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:940
- C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4344
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\fxlzpidoozahcyhsl.exe*."
    3⤵
    - Executes dropped EXE
    PID:3476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4340
- C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe
  2⤵
  - Executes dropped EXE
  PID:3856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:5056
- C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe
  C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1088
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\bxphbyxmqfkvuuhwtvpld.exe*."
    3⤵
    - Executes dropped EXE
    PID:4028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypcpewqazjjpjemw.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Windows\ypcpewqazjjpjemw.exe
  ypcpewqazjjpjemw.exe
  2⤵
  - Executes dropped EXE
  PID:4312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxphbyxmqfkvuuhwtvpld.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\bxphbyxmqfkvuuhwtvpld.exe
  bxphbyxmqfkvuuhwtvpld.exe
  2⤵
  - Executes dropped EXE
  PID:2784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxphbyxmqfkvuuhwtvpld.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:668
- C:\Windows\bxphbyxmqfkvuuhwtvpld.exe
  bxphbyxmqfkvuuhwtvpld.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3084
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\bxphbyxmqfkvuuhwtvpld.exe*."
    3⤵
    - Executes dropped EXE
    PID:4496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohwlcwsefrtbxueqkj.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:3240
- C:\Windows\ohwlcwsefrtbxueqkj.exe
  ohwlcwsefrtbxueqkj.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5028
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ohwlcwsefrtbxueqkj.exe*."
    3⤵
    - Executes dropped EXE
    PID:5020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztjzrmjwyloxusdqlld.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Windows\ztjzrmjwyloxusdqlld.exe
  ztjzrmjwyloxusdqlld.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypcpewqazjjpjemw.exe .
1⤵
PID:4820
- C:\Windows\ypcpewqazjjpjemw.exe
  ypcpewqazjjpjemw.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2392
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ypcpewqazjjpjemw.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztjzrmjwyloxusdqlld.exe
1⤵
PID:3904
- C:\Windows\ztjzrmjwyloxusdqlld.exe
  ztjzrmjwyloxusdqlld.exe
  2⤵
  - Executes dropped EXE
  PID:2792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe
1⤵
PID:4852
- C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe
  2⤵
  - Executes dropped EXE
  PID:4980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxphbyxmqfkvuuhwtvpld.exe .
1⤵
PID:724
- C:\Windows\bxphbyxmqfkvuuhwtvpld.exe
  bxphbyxmqfkvuuhwtvpld.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3428
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\bxphbyxmqfkvuuhwtvpld.exe*."
    3⤵
    - Executes dropped EXE
    PID:2784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe .
1⤵
PID:1356
- C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3844
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ohwlcwsefrtbxueqkj.exe*."
    3⤵
    - Executes dropped EXE
    PID:3432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe
1⤵
PID:4448
- C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe
  C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe .
1⤵
PID:464
- C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe
  C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1168
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\bxphbyxmqfkvuuhwtvpld.exe*."
    3⤵
    - Executes dropped EXE
    PID:4452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe
1⤵
PID:4356
- C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe
  C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe
  2⤵
  - Executes dropped EXE
  PID:4420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe .
1⤵
PID:4528
- C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4512
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ypcpewqazjjpjemw.exe*."
    3⤵
    - Executes dropped EXE
    PID:2756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe
1⤵
PID:1012
- C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe
  C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe
  2⤵
  - Executes dropped EXE
  PID:1736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe .
1⤵
PID:4280
- C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4432
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ypcpewqazjjpjemw.exe*."
    3⤵
    - Executes dropped EXE
    PID:3468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypcpewqazjjpjemw.exe
1⤵
PID:4244
- C:\Windows\ypcpewqazjjpjemw.exe
  ypcpewqazjjpjemw.exe
  2⤵
  - Executes dropped EXE
  PID:4852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohwlcwsefrtbxueqkj.exe .
1⤵
PID:2392
- C:\Windows\ohwlcwsefrtbxueqkj.exe
  ohwlcwsefrtbxueqkj.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4988
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ohwlcwsefrtbxueqkj.exe*."
    3⤵
    - Executes dropped EXE
    PID:4772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypcpewqazjjpjemw.exe
1⤵
PID:1460
- C:\Windows\ypcpewqazjjpjemw.exe
  ypcpewqazjjpjemw.exe
  2⤵
  - Executes dropped EXE
  PID:4480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztjzrmjwyloxusdqlld.exe .
1⤵
PID:3984
- C:\Windows\ztjzrmjwyloxusdqlld.exe
  ztjzrmjwyloxusdqlld.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4284
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ztjzrmjwyloxusdqlld.exe*."
    3⤵
    - Executes dropped EXE
    PID:808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe
1⤵
PID:1804
- C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe
  C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe
  2⤵
  - Executes dropped EXE
  PID:1580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe .
1⤵
PID:2236
- C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe
  C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1264
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ztjzrmjwyloxusdqlld.exe*."
    3⤵
    - Executes dropped EXE
    PID:1168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe
1⤵
PID:3800
- C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe
  C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe
  2⤵
  - Executes dropped EXE
  PID:3988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe .
1⤵
PID:1012
- C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe
  C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4348
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\bxphbyxmqfkvuuhwtvpld.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztjzrmjwyloxusdqlld.exe
1⤵
PID:3240
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5020
- C:\Windows\ztjzrmjwyloxusdqlld.exe
  ztjzrmjwyloxusdqlld.exe
  2⤵
  - Executes dropped EXE
  PID:5048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypcpewqazjjpjemw.exe
1⤵
PID:748
- C:\Windows\ypcpewqazjjpjemw.exe
  ypcpewqazjjpjemw.exe
  2⤵
  - Executes dropped EXE
  PID:3228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztjzrmjwyloxusdqlld.exe
1⤵
PID:3404
- C:\Windows\ztjzrmjwyloxusdqlld.exe
  ztjzrmjwyloxusdqlld.exe
  2⤵
  - Executes dropped EXE
  PID:2056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxphbyxmqfkvuuhwtvpld.exe .
1⤵
PID:5084
- C:\Windows\bxphbyxmqfkvuuhwtvpld.exe
  bxphbyxmqfkvuuhwtvpld.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4496
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\bxphbyxmqfkvuuhwtvpld.exe*."
    3⤵
    - Executes dropped EXE
    PID:972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhypiecqthlvtsesopid.exe .
1⤵
PID:3096
- C:\Windows\mhypiecqthlvtsesopid.exe
  mhypiecqthlvtsesopid.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2948
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\mhypiecqthlvtsesopid.exe*."
    3⤵
    - Executes dropped EXE
    PID:2904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxlzpidoozahcyhsl.exe .
1⤵
PID:4772
- C:\Windows\fxlzpidoozahcyhsl.exe
  fxlzpidoozahcyhsl.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4324
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\fxlzpidoozahcyhsl.exe*."
    3⤵
    - Executes dropped EXE
    PID:4648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztjzrmjwyloxusdqlld.exe
1⤵
PID:408
- C:\Windows\ztjzrmjwyloxusdqlld.exe
  ztjzrmjwyloxusdqlld.exe
  2⤵
  - Executes dropped EXE
  PID:3316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhypiecqthlvtsesopid.exe
1⤵
PID:1676
- C:\Windows\mhypiecqthlvtsesopid.exe
  mhypiecqthlvtsesopid.exe
  2⤵
  - Executes dropped EXE
  PID:4724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypcpewqazjjpjemw.exe
1⤵
PID:5000
- C:\Windows\ypcpewqazjjpjemw.exe
  ypcpewqazjjpjemw.exe
  2⤵
  - Executes dropped EXE
  PID:4432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypcpewqazjjpjemw.exe .
1⤵
PID:3884
- C:\Windows\ypcpewqazjjpjemw.exe
  ypcpewqazjjpjemw.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3032
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ypcpewqazjjpjemw.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxlzpidoozahcyhsl.exe .
1⤵
PID:1828
- C:\Windows\fxlzpidoozahcyhsl.exe
  fxlzpidoozahcyhsl.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1440
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\fxlzpidoozahcyhsl.exe*."
    3⤵
    PID:3096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
1⤵
PID:4948
- C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
  2⤵
  PID:3368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxlzpidoozahcyhsl.exe .
1⤵
PID:2980
- C:\Windows\fxlzpidoozahcyhsl.exe
  fxlzpidoozahcyhsl.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1668
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\fxlzpidoozahcyhsl.exe*."
    3⤵
    PID:5008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe
1⤵
PID:3788
- C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe
  C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe
  2⤵
  PID:1328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
1⤵
PID:3800
- C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
  2⤵
  PID:3000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe .
1⤵
PID:4356
- C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe .
  2⤵
  - Checks computer location settings
  PID:640
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ohwlcwsefrtbxueqkj.exe*."
    3⤵
    PID:3600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe .
1⤵
PID:2708
- C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe
  C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:624
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\bxphbyxmqfkvuuhwtvpld.exe*."
    3⤵
    PID:556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe .
1⤵
PID:2756
- C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe
  C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4648
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ztjzrmjwyloxusdqlld.exe*."
    3⤵
    PID:3520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe
1⤵
PID:1340
- C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe
  C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe
  2⤵
  PID:2776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
1⤵
PID:4244
- C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
  2⤵
  PID:4312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
1⤵
PID:2056
- C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
  2⤵
  PID:1328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe .
1⤵
PID:1240
- C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:532
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\fxlzpidoozahcyhsl.exe*."
    3⤵
    PID:2160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe .
1⤵
PID:3064
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4284
- C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3068
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ypcpewqazjjpjemw.exe*."
    3⤵
    PID:2792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe .
1⤵
PID:4408
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4496
- C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe
  C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5116
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\mhypiecqthlvtsesopid.exe*."
    3⤵
    PID:2776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohwlcwsefrtbxueqkj.exe
1⤵
PID:4872
- C:\Windows\ohwlcwsefrtbxueqkj.exe
  ohwlcwsefrtbxueqkj.exe
  2⤵
  PID:4484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypcpewqazjjpjemw.exe .
1⤵
PID:2392
- C:\Windows\ypcpewqazjjpjemw.exe
  ypcpewqazjjpjemw.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:888
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ypcpewqazjjpjemw.exe*."
    3⤵
    PID:3096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxlzpidoozahcyhsl.exe
1⤵
PID:404
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:640
- C:\Windows\fxlzpidoozahcyhsl.exe
  fxlzpidoozahcyhsl.exe
  2⤵
  PID:1120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypcpewqazjjpjemw.exe .
1⤵
PID:1168
- C:\Windows\ypcpewqazjjpjemw.exe
  ypcpewqazjjpjemw.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5016
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ypcpewqazjjpjemw.exe*."
    3⤵
    PID:2060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
1⤵
PID:1092
- C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
  2⤵
  PID:2440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe .
1⤵
PID:1608
- C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe
  C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4156
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ztjzrmjwyloxusdqlld.exe*."
    3⤵
    PID:2288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe
1⤵
PID:1012
- C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe
  C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe
  2⤵
  PID:4520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe .
1⤵
PID:1580
- C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe
  C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1600
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\bxphbyxmqfkvuuhwtvpld.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohwlcwsefrtbxueqkj.exe
1⤵
PID:1912
- C:\Windows\ohwlcwsefrtbxueqkj.exe
  ohwlcwsefrtbxueqkj.exe
  2⤵
  PID:3284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxlzpidoozahcyhsl.exe .
1⤵
PID:408
- C:\Windows\fxlzpidoozahcyhsl.exe
  fxlzpidoozahcyhsl.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1756
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\fxlzpidoozahcyhsl.exe*."
    3⤵
    PID:3952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhypiecqthlvtsesopid.exe
1⤵
PID:3432
- C:\Windows\mhypiecqthlvtsesopid.exe
  mhypiecqthlvtsesopid.exe
  2⤵
  PID:3904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxlzpidoozahcyhsl.exe .
1⤵
PID:2088
- C:\Windows\fxlzpidoozahcyhsl.exe
  fxlzpidoozahcyhsl.exe .
  2⤵
  - Checks computer location settings
  PID:3028
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\fxlzpidoozahcyhsl.exe*."
    3⤵
    PID:3884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe
1⤵
PID:5028
- C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe
  2⤵
  PID:888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe .
1⤵
PID:3692
- C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe
  C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:956
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\bxphbyxmqfkvuuhwtvpld.exe*."
    3⤵
    PID:3480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
1⤵
PID:556
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1328
- C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
  2⤵
  PID:1092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe .
1⤵
PID:3092
- C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe
  C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3596
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\bxphbyxmqfkvuuhwtvpld.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxphbyxmqfkvuuhwtvpld.exe
1⤵
PID:440
- C:\Windows\bxphbyxmqfkvuuhwtvpld.exe
  bxphbyxmqfkvuuhwtvpld.exe
  2⤵
  PID:3652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypcpewqazjjpjemw.exe .
1⤵
PID:632
- C:\Windows\ypcpewqazjjpjemw.exe
  ypcpewqazjjpjemw.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2056
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ypcpewqazjjpjemw.exe*."
    3⤵
    PID:3444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypcpewqazjjpjemw.exe
1⤵
PID:220
- C:\Windows\ypcpewqazjjpjemw.exe
  ypcpewqazjjpjemw.exe
  2⤵
  PID:3792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztjzrmjwyloxusdqlld.exe .
1⤵
PID:4808
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2260
- C:\Windows\ztjzrmjwyloxusdqlld.exe
  ztjzrmjwyloxusdqlld.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3316
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ztjzrmjwyloxusdqlld.exe*."
    3⤵
    PID:2160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe
1⤵
PID:1660
- C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe
  C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe
  2⤵
  PID:2776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe .
1⤵
PID:3424
- C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe
  C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4740
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\mhypiecqthlvtsesopid.exe*."
    3⤵
    PID:4852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe
1⤵
PID:4820
- C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe
  C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe
  2⤵
  PID:1616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe .
1⤵
PID:3472
- C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3764
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ohwlcwsefrtbxueqkj.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztjzrmjwyloxusdqlld.exe
1⤵
PID:3844
- C:\Windows\ztjzrmjwyloxusdqlld.exe
  ztjzrmjwyloxusdqlld.exe
  2⤵
  PID:4384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxphbyxmqfkvuuhwtvpld.exe .
1⤵
PID:5064
- C:\Windows\bxphbyxmqfkvuuhwtvpld.exe
  bxphbyxmqfkvuuhwtvpld.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3520
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\bxphbyxmqfkvuuhwtvpld.exe*."
    3⤵
    PID:1168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohwlcwsefrtbxueqkj.exe
1⤵
PID:556
- C:\Windows\ohwlcwsefrtbxueqkj.exe
  ohwlcwsefrtbxueqkj.exe
  2⤵
  PID:3944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhypiecqthlvtsesopid.exe .
1⤵
PID:2352
- C:\Windows\mhypiecqthlvtsesopid.exe
  mhypiecqthlvtsesopid.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1604
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\mhypiecqthlvtsesopid.exe*."
    3⤵
    PID:5044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
1⤵
PID:5020
- C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
  2⤵
  PID:4348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe .
1⤵
PID:3140
- C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3444
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\fxlzpidoozahcyhsl.exe*."
    3⤵
    PID:3300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe
1⤵
PID:4580
- C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe
  C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe
  2⤵
  PID:4496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe .
1⤵
PID:1152
- C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe
  C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe .
  2⤵
  PID:2036
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\bxphbyxmqfkvuuhwtvpld.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohwlcwsefrtbxueqkj.exe
1⤵
PID:4340
- C:\Windows\ohwlcwsefrtbxueqkj.exe
  ohwlcwsefrtbxueqkj.exe
  2⤵
  PID:3064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztjzrmjwyloxusdqlld.exe .
1⤵
PID:3424
- C:\Windows\ztjzrmjwyloxusdqlld.exe
  ztjzrmjwyloxusdqlld.exe .
  2⤵
  - Checks computer location settings
  PID:4648
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ztjzrmjwyloxusdqlld.exe*."
    3⤵
    PID:2996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztjzrmjwyloxusdqlld.exe
1⤵
PID:464
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3432
- C:\Windows\ztjzrmjwyloxusdqlld.exe
  ztjzrmjwyloxusdqlld.exe
  2⤵
  PID:4436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohwlcwsefrtbxueqkj.exe .
1⤵
PID:1088
- C:\Windows\ohwlcwsefrtbxueqkj.exe
  ohwlcwsefrtbxueqkj.exe .
  2⤵
  - Checks computer location settings
  PID:4948
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ohwlcwsefrtbxueqkj.exe*."
    3⤵
    PID:872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe
1⤵
PID:2088
- C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe
  C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe
  2⤵
  PID:3944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe .
1⤵
PID:808
- C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe
  C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2368
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\bxphbyxmqfkvuuhwtvpld.exe*."
    3⤵
    PID:2708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe
1⤵
PID:2536
- C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe
  C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe
  2⤵
  PID:628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe .
1⤵
PID:4216
- C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe .
  2⤵
  - Checks computer location settings
  PID:3228
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ohwlcwsefrtbxueqkj.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztjzrmjwyloxusdqlld.exe
1⤵
PID:3368
- C:\Windows\ztjzrmjwyloxusdqlld.exe
  ztjzrmjwyloxusdqlld.exe
  2⤵
  PID:1272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypcpewqazjjpjemw.exe
1⤵
PID:1652
- C:\Windows\ypcpewqazjjpjemw.exe
  ypcpewqazjjpjemw.exe
  2⤵
  PID:4788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztjzrmjwyloxusdqlld.exe .
1⤵
PID:2352
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5116
- C:\Windows\ztjzrmjwyloxusdqlld.exe
  ztjzrmjwyloxusdqlld.exe .
  2⤵
  - Checks computer location settings
  PID:3852
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ztjzrmjwyloxusdqlld.exe*."
    3⤵
    PID:1240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohwlcwsefrtbxueqkj.exe
1⤵
PID:3912
- C:\Windows\ohwlcwsefrtbxueqkj.exe
  ohwlcwsefrtbxueqkj.exe
  2⤵
  PID:1388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhypiecqthlvtsesopid.exe .
1⤵
PID:2792
- C:\Windows\mhypiecqthlvtsesopid.exe
  mhypiecqthlvtsesopid.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:944
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\mhypiecqthlvtsesopid.exe*."
    3⤵
    PID:3404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztjzrmjwyloxusdqlld.exe
1⤵
PID:632
- C:\Windows\ztjzrmjwyloxusdqlld.exe
  ztjzrmjwyloxusdqlld.exe
  2⤵
  PID:4820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztjzrmjwyloxusdqlld.exe .
1⤵
PID:4260
- C:\Windows\ztjzrmjwyloxusdqlld.exe
  ztjzrmjwyloxusdqlld.exe .
  2⤵
  - Checks computer location settings
  PID:4420
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ztjzrmjwyloxusdqlld.exe*."
    3⤵
    PID:3892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhypiecqthlvtsesopid.exe .
1⤵
PID:3068
- C:\Windows\mhypiecqthlvtsesopid.exe
  mhypiecqthlvtsesopid.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2332
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\mhypiecqthlvtsesopid.exe*."
    3⤵
    PID:3140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypcpewqazjjpjemw.exe
1⤵
PID:3460
- C:\Windows\ypcpewqazjjpjemw.exe
  ypcpewqazjjpjemw.exe
  2⤵
  PID:4840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
1⤵
PID:5108
- C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
  2⤵
  PID:3980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe .
1⤵
PID:4352
- C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2616
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\fxlzpidoozahcyhsl.exe*."
    3⤵
    PID:2372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhypiecqthlvtsesopid.exe
1⤵
PID:3056
- C:\Windows\mhypiecqthlvtsesopid.exe
  mhypiecqthlvtsesopid.exe
  2⤵
  PID:1520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztjzrmjwyloxusdqlld.exe .
1⤵
PID:3944
- C:\Windows\ztjzrmjwyloxusdqlld.exe
  ztjzrmjwyloxusdqlld.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1844
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ztjzrmjwyloxusdqlld.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhypiecqthlvtsesopid.exe .
1⤵
PID:5052
- C:\Windows\mhypiecqthlvtsesopid.exe
  mhypiecqthlvtsesopid.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4808
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\mhypiecqthlvtsesopid.exe*."
    3⤵
    PID:2768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
1⤵
PID:748
- C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
  2⤵
  PID:3100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe .
1⤵
PID:2404
- C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1976
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ypcpewqazjjpjemw.exe*."
    3⤵
    PID:556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe
1⤵
PID:1168
- C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe
  C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe
  2⤵
  PID:1968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe
1⤵
PID:1632
- C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe
  2⤵
  PID:1240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe .
1⤵
PID:2112
- C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe
  C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2352
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\mhypiecqthlvtsesopid.exe*."
    3⤵
    PID:4992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe .
1⤵
PID:1656
- C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5028
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ohwlcwsefrtbxueqkj.exe*."
    3⤵
    PID:5032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
1⤵
PID:4344
- C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
  2⤵
  PID:3752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe
1⤵
PID:4496
- C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe
  2⤵
  PID:2324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe .
1⤵
PID:3964
- C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe
  C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4736
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ztjzrmjwyloxusdqlld.exe*."
    3⤵
    PID:4520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe .
1⤵
PID:4744
- C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe
  C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe .
  2⤵
  - Checks computer location settings
  PID:4952
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\bxphbyxmqfkvuuhwtvpld.exe*."
    3⤵
    PID:432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohwlcwsefrtbxueqkj.exe
1⤵
PID:1520
- C:\Windows\ohwlcwsefrtbxueqkj.exe
  ohwlcwsefrtbxueqkj.exe
  2⤵
  PID:3484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhypiecqthlvtsesopid.exe .
1⤵
PID:4504
- C:\Windows\mhypiecqthlvtsesopid.exe
  mhypiecqthlvtsesopid.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5092
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\mhypiecqthlvtsesopid.exe*."
    3⤵
    PID:3752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztjzrmjwyloxusdqlld.exe
1⤵
PID:4320
- C:\Windows\ztjzrmjwyloxusdqlld.exe
  ztjzrmjwyloxusdqlld.exe
  2⤵
  PID:3320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhypiecqthlvtsesopid.exe .
1⤵
PID:628
- C:\Windows\mhypiecqthlvtsesopid.exe
  mhypiecqthlvtsesopid.exe .
  2⤵
  - Checks computer location settings
  PID:3444
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\mhypiecqthlvtsesopid.exe*."
    3⤵
    PID:2056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe
1⤵
PID:732
- C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe
  2⤵
  PID:4420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe .
1⤵
PID:4992
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3096
- C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe
  C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2536
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ztjzrmjwyloxusdqlld.exe*."
    3⤵
    PID:4600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
1⤵
PID:2700
- C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
  2⤵
  PID:4344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe .
1⤵
PID:4524
- C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe
  C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3852
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\bxphbyxmqfkvuuhwtvpld.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxphbyxmqfkvuuhwtvpld.exe
1⤵
PID:3800
- C:\Windows\bxphbyxmqfkvuuhwtvpld.exe
  bxphbyxmqfkvuuhwtvpld.exe
  2⤵
  PID:848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxlzpidoozahcyhsl.exe .
1⤵
PID:3844
- C:\Windows\fxlzpidoozahcyhsl.exe
  fxlzpidoozahcyhsl.exe .
  2⤵
  - Checks computer location settings
  PID:3964
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\fxlzpidoozahcyhsl.exe*."
    3⤵
    PID:2764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztjzrmjwyloxusdqlld.exe
1⤵
PID:3284
- C:\Windows\ztjzrmjwyloxusdqlld.exe
  ztjzrmjwyloxusdqlld.exe
  2⤵
  PID:4580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypcpewqazjjpjemw.exe .
1⤵
PID:3380
- C:\Windows\ypcpewqazjjpjemw.exe
  ypcpewqazjjpjemw.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4340
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ypcpewqazjjpjemw.exe*."
    3⤵
    PID:3788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe
1⤵
PID:2732
- C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe
  2⤵
  PID:2684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe .
1⤵
PID:4408
- C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2436
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ohwlcwsefrtbxueqkj.exe*."
    3⤵
    PID:1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
1⤵
PID:1976
- C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
  2⤵
  PID:4420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe .
1⤵
PID:3056
- C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3584
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ypcpewqazjjpjemw.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhypiecqthlvtsesopid.exe
1⤵
PID:2388
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1168
- C:\Windows\mhypiecqthlvtsesopid.exe
  mhypiecqthlvtsesopid.exe
  2⤵
  PID:112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohwlcwsefrtbxueqkj.exe .
1⤵
PID:944
- C:\Windows\ohwlcwsefrtbxueqkj.exe
  ohwlcwsefrtbxueqkj.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2704
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ohwlcwsefrtbxueqkj.exe*."
    3⤵
    PID:3984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxlzpidoozahcyhsl.exe
1⤵
PID:5044
- C:\Windows\fxlzpidoozahcyhsl.exe
  fxlzpidoozahcyhsl.exe
  2⤵
  PID:3532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxphbyxmqfkvuuhwtvpld.exe .
1⤵
PID:2476
- C:\Windows\bxphbyxmqfkvuuhwtvpld.exe
  bxphbyxmqfkvuuhwtvpld.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2712
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\bxphbyxmqfkvuuhwtvpld.exe*."
    3⤵
    PID:4816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
1⤵
PID:1756
- C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
  2⤵
  PID:2148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe .
1⤵
PID:3104
- C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3472
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ypcpewqazjjpjemw.exe*."
    3⤵
    PID:3192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
1⤵
PID:2732
- C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
  2⤵
  PID:4244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe .
1⤵
PID:1912
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4324
- C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4320
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ohwlcwsefrtbxueqkj.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhypiecqthlvtsesopid.exe
1⤵
PID:2948
- C:\Windows\mhypiecqthlvtsesopid.exe
  mhypiecqthlvtsesopid.exe
  2⤵
  PID:2352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxphbyxmqfkvuuhwtvpld.exe .
1⤵
PID:2332
- C:\Windows\bxphbyxmqfkvuuhwtvpld.exe
  bxphbyxmqfkvuuhwtvpld.exe .
  2⤵
  - Checks computer location settings
  PID:4868
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\bxphbyxmqfkvuuhwtvpld.exe*."
    3⤵
    PID:4348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxlzpidoozahcyhsl.exe
1⤵
PID:4808
- C:\Windows\fxlzpidoozahcyhsl.exe
  fxlzpidoozahcyhsl.exe
  2⤵
  PID:3988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztjzrmjwyloxusdqlld.exe .
1⤵
PID:1576
- C:\Windows\ztjzrmjwyloxusdqlld.exe
  ztjzrmjwyloxusdqlld.exe .
  2⤵
  - Checks computer location settings
  PID:1440
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ztjzrmjwyloxusdqlld.exe*."
    3⤵
    PID:4512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe
1⤵
PID:956
- C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe
  C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe
  2⤵
  PID:3432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe .
1⤵
PID:1264
- C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe
  C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5044
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\bxphbyxmqfkvuuhwtvpld.exe*."
    3⤵
    PID:2704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe
1⤵
PID:2404
- C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe
  C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe
  2⤵
  PID:4412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe .
1⤵
PID:4744
- C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe
  C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe .
  2⤵
  PID:1388
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ztjzrmjwyloxusdqlld.exe*."
    3⤵
    PID:3300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhypiecqthlvtsesopid.exe
1⤵
PID:3104
- C:\Windows\mhypiecqthlvtsesopid.exe
  mhypiecqthlvtsesopid.exe
  2⤵
  PID:3028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztjzrmjwyloxusdqlld.exe .
1⤵
PID:532
- C:\Windows\ztjzrmjwyloxusdqlld.exe
  ztjzrmjwyloxusdqlld.exe .
  2⤵
  PID:3012
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ztjzrmjwyloxusdqlld.exe*."
    3⤵
    PID:4432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypcpewqazjjpjemw.exe
1⤵
PID:2392
- C:\Windows\ypcpewqazjjpjemw.exe
  ypcpewqazjjpjemw.exe
  2⤵
  PID:5048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypcpewqazjjpjemw.exe .
1⤵
PID:844
- C:\Windows\ypcpewqazjjpjemw.exe
  ypcpewqazjjpjemw.exe .
  2⤵
  PID:768
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ypcpewqazjjpjemw.exe*."
    3⤵
    PID:4504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
1⤵
PID:4984
- C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
  2⤵
  PID:2372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe .
1⤵
PID:1668
- C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe .
  2⤵
  PID:3764
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ypcpewqazjjpjemw.exe*."
    3⤵
    PID:4808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe
1⤵
PID:3432
- C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe
  C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe
  2⤵
  PID:2384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe .
1⤵
PID:3668
- C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe .
  2⤵
  PID:1652
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ypcpewqazjjpjemw.exe*."
    3⤵
    PID:4280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypcpewqazjjpjemw.exe
1⤵
PID:3600
- C:\Windows\ypcpewqazjjpjemw.exe
  ypcpewqazjjpjemw.exe
  2⤵
  PID:2316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxlzpidoozahcyhsl.exe .
1⤵
PID:748
- C:\Windows\fxlzpidoozahcyhsl.exe
  fxlzpidoozahcyhsl.exe .
  2⤵
  PID:3212
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\fxlzpidoozahcyhsl.exe*."
    3⤵
    PID:4320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxlzpidoozahcyhsl.exe
1⤵
PID:5080
- C:\Windows\fxlzpidoozahcyhsl.exe
  fxlzpidoozahcyhsl.exe
  2⤵
  PID:4788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxlzpidoozahcyhsl.exe .
1⤵
PID:1112
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3368
- C:\Windows\fxlzpidoozahcyhsl.exe
  fxlzpidoozahcyhsl.exe .
  2⤵
  PID:3952
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\fxlzpidoozahcyhsl.exe*."
    3⤵
    PID:2904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe
1⤵
PID:1076
- C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe
  C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe
  2⤵
  PID:1176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe .
1⤵
PID:3696
- C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe
  C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe .
  2⤵
  PID:2260
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\mhypiecqthlvtsesopid.exe*."
    3⤵
    PID:2756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe
1⤵
PID:3764
- C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe
  C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe
  2⤵
  PID:3700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe .
1⤵
PID:1460
- C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe .
  2⤵
  PID:956
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ypcpewqazjjpjemw.exe*."
    3⤵
    PID:4544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypcpewqazjjpjemw.exe
1⤵
PID:2984
- C:\Windows\ypcpewqazjjpjemw.exe
  ypcpewqazjjpjemw.exe
  2⤵
  PID:1788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhypiecqthlvtsesopid.exe
1⤵
PID:3668
- C:\Windows\mhypiecqthlvtsesopid.exe
  mhypiecqthlvtsesopid.exe
  2⤵
  PID:1512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhypiecqthlvtsesopid.exe .
1⤵
PID:4028
- C:\Windows\mhypiecqthlvtsesopid.exe
  mhypiecqthlvtsesopid.exe .
  2⤵
  PID:944
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\mhypiecqthlvtsesopid.exe*."
    3⤵
    PID:1216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztjzrmjwyloxusdqlld.exe .
1⤵
PID:4780
- C:\Windows\ztjzrmjwyloxusdqlld.exe
  ztjzrmjwyloxusdqlld.exe .
  2⤵
  PID:1240
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ztjzrmjwyloxusdqlld.exe*."
    3⤵
    PID:2088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxphbyxmqfkvuuhwtvpld.exe
1⤵
PID:2712
- C:\Windows\bxphbyxmqfkvuuhwtvpld.exe
  bxphbyxmqfkvuuhwtvpld.exe
  2⤵
  PID:5008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztjzrmjwyloxusdqlld.exe
1⤵
PID:552
- C:\Windows\ztjzrmjwyloxusdqlld.exe
  ztjzrmjwyloxusdqlld.exe
  2⤵
  PID:4384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxphbyxmqfkvuuhwtvpld.exe .
1⤵
PID:4472
- C:\Windows\bxphbyxmqfkvuuhwtvpld.exe
  bxphbyxmqfkvuuhwtvpld.exe .
  2⤵
  PID:4584
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\bxphbyxmqfkvuuhwtvpld.exe*."
    3⤵
    PID:1848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxlzpidoozahcyhsl.exe
1⤵
PID:4736
- C:\Windows\fxlzpidoozahcyhsl.exe
  fxlzpidoozahcyhsl.exe
  2⤵
  PID:2616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohwlcwsefrtbxueqkj.exe .
1⤵
PID:1076
- C:\Windows\ohwlcwsefrtbxueqkj.exe
  ohwlcwsefrtbxueqkj.exe .
  2⤵
  PID:2200
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ohwlcwsefrtbxueqkj.exe*."
    3⤵
    PID:5080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe
1⤵
PID:3980
- C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe
  C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe
  2⤵
  PID:3484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxlzpidoozahcyhsl.exe .
1⤵
PID:2368
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:888
- C:\Windows\fxlzpidoozahcyhsl.exe
  fxlzpidoozahcyhsl.exe .
  2⤵
  PID:4524
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\fxlzpidoozahcyhsl.exe*."
    3⤵
    PID:3668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
1⤵
PID:632
- C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
  2⤵
  PID:4892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe .
1⤵
PID:5016
- C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe .
  2⤵
  PID:2696
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\fxlzpidoozahcyhsl.exe*."
    3⤵
    PID:224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe .
1⤵
PID:5020
- C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe .
  2⤵
  PID:4932
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ohwlcwsefrtbxueqkj.exe*."
    3⤵
    PID:5080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztjzrmjwyloxusdqlld.exe
1⤵
PID:2332
- C:\Windows\ztjzrmjwyloxusdqlld.exe
  ztjzrmjwyloxusdqlld.exe
  2⤵
  PID:4384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztjzrmjwyloxusdqlld.exe .
1⤵
PID:4832
- C:\Windows\ztjzrmjwyloxusdqlld.exe
  ztjzrmjwyloxusdqlld.exe .
  2⤵
  PID:3904
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ztjzrmjwyloxusdqlld.exe*."
    3⤵
    PID:1600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe
1⤵
PID:644
- C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe
  2⤵
  PID:3988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe
1⤵
PID:1440
- C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe
  C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe
  2⤵
  PID:2996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe
1⤵
PID:3460
- C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe
  2⤵
  PID:3700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe .
1⤵
PID:3344
- C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe
  C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe .
  2⤵
  PID:3432
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\bxphbyxmqfkvuuhwtvpld.exe*."
    3⤵
    PID:5048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe .
1⤵
PID:4312
- C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe
  C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe .
  2⤵
  PID:5064
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\mhypiecqthlvtsesopid.exe*."
    3⤵
    PID:4472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe .
1⤵
PID:2052
- C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe
  C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe .
  2⤵
  PID:1404
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ztjzrmjwyloxusdqlld.exe*."
    3⤵
    PID:4008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
1⤵
PID:3028
- C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
  2⤵
  PID:4808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe .
1⤵
PID:4580
- C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe .
  2⤵
  PID:2392
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ohwlcwsefrtbxueqkj.exe*."
    3⤵
    PID:5100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxlzpidoozahcyhsl.exe
1⤵
PID:4156
- C:\Windows\fxlzpidoozahcyhsl.exe
  fxlzpidoozahcyhsl.exe
  2⤵
  PID:4868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztjzrmjwyloxusdqlld.exe .
1⤵
PID:3444
- C:\Windows\ztjzrmjwyloxusdqlld.exe
  ztjzrmjwyloxusdqlld.exe .
  2⤵
  PID:4664
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ztjzrmjwyloxusdqlld.exe*."
    3⤵
    PID:4112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztjzrmjwyloxusdqlld.exe
1⤵
PID:2696
- C:\Windows\ztjzrmjwyloxusdqlld.exe
  ztjzrmjwyloxusdqlld.exe
  2⤵
  PID:4356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhypiecqthlvtsesopid.exe .
1⤵
PID:4320
- C:\Windows\mhypiecqthlvtsesopid.exe
  mhypiecqthlvtsesopid.exe .
  2⤵
  PID:1844
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\mhypiecqthlvtsesopid.exe*."
    3⤵
    PID:4820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe
1⤵
PID:4216
- C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe
  C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe
  2⤵
  PID:3440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe .
1⤵
PID:1152
- C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe
  C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe .
  2⤵
  PID:3760
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ztjzrmjwyloxusdqlld.exe*."
    3⤵
    PID:1972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe
1⤵
PID:5088
- C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe
  2⤵
  PID:4360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe .
1⤵
PID:552
- C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe
  C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe .
  2⤵
  PID:3320
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\mhypiecqthlvtsesopid.exe*."
    3⤵
    PID:3140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxlzpidoozahcyhsl.exe
1⤵
PID:4536
- C:\Windows\fxlzpidoozahcyhsl.exe
  fxlzpidoozahcyhsl.exe
  2⤵
  PID:2368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypcpewqazjjpjemw.exe .
1⤵
PID:2392
- C:\Windows\ypcpewqazjjpjemw.exe
  ypcpewqazjjpjemw.exe .
  2⤵
  PID:4064
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ypcpewqazjjpjemw.exe*."
    3⤵
    PID:2440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxphbyxmqfkvuuhwtvpld.exe
1⤵
PID:1148
- C:\Windows\bxphbyxmqfkvuuhwtvpld.exe
  bxphbyxmqfkvuuhwtvpld.exe
  2⤵
  PID:1668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypcpewqazjjpjemw.exe .
1⤵
PID:3380
- C:\Windows\ypcpewqazjjpjemw.exe
  ypcpewqazjjpjemw.exe .
  2⤵
  PID:1080
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ypcpewqazjjpjemw.exe*."
    3⤵
    PID:3068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe
1⤵
PID:532
- C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe
  C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe
  2⤵
  PID:2220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe .
1⤵
PID:2684
- C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe
  C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe .
  2⤵
  PID:748
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\bxphbyxmqfkvuuhwtvpld.exe*."
    3⤵
    PID:4356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
1⤵
PID:2092
- C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
  2⤵
  PID:2352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe .
1⤵
PID:3440
- C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe
  C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe .
  2⤵
  PID:1776
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\mhypiecqthlvtsesopid.exe*."
    3⤵
    PID:872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohwlcwsefrtbxueqkj.exe
1⤵
PID:3760
- C:\Windows\ohwlcwsefrtbxueqkj.exe
  ohwlcwsefrtbxueqkj.exe
  2⤵
  PID:1152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztjzrmjwyloxusdqlld.exe .
1⤵
PID:1460
- C:\Windows\ztjzrmjwyloxusdqlld.exe
  ztjzrmjwyloxusdqlld.exe .
  2⤵
  PID:4980
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ztjzrmjwyloxusdqlld.exe*."
    3⤵
    PID:3800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhypiecqthlvtsesopid.exe
1⤵
PID:5048
- C:\Windows\mhypiecqthlvtsesopid.exe
  mhypiecqthlvtsesopid.exe
  2⤵
  PID:552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypcpewqazjjpjemw.exe .
1⤵
PID:1448
- C:\Windows\ypcpewqazjjpjemw.exe
  ypcpewqazjjpjemw.exe .
  2⤵
  PID:4716
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ypcpewqazjjpjemw.exe*."
    3⤵
    PID:2716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
1⤵
PID:2288
- C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
  2⤵
  PID:4692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe .
1⤵
PID:2064
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3520
- C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe .
  2⤵
  PID:2996
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ohwlcwsefrtbxueqkj.exe*."
    3⤵
    PID:1668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe
1⤵
PID:1148
- C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe
  2⤵
  PID:220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe .
1⤵
PID:2220
- C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe .
  2⤵
  PID:1356
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\fxlzpidoozahcyhsl.exe*."
    3⤵
    PID:2708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypcpewqazjjpjemw.exe
1⤵
PID:4524
- C:\Windows\ypcpewqazjjpjemw.exe
  ypcpewqazjjpjemw.exe
  2⤵
  PID:3300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxphbyxmqfkvuuhwtvpld.exe .
1⤵
PID:1844
- C:\Windows\bxphbyxmqfkvuuhwtvpld.exe
  bxphbyxmqfkvuuhwtvpld.exe .
  2⤵
  PID:3440
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\bxphbyxmqfkvuuhwtvpld.exe*."
    3⤵
    PID:1152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohwlcwsefrtbxueqkj.exe
1⤵
PID:3612
- C:\Windows\ohwlcwsefrtbxueqkj.exe
  ohwlcwsefrtbxueqkj.exe
  2⤵
  PID:1632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxphbyxmqfkvuuhwtvpld.exe .
1⤵
PID:2784
- C:\Windows\bxphbyxmqfkvuuhwtvpld.exe
  bxphbyxmqfkvuuhwtvpld.exe .
  2⤵
  PID:2908
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\bxphbyxmqfkvuuhwtvpld.exe*."
    3⤵
    PID:4864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
1⤵
PID:1088
- C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
  2⤵
  PID:3468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe .
1⤵
PID:4360
- C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe .
  2⤵
  PID:4692
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\fxlzpidoozahcyhsl.exe*."
    3⤵
    PID:816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe
1⤵
PID:4432
- C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe
  C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe
  2⤵
  PID:3912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe .
1⤵
PID:5064
- C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe
  C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe .
  2⤵
  PID:5044
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ztjzrmjwyloxusdqlld.exe*."
    3⤵
    PID:1672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxphbyxmqfkvuuhwtvpld.exe
1⤵
PID:112
- C:\Windows\bxphbyxmqfkvuuhwtvpld.exe
  bxphbyxmqfkvuuhwtvpld.exe
  2⤵
  PID:4688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohwlcwsefrtbxueqkj.exe .
1⤵
PID:3248
- C:\Windows\ohwlcwsefrtbxueqkj.exe
  ohwlcwsefrtbxueqkj.exe .
  2⤵
  PID:3904
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ohwlcwsefrtbxueqkj.exe*."
    3⤵
    PID:4736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypcpewqazjjpjemw.exe
1⤵
PID:2236
- C:\Windows\ypcpewqazjjpjemw.exe
  ypcpewqazjjpjemw.exe
  2⤵
  PID:644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztjzrmjwyloxusdqlld.exe .
1⤵
PID:376
- C:\Windows\ztjzrmjwyloxusdqlld.exe
  ztjzrmjwyloxusdqlld.exe .
  2⤵
  PID:2984
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ztjzrmjwyloxusdqlld.exe*."
    3⤵
    PID:2704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe
1⤵
PID:956
- C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe
  2⤵
  PID:3104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe .
1⤵
PID:4544
- C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe .
  2⤵
  PID:1576
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ypcpewqazjjpjemw.exe*."
    3⤵
    PID:1776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe
1⤵
PID:1264
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3752
- C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe
  C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe
  2⤵
  PID:3612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe .
1⤵
PID:556
- C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe
  C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe .
  2⤵
  PID:4184
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\bxphbyxmqfkvuuhwtvpld.exe*."
    3⤵
    PID:1040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohwlcwsefrtbxueqkj.exe
1⤵
PID:4244
- C:\Windows\ohwlcwsefrtbxueqkj.exe
  ohwlcwsefrtbxueqkj.exe
  2⤵
  PID:4492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypcpewqazjjpjemw.exe .
1⤵
PID:632
- C:\Windows\ypcpewqazjjpjemw.exe
  ypcpewqazjjpjemw.exe .
  2⤵
  PID:396
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ypcpewqazjjpjemw.exe*."
    3⤵
    PID:5044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypcpewqazjjpjemw.exe
1⤵
PID:844
- C:\Windows\ypcpewqazjjpjemw.exe
  ypcpewqazjjpjemw.exe
  2⤵
  PID:1652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypcpewqazjjpjemw.exe .
1⤵
PID:2996
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5008
- C:\Windows\ypcpewqazjjpjemw.exe
  ypcpewqazjjpjemw.exe .
  2⤵
  PID:4988
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ypcpewqazjjpjemw.exe*."
    3⤵
    PID:5032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe
1⤵
PID:4412
- C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe
  C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe
  2⤵
  PID:3240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe .
1⤵
PID:4744
- C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe .
  2⤵
  PID:1148
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ypcpewqazjjpjemw.exe*."
    3⤵
    PID:3300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypcpewqazjjpjemw.exe
1⤵
PID:3380
- C:\Windows\ypcpewqazjjpjemw.exe
  ypcpewqazjjpjemw.exe
  2⤵
  PID:3480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxlzpidoozahcyhsl.exe
1⤵
PID:2688
- C:\Windows\fxlzpidoozahcyhsl.exe
  fxlzpidoozahcyhsl.exe
  2⤵
  PID:2984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztjzrmjwyloxusdqlld.exe .
1⤵
PID:2904
- C:\Windows\ztjzrmjwyloxusdqlld.exe
  ztjzrmjwyloxusdqlld.exe .
  2⤵
  PID:4016
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ztjzrmjwyloxusdqlld.exe*."
    3⤵
    PID:1340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe
1⤵
PID:5068
- C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe
  C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe
  2⤵
  PID:1152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxphbyxmqfkvuuhwtvpld.exe .
1⤵
PID:1848
- C:\Windows\bxphbyxmqfkvuuhwtvpld.exe
  bxphbyxmqfkvuuhwtvpld.exe .
  2⤵
  PID:3984
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\bxphbyxmqfkvuuhwtvpld.exe*."
    3⤵
    PID:4864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe .
1⤵
PID:2640
- C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe .
  2⤵
  PID:3696
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ypcpewqazjjpjemw.exe*."
    3⤵
    PID:748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxlzpidoozahcyhsl.exe
1⤵
PID:4808
- C:\Windows\fxlzpidoozahcyhsl.exe
  fxlzpidoozahcyhsl.exe
  2⤵
  PID:4244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhypiecqthlvtsesopid.exe
1⤵
PID:4504
- C:\Windows\mhypiecqthlvtsesopid.exe
  mhypiecqthlvtsesopid.exe
  2⤵
  PID:4824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohwlcwsefrtbxueqkj.exe .
1⤵
PID:3964
- C:\Windows\ohwlcwsefrtbxueqkj.exe
  ohwlcwsefrtbxueqkj.exe .
  2⤵
  PID:1112
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ohwlcwsefrtbxueqkj.exe*."
    3⤵
    PID:4016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhypiecqthlvtsesopid.exe .
1⤵
PID:4496
- C:\Windows\mhypiecqthlvtsesopid.exe
  mhypiecqthlvtsesopid.exe .
  2⤵
  PID:4432
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\mhypiecqthlvtsesopid.exe*."
    3⤵
    PID:3248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe
1⤵
PID:1000
- C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe
  C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe
  2⤵
  PID:4988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe
1⤵
PID:4580
- C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe
  C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe
  2⤵
  PID:3052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe .
1⤵
PID:2064
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1328
- C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe
  C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe .
  2⤵
  PID:1504
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ztjzrmjwyloxusdqlld.exe*."
    3⤵
    PID:3912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe .
1⤵
PID:2160
- C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe
  C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe .
  2⤵
  PID:4852
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ztjzrmjwyloxusdqlld.exe*."
    3⤵
    PID:4820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
1⤵
PID:5100
- C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
  2⤵
  PID:3952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
1⤵
PID:3628
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1600
- C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
  2⤵
  PID:4544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe .
1⤵
PID:4516
- C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe
  C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe .
  2⤵
  PID:5016
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ztjzrmjwyloxusdqlld.exe*."
    3⤵
    PID:4524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe .
1⤵
PID:4992
- C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe
  C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe .
  2⤵
  PID:1120
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ztjzrmjwyloxusdqlld.exe*."
    3⤵
    PID:3476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhypiecqthlvtsesopid.exe
1⤵
PID:1100
- C:\Windows\mhypiecqthlvtsesopid.exe
  mhypiecqthlvtsesopid.exe
  2⤵
  PID:4448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxphbyxmqfkvuuhwtvpld.exe .
1⤵
PID:1972
- C:\Windows\bxphbyxmqfkvuuhwtvpld.exe
  bxphbyxmqfkvuuhwtvpld.exe .
  2⤵
  PID:2260
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\bxphbyxmqfkvuuhwtvpld.exe*."
    3⤵
    PID:2072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxlzpidoozahcyhsl.exe
1⤵
PID:4384
- C:\Windows\fxlzpidoozahcyhsl.exe
  fxlzpidoozahcyhsl.exe
  2⤵
  PID:3212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhypiecqthlvtsesopid.exe .
1⤵
PID:1012
- C:\Windows\mhypiecqthlvtsesopid.exe
  mhypiecqthlvtsesopid.exe .
  2⤵
  PID:4432
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\mhypiecqthlvtsesopid.exe*."
    3⤵
    PID:4980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
1⤵
PID:3240
- C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
  2⤵
  PID:3084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe .
1⤵
PID:1088
- C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe .
  2⤵
  PID:4924
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ohwlcwsefrtbxueqkj.exe*."
    3⤵
    PID:2476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
1⤵
PID:4508
- C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
  2⤵
  PID:2980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe .
1⤵
PID:3100
- C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe
  C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe .
  2⤵
  PID:2088
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\bxphbyxmqfkvuuhwtvpld.exe*."
    3⤵
    PID:3056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztjzrmjwyloxusdqlld.exe
1⤵
PID:3980
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2160
- C:\Windows\ztjzrmjwyloxusdqlld.exe
  ztjzrmjwyloxusdqlld.exe
  2⤵
  PID:2036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohwlcwsefrtbxueqkj.exe .
1⤵
PID:2388
- C:\Windows\ohwlcwsefrtbxueqkj.exe
  ohwlcwsefrtbxueqkj.exe .
  2⤵
  PID:2996
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ohwlcwsefrtbxueqkj.exe*."
    3⤵
    PID:1756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhypiecqthlvtsesopid.exe
1⤵
PID:1668
- C:\Windows\mhypiecqthlvtsesopid.exe
  mhypiecqthlvtsesopid.exe
  2⤵
  PID:4984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxlzpidoozahcyhsl.exe .
1⤵
PID:2148
- C:\Windows\fxlzpidoozahcyhsl.exe
  fxlzpidoozahcyhsl.exe .
  2⤵
  PID:224
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\fxlzpidoozahcyhsl.exe*."
    3⤵
    PID:2260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
1⤵
PID:1176
- C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
  2⤵
  PID:3988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe .
1⤵
PID:3212
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:532
- C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe
  C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe .
  2⤵
  PID:4028
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\mhypiecqthlvtsesopid.exe*."
    3⤵
    PID:1220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
1⤵
PID:1660
- C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
  2⤵
  PID:3672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe .
1⤵
PID:3708
- C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe
  C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe .
  2⤵
  PID:2756
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\bxphbyxmqfkvuuhwtvpld.exe*."
    3⤵
    PID:4580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhypiecqthlvtsesopid.exe
1⤵
PID:4280
- C:\Windows\mhypiecqthlvtsesopid.exe
  mhypiecqthlvtsesopid.exe
  2⤵
  PID:640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxlzpidoozahcyhsl.exe .
1⤵
PID:3944
- C:\Windows\fxlzpidoozahcyhsl.exe
  fxlzpidoozahcyhsl.exe .
  2⤵
  PID:432
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\fxlzpidoozahcyhsl.exe*."
    3⤵
    PID:1040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypcpewqazjjpjemw.exe
1⤵
PID:5084
- C:\Windows\ypcpewqazjjpjemw.exe
  ypcpewqazjjpjemw.exe
  2⤵
  PID:3428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypcpewqazjjpjemw.exe .
1⤵
PID:3068
- C:\Windows\ypcpewqazjjpjemw.exe
  ypcpewqazjjpjemw.exe .
  2⤵
  PID:400
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ypcpewqazjjpjemw.exe*."
    3⤵
    PID:2316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe
1⤵
PID:464
- C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe
  C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe
  2⤵
  PID:440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe .
1⤵
PID:1504
- C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe .
  2⤵
  PID:1756
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ypcpewqazjjpjemw.exe*."
    3⤵
    PID:3628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
1⤵
PID:2220
- C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
  2⤵
  PID:1844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe .
1⤵
PID:3424
- C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe .
  2⤵
  PID:4516
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\fxlzpidoozahcyhsl.exe*."
    3⤵
    PID:2260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypcpewqazjjpjemw.exe
1⤵
PID:764
- C:\Windows\ypcpewqazjjpjemw.exe
  ypcpewqazjjpjemw.exe
  2⤵
  PID:3484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxphbyxmqfkvuuhwtvpld.exe .
1⤵
PID:4604
- C:\Windows\bxphbyxmqfkvuuhwtvpld.exe
  bxphbyxmqfkvuuhwtvpld.exe .
  2⤵
  PID:3380
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\bxphbyxmqfkvuuhwtvpld.exe*."
    3⤵
    PID:2756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhypiecqthlvtsesopid.exe
1⤵
PID:2380
- C:\Windows\mhypiecqthlvtsesopid.exe
  mhypiecqthlvtsesopid.exe
  2⤵
  PID:1356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztjzrmjwyloxusdqlld.exe .
1⤵
PID:4432
- C:\Windows\ztjzrmjwyloxusdqlld.exe
  ztjzrmjwyloxusdqlld.exe .
  2⤵
  PID:2712
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ztjzrmjwyloxusdqlld.exe*."
    3⤵
    PID:4356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
1⤵
PID:404
- C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
  2⤵
  PID:1404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe .
1⤵
PID:2328
- C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe .
  2⤵
  PID:376
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ypcpewqazjjpjemw.exe*."
    3⤵
    PID:3236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
1⤵
PID:3140
- C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
  2⤵
  PID:1632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe .
1⤵
PID:2288
- C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe
  C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe .
  2⤵
  PID:3764
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\bxphbyxmqfkvuuhwtvpld.exe*."
    3⤵
    PID:3468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypcpewqazjjpjemw.exe
1⤵
PID:4792
- C:\Windows\ypcpewqazjjpjemw.exe
  ypcpewqazjjpjemw.exe
  2⤵
  PID:1424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhypiecqthlvtsesopid.exe .
1⤵
PID:2316
- C:\Windows\mhypiecqthlvtsesopid.exe
  mhypiecqthlvtsesopid.exe .
  2⤵
  PID:5044
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\mhypiecqthlvtsesopid.exe*."
    3⤵
    PID:4832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztjzrmjwyloxusdqlld.exe
1⤵
PID:2948
- C:\Windows\ztjzrmjwyloxusdqlld.exe
  ztjzrmjwyloxusdqlld.exe
  2⤵
  PID:2332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxphbyxmqfkvuuhwtvpld.exe .
1⤵
PID:4436
- C:\Windows\bxphbyxmqfkvuuhwtvpld.exe
  bxphbyxmqfkvuuhwtvpld.exe .
  2⤵
  PID:2352
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\bxphbyxmqfkvuuhwtvpld.exe*."
    3⤵
    PID:5064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
1⤵
PID:2900
- C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
  2⤵
  PID:1148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe .
1⤵
PID:3584
- C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe .
  2⤵
  PID:4156
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ohwlcwsefrtbxueqkj.exe*."
    3⤵
    PID:880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe
1⤵
PID:4464
- C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe
  C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe
  2⤵
  PID:3432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe .
1⤵
PID:5008
- C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe .
  2⤵
  PID:5088
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ohwlcwsefrtbxueqkj.exe*."
    3⤵
    PID:808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxlzpidoozahcyhsl.exe
1⤵
PID:3448
- C:\Windows\fxlzpidoozahcyhsl.exe
  fxlzpidoozahcyhsl.exe
  2⤵
  PID:1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxphbyxmqfkvuuhwtvpld.exe .
1⤵
PID:4540
- C:\Windows\bxphbyxmqfkvuuhwtvpld.exe
  bxphbyxmqfkvuuhwtvpld.exe .
  2⤵
  PID:844
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\bxphbyxmqfkvuuhwtvpld.exe*."
    3⤵
    PID:5112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypcpewqazjjpjemw.exe
1⤵
PID:1968
- C:\Windows\ypcpewqazjjpjemw.exe
  ypcpewqazjjpjemw.exe
  2⤵
  PID:208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxphbyxmqfkvuuhwtvpld.exe .
1⤵
PID:3092
- C:\Windows\bxphbyxmqfkvuuhwtvpld.exe
  bxphbyxmqfkvuuhwtvpld.exe .
  2⤵
  PID:2260
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\bxphbyxmqfkvuuhwtvpld.exe*."
    3⤵
    PID:2860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
1⤵
PID:4816
- C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
  2⤵
  PID:2784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe .
1⤵
PID:1152
- C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe
  C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe .
  2⤵
  PID:4780
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ztjzrmjwyloxusdqlld.exe*."
