pykspa | 142e1f0c627422eae07efbb5d5597b6d41c7bd63c27d0af92f8848904d852159

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	yjjlw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	yjjlw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bbygorkllli.exe

Pykspa
Pykspa is a worm spreads via Skype uses DGA and it's written in C++.
worm pykspa
Pykspa family
pykspa

UAC bypass 3 TTPs 31 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	yjjlw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	yjjlw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	yjjlw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	yjjlw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yjjlw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	yjjlw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yjjlw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	yjjlw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe

Detect Pykspa worm 2 IoCs

worm

resource	yara_rule
behavioral1/files/0x00060000000236e9-4.dat	family_pykspa
behavioral1/files/0x000a00000002421e-85.dat	family_pykspa

Adds policy Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qhnvmthrxmh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wvjzynjbpmpxcsituda.exe"	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	yjjlw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nhqbvfwjskillw = "ljwljxsjwsubfujttb.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nhqbvfwjskillw = "yzphizxrhglvcumzcnmnd.exe"	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nhqbvfwjskillw = "wvjzynjbpmpxcsituda.exe"	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qhnvmthrxmh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yzphizxrhglvcumzcnmnd.exe"	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nhqbvfwjskillw = "vrcplxqfqkkprerz.exe"	yjjlw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qhnvmthrxmh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yzphizxrhglvcumzcnmnd.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qhnvmthrxmh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vrcplxqfqkkprerz.exe"	yjjlw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qhnvmthrxmh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\czlzwjdtfabhkymvu.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nhqbvfwjskillw = "jjyppfcvkimvbsjvxhff.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nhqbvfwjskillw = "ljwljxsjwsubfujttb.exe"	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	yjjlw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qhnvmthrxmh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wvjzynjbpmpxcsituda.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qhnvmthrxmh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jjyppfcvkimvbsjvxhff.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qhnvmthrxmh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jjyppfcvkimvbsjvxhff.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nhqbvfwjskillw = "yzphizxrhglvcumzcnmnd.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qhnvmthrxmh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\czlzwjdtfabhkymvu.exe"	yjjlw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qhnvmthrxmh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vrcplxqfqkkprerz.exe"	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nhqbvfwjskillw = "czlzwjdtfabhkymvu.exe"	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qhnvmthrxmh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wvjzynjbpmpxcsituda.exe"	yjjlw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nhqbvfwjskillw = "vrcplxqfqkkprerz.exe"	yjjlw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qhnvmthrxmh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jjyppfcvkimvbsjvxhff.exe"	yjjlw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nhqbvfwjskillw = "czlzwjdtfabhkymvu.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qhnvmthrxmh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vrcplxqfqkkprerz.exe"	yjjlw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nhqbvfwjskillw = "vrcplxqfqkkprerz.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qhnvmthrxmh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vrcplxqfqkkprerz.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qhnvmthrxmh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\czlzwjdtfabhkymvu.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nhqbvfwjskillw = "wvjzynjbpmpxcsituda.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qhnvmthrxmh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wvjzynjbpmpxcsituda.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nhqbvfwjskillw = "yzphizxrhglvcumzcnmnd.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nhqbvfwjskillw = "yzphizxrhglvcumzcnmnd.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qhnvmthrxmh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jjyppfcvkimvbsjvxhff.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nhqbvfwjskillw = "ljwljxsjwsubfujttb.exe"	yjjlw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qhnvmthrxmh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\czlzwjdtfabhkymvu.exe"	yjjlw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qhnvmthrxmh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jjyppfcvkimvbsjvxhff.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qhnvmthrxmh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ljwljxsjwsubfujttb.exe"	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nhqbvfwjskillw = "czlzwjdtfabhkymvu.exe"	yjjlw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qhnvmthrxmh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\czlzwjdtfabhkymvu.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qhnvmthrxmh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vrcplxqfqkkprerz.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nhqbvfwjskillw = "czlzwjdtfabhkymvu.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nhqbvfwjskillw = "czlzwjdtfabhkymvu.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nhqbvfwjskillw = "vrcplxqfqkkprerz.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nhqbvfwjskillw = "wvjzynjbpmpxcsituda.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nhqbvfwjskillw = "yzphizxrhglvcumzcnmnd.exe"	yjjlw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nhqbvfwjskillw = "jjyppfcvkimvbsjvxhff.exe"	bbygorkllli.exe

Blocklisted process makes network request 8 IoCs

flow	pid	Process
50	1424	Process not Found
56	1424	Process not Found
85	2848	BackgroundTransferHost.exe
86	2848	BackgroundTransferHost.exe
87	2848	BackgroundTransferHost.exe
88	2848	BackgroundTransferHost.exe
89	2848	BackgroundTransferHost.exe
91	2848	BackgroundTransferHost.exe

Disables RegEdit via registry modification 6 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	bbygorkllli.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	yjjlw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	yjjlw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	yjjlw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	yjjlw.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	jjyppfcvkimvbsjvxhff.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	vrcplxqfqkkprerz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	yzphizxrhglvcumzcnmnd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	czlzwjdtfabhkymvu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	vrcplxqfqkkprerz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	vrcplxqfqkkprerz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	czlzwjdtfabhkymvu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	czlzwjdtfabhkymvu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	vrcplxqfqkkprerz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	jjyppfcvkimvbsjvxhff.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	yzphizxrhglvcumzcnmnd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	bbygorkllli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	czlzwjdtfabhkymvu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	czlzwjdtfabhkymvu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	vrcplxqfqkkprerz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	ljwljxsjwsubfujttb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	wvjzynjbpmpxcsituda.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	ljwljxsjwsubfujttb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	jjyppfcvkimvbsjvxhff.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	yzphizxrhglvcumzcnmnd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	vrcplxqfqkkprerz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	czlzwjdtfabhkymvu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	czlzwjdtfabhkymvu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	yzphizxrhglvcumzcnmnd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	wvjzynjbpmpxcsituda.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	jjyppfcvkimvbsjvxhff.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	wvjzynjbpmpxcsituda.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	czlzwjdtfabhkymvu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	wvjzynjbpmpxcsituda.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	yzphizxrhglvcumzcnmnd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	ljwljxsjwsubfujttb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	jjyppfcvkimvbsjvxhff.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	wvjzynjbpmpxcsituda.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	yzphizxrhglvcumzcnmnd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	czlzwjdtfabhkymvu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	wvjzynjbpmpxcsituda.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	ljwljxsjwsubfujttb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	jjyppfcvkimvbsjvxhff.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	ljwljxsjwsubfujttb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	vrcplxqfqkkprerz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	wvjzynjbpmpxcsituda.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	wvjzynjbpmpxcsituda.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	czlzwjdtfabhkymvu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	vrcplxqfqkkprerz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	jjyppfcvkimvbsjvxhff.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	czlzwjdtfabhkymvu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	jjyppfcvkimvbsjvxhff.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	jjyppfcvkimvbsjvxhff.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	czlzwjdtfabhkymvu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	czlzwjdtfabhkymvu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	czlzwjdtfabhkymvu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	jjyppfcvkimvbsjvxhff.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	yzphizxrhglvcumzcnmnd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	czlzwjdtfabhkymvu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	jjyppfcvkimvbsjvxhff.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	vrcplxqfqkkprerz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	ljwljxsjwsubfujttb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	vrcplxqfqkkprerz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	czlzwjdtfabhkymvu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	yzphizxrhglvcumzcnmnd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	ljwljxsjwsubfujttb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	vrcplxqfqkkprerz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	wvjzynjbpmpxcsituda.exe