    3⤵
    PID:464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
1⤵
PID:3316
- C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
  2⤵
  PID:4716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe .
1⤵
PID:5020
- C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe .
  2⤵
  PID:4736
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ohwlcwsefrtbxueqkj.exe*."
    3⤵
    PID:896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhypiecqthlvtsesopid.exe
1⤵
PID:5044
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3320
- C:\Windows\mhypiecqthlvtsesopid.exe
  mhypiecqthlvtsesopid.exe
  2⤵
  PID:4008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxphbyxmqfkvuuhwtvpld.exe
1⤵
PID:1756
- C:\Windows\bxphbyxmqfkvuuhwtvpld.exe
  bxphbyxmqfkvuuhwtvpld.exe
  2⤵
  PID:4064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypcpewqazjjpjemw.exe .
1⤵
PID:4576
- C:\Windows\ypcpewqazjjpjemw.exe
  ypcpewqazjjpjemw.exe .
  2⤵
  PID:872
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ypcpewqazjjpjemw.exe*."
    3⤵
    PID:4112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxlzpidoozahcyhsl.exe .
1⤵
PID:5064
- C:\Windows\fxlzpidoozahcyhsl.exe
  fxlzpidoozahcyhsl.exe .
  2⤵
  PID:1972
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\fxlzpidoozahcyhsl.exe*."
    3⤵
    PID:2872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxlzpidoozahcyhsl.exe
1⤵
PID:3476
- C:\Windows\fxlzpidoozahcyhsl.exe
  fxlzpidoozahcyhsl.exe
  2⤵
  PID:5108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxlzpidoozahcyhsl.exe
1⤵
PID:1344
- C:\Windows\fxlzpidoozahcyhsl.exe
  fxlzpidoozahcyhsl.exe
  2⤵
  PID:1040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztjzrmjwyloxusdqlld.exe .
1⤵
PID:3368
- C:\Windows\ztjzrmjwyloxusdqlld.exe
  ztjzrmjwyloxusdqlld.exe .
  2⤵
  PID:2744
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ztjzrmjwyloxusdqlld.exe*."
    3⤵
    PID:2764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztjzrmjwyloxusdqlld.exe .
1⤵
PID:5052
- C:\Windows\ztjzrmjwyloxusdqlld.exe
  ztjzrmjwyloxusdqlld.exe .
  2⤵
  PID:3140
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ztjzrmjwyloxusdqlld.exe*."
    3⤵
    PID:4744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
1⤵
PID:2148
- C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
  2⤵
  PID:3428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
1⤵
PID:4824
- C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
  2⤵
  PID:5028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe .
1⤵
PID:4016
- C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe .
  2⤵
  PID:4992
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ypcpewqazjjpjemw.exe*."
    3⤵
    PID:3800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe .
1⤵
PID:944
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2056
- C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe
  C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe .
  2⤵
  PID:4988
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ztjzrmjwyloxusdqlld.exe*."
    3⤵
    PID:764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztjzrmjwyloxusdqlld.exe
1⤵
PID:2368
- C:\Windows\ztjzrmjwyloxusdqlld.exe
  ztjzrmjwyloxusdqlld.exe
  2⤵
  PID:396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztjzrmjwyloxusdqlld.exe .
1⤵
PID:2124
- C:\Windows\ztjzrmjwyloxusdqlld.exe
  ztjzrmjwyloxusdqlld.exe .
  2⤵
  PID:4688
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ztjzrmjwyloxusdqlld.exe*."
    3⤵
    PID:224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe
1⤵
PID:3764
- C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe
  C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe
  2⤵
  PID:5104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
1⤵
PID:3020
- C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
  2⤵
  PID:1152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe .
1⤵
PID:1388
- C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe .
  2⤵
  PID:2904
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ohwlcwsefrtbxueqkj.exe*."
    3⤵
    PID:5064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe .
1⤵
PID:3472
- C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe
  C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe .
  2⤵
  PID:3480
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\bxphbyxmqfkvuuhwtvpld.exe*."
    3⤵
    PID:1616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxlzpidoozahcyhsl.exe
1⤵
PID:5016
- C:\Windows\fxlzpidoozahcyhsl.exe
  fxlzpidoozahcyhsl.exe
  2⤵
  PID:1660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxphbyxmqfkvuuhwtvpld.exe .
1⤵
PID:624
- C:\Windows\bxphbyxmqfkvuuhwtvpld.exe
  bxphbyxmqfkvuuhwtvpld.exe .
  2⤵
  PID:1972
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\bxphbyxmqfkvuuhwtvpld.exe*."
    3⤵
    PID:2052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe
1⤵
PID:4948
- C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe
  C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe
  2⤵
  PID:4788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe .
1⤵
PID:4984
- C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe
  C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe .
  2⤵
  PID:3788
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ztjzrmjwyloxusdqlld.exe*."
    3⤵
    PID:5068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
1⤵
PID:4820
- C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
  2⤵
  PID:3852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe .
1⤵
PID:4952
- C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe .
  2⤵
  PID:3068
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ypcpewqazjjpjemw.exe*."
    3⤵
    PID:4008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypcpewqazjjpjemw.exe
1⤵
PID:644
- C:\Windows\ypcpewqazjjpjemw.exe
  ypcpewqazjjpjemw.exe
  2⤵
  PID:816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypcpewqazjjpjemw.exe .
1⤵
PID:1828
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1168
- C:\Windows\ypcpewqazjjpjemw.exe
  ypcpewqazjjpjemw.exe .
  2⤵
  PID:4352
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ypcpewqazjjpjemw.exe*."
    3⤵
    PID:4584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztjzrmjwyloxusdqlld.exe
1⤵
PID:3892
- C:\Windows\ztjzrmjwyloxusdqlld.exe
  ztjzrmjwyloxusdqlld.exe
  2⤵
  PID:2616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxphbyxmqfkvuuhwtvpld.exe .
1⤵
PID:1588
- C:\Windows\bxphbyxmqfkvuuhwtvpld.exe
  bxphbyxmqfkvuuhwtvpld.exe .
  2⤵
  PID:3064
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\bxphbyxmqfkvuuhwtvpld.exe*."
    3⤵
    PID:2388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
1⤵
PID:3444
- C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
  2⤵
  PID:692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe .
1⤵
PID:880
- C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe .
  2⤵
  PID:1672
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ohwlcwsefrtbxueqkj.exe*."
    3⤵
    PID:956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
1⤵
PID:2220
- C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
  2⤵
  PID:5084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe .
1⤵
PID:4472
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5032
- C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe .
  2⤵
  PID:1388
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\fxlzpidoozahcyhsl.exe*."
    3⤵
    PID:2052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypcpewqazjjpjemw.exe
1⤵
PID:4244
- C:\Windows\ypcpewqazjjpjemw.exe
  ypcpewqazjjpjemw.exe
  2⤵
  PID:2712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxlzpidoozahcyhsl.exe .
1⤵
PID:1012
- C:\Windows\fxlzpidoozahcyhsl.exe
  fxlzpidoozahcyhsl.exe .
  2⤵
  PID:5020
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\fxlzpidoozahcyhsl.exe*."
    3⤵
    PID:3220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxphbyxmqfkvuuhwtvpld.exe
1⤵
PID:4524
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3520
- C:\Windows\bxphbyxmqfkvuuhwtvpld.exe
  bxphbyxmqfkvuuhwtvpld.exe
  2⤵
  PID:4544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztjzrmjwyloxusdqlld.exe .
1⤵
PID:848
- C:\Windows\ztjzrmjwyloxusdqlld.exe
  ztjzrmjwyloxusdqlld.exe .
  2⤵
  PID:3424
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ztjzrmjwyloxusdqlld.exe*."
    3⤵
    PID:1520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe
1⤵
PID:1340
- C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe
  C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe
  2⤵
  PID:4512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe .
1⤵
PID:5104
- C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe .
  2⤵
  PID:3828
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ypcpewqazjjpjemw.exe*."
    3⤵
    PID:1512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
1⤵
PID:4952
- C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
  2⤵
  PID:2384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe .
1⤵
PID:5052
- C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe .
  2⤵
  PID:2440
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\fxlzpidoozahcyhsl.exe*."
    3⤵
    PID:1788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztjzrmjwyloxusdqlld.exe
1⤵
PID:3084
- C:\Windows\ztjzrmjwyloxusdqlld.exe
  ztjzrmjwyloxusdqlld.exe
  2⤵
  PID:1668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxlzpidoozahcyhsl.exe .
1⤵
PID:5016
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3316
- C:\Windows\fxlzpidoozahcyhsl.exe
  fxlzpidoozahcyhsl.exe .
  2⤵
  PID:1968
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\fxlzpidoozahcyhsl.exe*."
    3⤵
    PID:2008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohwlcwsefrtbxueqkj.exe
1⤵
PID:5064
- C:\Windows\ohwlcwsefrtbxueqkj.exe
  ohwlcwsefrtbxueqkj.exe
  2⤵
  PID:2900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxlzpidoozahcyhsl.exe .
1⤵
PID:2168
- C:\Windows\fxlzpidoozahcyhsl.exe
  fxlzpidoozahcyhsl.exe .
  2⤵
  PID:2160
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\fxlzpidoozahcyhsl.exe*."
    3⤵
    PID:3528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe
1⤵
PID:2124
- C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe
  C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe
  2⤵
  PID:1616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe .
1⤵
PID:400
- C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe .
  2⤵
  PID:1624
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ohwlcwsefrtbxueqkj.exe*."
    3⤵
    PID:1224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe
1⤵
PID:5068
- C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe
  C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe
  2⤵
  PID:4828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe .
1⤵
PID:2476
- C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe
  C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe .
  2⤵
  PID:4016
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\bxphbyxmqfkvuuhwtvpld.exe*."
    3⤵
    PID:4984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztjzrmjwyloxusdqlld.exe
1⤵
PID:2696
- C:\Windows\ztjzrmjwyloxusdqlld.exe
  ztjzrmjwyloxusdqlld.exe
  2⤵
  PID:5028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztjzrmjwyloxusdqlld.exe .
1⤵
PID:4156
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1520
- C:\Windows\ztjzrmjwyloxusdqlld.exe
  ztjzrmjwyloxusdqlld.exe .
  2⤵
  PID:4356
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ztjzrmjwyloxusdqlld.exe*."
    3⤵
    PID:3068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohwlcwsefrtbxueqkj.exe
1⤵
PID:844
- C:\Windows\ohwlcwsefrtbxueqkj.exe
  ohwlcwsefrtbxueqkj.exe
  2⤵
  PID:5000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxlzpidoozahcyhsl.exe .
1⤵
PID:3828
- C:\Windows\fxlzpidoozahcyhsl.exe
  fxlzpidoozahcyhsl.exe .
  2⤵
  PID:4348
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\fxlzpidoozahcyhsl.exe*."
    3⤵
    PID:5080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe
1⤵
PID:3760
- C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe
  C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe
  2⤵
  PID:112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe .
1⤵
PID:2052
- C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\ohwlcwsefrtbxueqkj.exe .
  2⤵
  PID:3708
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ohwlcwsefrtbxueqkj.exe*."
    3⤵
    PID:404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe
1⤵
PID:692
- C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe
  C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe
  2⤵
  PID:2260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe .
1⤵
PID:3944
- C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe .
  2⤵
  PID:4852
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\fxlzpidoozahcyhsl.exe*."
    3⤵
    PID:4864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztjzrmjwyloxusdqlld.exe
1⤵
PID:1148
- C:\Windows\ztjzrmjwyloxusdqlld.exe
  ztjzrmjwyloxusdqlld.exe
  2⤵
  PID:4436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxlzpidoozahcyhsl.exe .
1⤵
PID:1172
- C:\Windows\fxlzpidoozahcyhsl.exe
  fxlzpidoozahcyhsl.exe .
  2⤵
  PID:1500
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\fxlzpidoozahcyhsl.exe*."
    3⤵
    PID:400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhypiecqthlvtsesopid.exe
1⤵
PID:808
- C:\Windows\mhypiecqthlvtsesopid.exe
  mhypiecqthlvtsesopid.exe
  2⤵
  PID:5048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypcpewqazjjpjemw.exe .
1⤵
PID:4448
- C:\Windows\ypcpewqazjjpjemw.exe
  ypcpewqazjjpjemw.exe .
  2⤵
  PID:2764
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ypcpewqazjjpjemw.exe*."
    3⤵
    PID:2180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe
1⤵
PID:3896
- C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe
  2⤵
  PID:4016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe .
1⤵
PID:4280
- C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe
  C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe .
  2⤵
  PID:3800
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ztjzrmjwyloxusdqlld.exe*."
    3⤵
    PID:2948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe
1⤵
PID:3092
- C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe
  2⤵
  PID:3584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe .
1⤵
PID:4512
- C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe .
  2⤵
  PID:4656
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\fxlzpidoozahcyhsl.exe*."
    3⤵
    PID:2860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypcpewqazjjpjemw.exe
1⤵
PID:3020
- C:\Windows\ypcpewqazjjpjemw.exe
  ypcpewqazjjpjemw.exe
  2⤵
  PID:5060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxlzpidoozahcyhsl.exe .
1⤵
PID:1404
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:872
- C:\Windows\fxlzpidoozahcyhsl.exe
  fxlzpidoozahcyhsl.exe .
  2⤵
  PID:2996
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\fxlzpidoozahcyhsl.exe*."
    3⤵
    PID:3084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxlzpidoozahcyhsl.exe
1⤵
PID:4988
- C:\Windows\fxlzpidoozahcyhsl.exe
  fxlzpidoozahcyhsl.exe
  2⤵
  PID:2064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohwlcwsefrtbxueqkj.exe
1⤵
PID:1064
- C:\Windows\ohwlcwsefrtbxueqkj.exe
  ohwlcwsefrtbxueqkj.exe
  2⤵
  PID:1448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxphbyxmqfkvuuhwtvpld.exe
1⤵
PID:2616
- C:\Windows\bxphbyxmqfkvuuhwtvpld.exe
  bxphbyxmqfkvuuhwtvpld.exe
  2⤵
  PID:244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxphbyxmqfkvuuhwtvpld.exe .
1⤵
PID:556
- C:\Windows\bxphbyxmqfkvuuhwtvpld.exe
  bxphbyxmqfkvuuhwtvpld.exe .
  2⤵
  PID:1076
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\bxphbyxmqfkvuuhwtvpld.exe*."
    3⤵
    PID:3300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohwlcwsefrtbxueqkj.exe .
1⤵
PID:4496
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3028
- C:\Windows\ohwlcwsefrtbxueqkj.exe
  ohwlcwsefrtbxueqkj.exe .
  2⤵
  PID:4792
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ohwlcwsefrtbxueqkj.exe*."
    3⤵
    PID:4824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxlzpidoozahcyhsl.exe .
1⤵
PID:1968
- C:\Windows\fxlzpidoozahcyhsl.exe
  fxlzpidoozahcyhsl.exe .
  2⤵
  PID:4716
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\fxlzpidoozahcyhsl.exe*."
    3⤵
    PID:624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe
1⤵
PID:2900
- C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe
  2⤵
  PID:2456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypcpewqazjjpjemw.exe
1⤵
PID:3668
- C:\Windows\ypcpewqazjjpjemw.exe
  ypcpewqazjjpjemw.exe
  2⤵
  PID:3612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypcpewqazjjpjemw.exe
1⤵
PID:2124
- C:\Windows\ypcpewqazjjpjemw.exe
  ypcpewqazjjpjemw.exe
  2⤵
  PID:848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe .
1⤵
PID:1388
- C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe .
  2⤵
  PID:1576
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ypcpewqazjjpjemw.exe*."
    3⤵
    PID:3440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxlzpidoozahcyhsl.exe .
1⤵
PID:780
- C:\Windows\fxlzpidoozahcyhsl.exe
  fxlzpidoozahcyhsl.exe .
  2⤵
  PID:3064
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\fxlzpidoozahcyhsl.exe*."
    3⤵
    PID:3092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohwlcwsefrtbxueqkj.exe .
1⤵
PID:1972
- C:\Windows\ohwlcwsefrtbxueqkj.exe
  ohwlcwsefrtbxueqkj.exe .
  2⤵
  PID:4352
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ohwlcwsefrtbxueqkj.exe*."
    3⤵
    PID:4028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe
1⤵
PID:1500
- C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe
  2⤵
  PID:404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe
1⤵
PID:3428
- C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe
  C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe
  2⤵
  PID:1220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe .
1⤵
PID:2136
- C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe
  C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe .
  2⤵
  PID:1000
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ztjzrmjwyloxusdqlld.exe*."
    3⤵
    PID:2456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe .
1⤵
PID:2764
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2368
- C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\fxlzpidoozahcyhsl.exe .
  2⤵
  PID:4648
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\fxlzpidoozahcyhsl.exe*."
    3⤵
    PID:3212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe
1⤵
PID:4448
- C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe
  C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe
  2⤵
  PID:1080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe .
1⤵
PID:4280
- C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe
  C:\Users\Admin\AppData\Local\Temp\ztjzrmjwyloxusdqlld.exe .
  2⤵
  PID:3912
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ztjzrmjwyloxusdqlld.exe*."
    3⤵
    PID:3468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe
1⤵
PID:4772
- C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe
  C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe
  2⤵
  PID:1504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe
1⤵
PID:3424
- C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe
  C:\Users\Admin\AppData\Local\Temp\bxphbyxmqfkvuuhwtvpld.exe
  2⤵
  PID:4008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe .
1⤵
PID:2716
- C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe
  C:\Users\Admin\AppData\Local\Temp\mhypiecqthlvtsesopid.exe .
  2⤵
  PID:4832
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\mhypiecqthlvtsesopid.exe*."
    3⤵
    PID:848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe .
1⤵
PID:2708
- C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
  C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe .
  2⤵
  PID:2004
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ypcpewqazjjpjemw.exe*."
    3⤵
    PID:3584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhypiecqthlvtsesopid.exe
1⤵
PID:1224
- C:\Windows\mhypiecqthlvtsesopid.exe
  mhypiecqthlvtsesopid.exe
  2⤵
  PID:2900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohwlcwsefrtbxueqkj.exe .
1⤵
PID:4316
- C:\Windows\ohwlcwsefrtbxueqkj.exe
  ohwlcwsefrtbxueqkj.exe .
  2⤵
  PID:224
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ohwlcwsefrtbxueqkj.exe*."
    3⤵
    PID:2908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhypiecqthlvtsesopid.exe
1⤵
PID:5016
- C:\Windows\mhypiecqthlvtsesopid.exe
  mhypiecqthlvtsesopid.exe
  2⤵
  PID:2392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxphbyxmqfkvuuhwtvpld.exe .
1⤵
PID:4892
- C:\Windows\bxphbyxmqfkvuuhwtvpld.exe
  bxphbyxmqfkvuuhwtvpld.exe .
  2⤵
  PID:1216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypcpewqazjjpjemw.exe
1⤵
PID:4992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Modify Registry