Executes dropped EXE 64 IoCs

pid	Process
5060	bbygorkllli.exe
4500	wvjzynjbpmpxcsituda.exe
1592	wvjzynjbpmpxcsituda.exe
3000	bbygorkllli.exe
3508	jjyppfcvkimvbsjvxhff.exe
3168	yzphizxrhglvcumzcnmnd.exe
1012	yzphizxrhglvcumzcnmnd.exe
2312	bbygorkllli.exe
2052	wvjzynjbpmpxcsituda.exe
4064	bbygorkllli.exe
2424	czlzwjdtfabhkymvu.exe
3344	jjyppfcvkimvbsjvxhff.exe
2472	bbygorkllli.exe
2760	yjjlw.exe
3988	yjjlw.exe
4632	yzphizxrhglvcumzcnmnd.exe
3656	wvjzynjbpmpxcsituda.exe
2828	yzphizxrhglvcumzcnmnd.exe
3580	vrcplxqfqkkprerz.exe
2976	bbygorkllli.exe
948	bbygorkllli.exe
2100	jjyppfcvkimvbsjvxhff.exe
4004	vrcplxqfqkkprerz.exe
4784	czlzwjdtfabhkymvu.exe
2148	jjyppfcvkimvbsjvxhff.exe
4444	yzphizxrhglvcumzcnmnd.exe
5092	jjyppfcvkimvbsjvxhff.exe
3600	czlzwjdtfabhkymvu.exe
4336	ljwljxsjwsubfujttb.exe
4100	bbygorkllli.exe
4948	bbygorkllli.exe
3580	bbygorkllli.exe
4852	bbygorkllli.exe
4568	czlzwjdtfabhkymvu.exe
924	czlzwjdtfabhkymvu.exe
4684	wvjzynjbpmpxcsituda.exe
4332	jjyppfcvkimvbsjvxhff.exe
2264	bbygorkllli.exe
2192	bbygorkllli.exe
1080	yzphizxrhglvcumzcnmnd.exe
4164	wvjzynjbpmpxcsituda.exe
4172	bbygorkllli.exe
4212	ljwljxsjwsubfujttb.exe
2744	ljwljxsjwsubfujttb.exe
4948	yzphizxrhglvcumzcnmnd.exe
1596	bbygorkllli.exe
4124	yzphizxrhglvcumzcnmnd.exe
228	bbygorkllli.exe
4120	vrcplxqfqkkprerz.exe
1140	czlzwjdtfabhkymvu.exe
2976	bbygorkllli.exe
1492	ljwljxsjwsubfujttb.exe
1212	ljwljxsjwsubfujttb.exe
848	yzphizxrhglvcumzcnmnd.exe
3068	czlzwjdtfabhkymvu.exe
3268	bbygorkllli.exe
3552	jjyppfcvkimvbsjvxhff.exe
2744	wvjzynjbpmpxcsituda.exe
1664	jjyppfcvkimvbsjvxhff.exe
4124	bbygorkllli.exe
1316	wvjzynjbpmpxcsituda.exe
2164	bbygorkllli.exe
4668	czlzwjdtfabhkymvu.exe
4784	czlzwjdtfabhkymvu.exe

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	yjjlw.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	yjjlw.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	yjjlw.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	yjjlw.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	yjjlw.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	yjjlw.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

defense_evasion persistence privilege_escalation

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mfnxqzpbjaxzy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vrcplxqfqkkprerz.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nfmvnvkvcsop = "wvjzynjbpmpxcsituda.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\mfnxqzpbjaxzy = "wvjzynjbpmpxcsituda.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nfmvnvkvcsop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vrcplxqfqkkprerz.exe"	yjjlw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qlvhcnftdwvzamy = "ljwljxsjwsubfujttb.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nfmvnvkvcsop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ljwljxsjwsubfujttb.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ljwljxsjwsubfujttb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jjyppfcvkimvbsjvxhff.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ljwljxsjwsubfujttb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yzphizxrhglvcumzcnmnd.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\czlzwjdtfabhkymvu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jjyppfcvkimvbsjvxhff.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mfnxqzpbjaxzy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wvjzynjbpmpxcsituda.exe ."	yjjlw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nfmvnvkvcsop = "yzphizxrhglvcumzcnmnd.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\mfnxqzpbjaxzy = "jjyppfcvkimvbsjvxhff.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mfnxqzpbjaxzy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\czlzwjdtfabhkymvu.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nfmvnvkvcsop = "ljwljxsjwsubfujttb.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nfmvnvkvcsop = "czlzwjdtfabhkymvu.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mfnxqzpbjaxzy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wvjzynjbpmpxcsituda.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\mfnxqzpbjaxzy = "wvjzynjbpmpxcsituda.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nfmvnvkvcsop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yzphizxrhglvcumzcnmnd.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\mfnxqzpbjaxzy = "czlzwjdtfabhkymvu.exe ."	yjjlw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qlvhcnftdwvzamy = "jjyppfcvkimvbsjvxhff.exe"	yjjlw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mfnxqzpbjaxzy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yzphizxrhglvcumzcnmnd.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\czlzwjdtfabhkymvu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ljwljxsjwsubfujttb.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nfmvnvkvcsop = "vrcplxqfqkkprerz.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qlvhcnftdwvzamy = "czlzwjdtfabhkymvu.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ljwljxsjwsubfujttb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ljwljxsjwsubfujttb.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vrcplxqfqkkprerz = "yzphizxrhglvcumzcnmnd.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ljwljxsjwsubfujttb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yzphizxrhglvcumzcnmnd.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nfmvnvkvcsop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\czlzwjdtfabhkymvu.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ljwljxsjwsubfujttb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jjyppfcvkimvbsjvxhff.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\mfnxqzpbjaxzy = "czlzwjdtfabhkymvu.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vrcplxqfqkkprerz = "ljwljxsjwsubfujttb.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qlvhcnftdwvzamy = "jjyppfcvkimvbsjvxhff.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\czlzwjdtfabhkymvu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jjyppfcvkimvbsjvxhff.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qlvhcnftdwvzamy = "jjyppfcvkimvbsjvxhff.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qlvhcnftdwvzamy = "ljwljxsjwsubfujttb.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ljwljxsjwsubfujttb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ljwljxsjwsubfujttb.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nfmvnvkvcsop = "vrcplxqfqkkprerz.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nfmvnvkvcsop = "yzphizxrhglvcumzcnmnd.exe"	yjjlw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\czlzwjdtfabhkymvu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vrcplxqfqkkprerz.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nfmvnvkvcsop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yzphizxrhglvcumzcnmnd.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vrcplxqfqkkprerz = "jjyppfcvkimvbsjvxhff.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mfnxqzpbjaxzy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\czlzwjdtfabhkymvu.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\czlzwjdtfabhkymvu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yzphizxrhglvcumzcnmnd.exe ."	yjjlw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mfnxqzpbjaxzy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\czlzwjdtfabhkymvu.exe ."	yjjlw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ljwljxsjwsubfujttb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jjyppfcvkimvbsjvxhff.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ljwljxsjwsubfujttb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yzphizxrhglvcumzcnmnd.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ljwljxsjwsubfujttb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vrcplxqfqkkprerz.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vrcplxqfqkkprerz = "ljwljxsjwsubfujttb.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mfnxqzpbjaxzy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vrcplxqfqkkprerz.exe ."	yjjlw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ljwljxsjwsubfujttb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wvjzynjbpmpxcsituda.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qlvhcnftdwvzamy = "jjyppfcvkimvbsjvxhff.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nfmvnvkvcsop = "yzphizxrhglvcumzcnmnd.exe"	yjjlw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vrcplxqfqkkprerz = "ljwljxsjwsubfujttb.exe ."	yjjlw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mfnxqzpbjaxzy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wvjzynjbpmpxcsituda.exe ."	yjjlw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\czlzwjdtfabhkymvu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\czlzwjdtfabhkymvu.exe ."	yjjlw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nfmvnvkvcsop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\czlzwjdtfabhkymvu.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nfmvnvkvcsop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\czlzwjdtfabhkymvu.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qlvhcnftdwvzamy = "ljwljxsjwsubfujttb.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nfmvnvkvcsop = "ljwljxsjwsubfujttb.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nfmvnvkvcsop = "vrcplxqfqkkprerz.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\mfnxqzpbjaxzy = "czlzwjdtfabhkymvu.exe ."	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ljwljxsjwsubfujttb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vrcplxqfqkkprerz.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nfmvnvkvcsop = "jjyppfcvkimvbsjvxhff.exe"	bbygorkllli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vrcplxqfqkkprerz = "wvjzynjbpmpxcsituda.exe ."	bbygorkllli.exe

Checks whether UAC is enabled 1 TTPs 44 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yjjlw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bbygorkllli.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yjjlw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	yjjlw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bbygorkllli.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bbygorkllli.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bbygorkllli.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bbygorkllli.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bbygorkllli.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bbygorkllli.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bbygorkllli.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	yjjlw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bbygorkllli.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bbygorkllli.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs

Possible Turn off User Account Control's privilege elevation for standard users.

Executable Installer File Permissions Weakness

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	yjjlw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	yjjlw.exe

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
24	whatismyipaddress.com
31	www.showmyipaddress.com
34	www.whatismyip.ca
36	whatismyip.everdot.org
41	www.whatismyip.ca
44	www.whatismyip.ca

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	yjjlw.exe
File opened for modification	F:\autorun.inf	yjjlw.exe
File created	F:\autorun.inf	yjjlw.exe
File opened for modification	C:\autorun.inf	yjjlw.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ljwljxsjwsubfujttb.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\ljwljxsjwsubfujttb.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\czlzwjdtfabhkymvu.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\pribdvupggmxfyrfjvvxoh.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\czlzwjdtfabhkymvu.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\pribdvupggmxfyrfjvvxoh.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\vrcplxqfqkkprerz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\wvjzynjbpmpxcsituda.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\pribdvupggmxfyrfjvvxoh.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\czlzwjdtfabhkymvu.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\jjyppfcvkimvbsjvxhff.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\czlzwjdtfabhkymvu.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\ljwljxsjwsubfujttb.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\wvjzynjbpmpxcsituda.exe	yjjlw.exe
File created	C:\Windows\SysWOW64\pzyzjjqtsaohxyzvhbjtstddkn.uib	yjjlw.exe
File opened for modification	C:\Windows\SysWOW64\pribdvupggmxfyrfjvvxoh.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\czlzwjdtfabhkymvu.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\wvjzynjbpmpxcsituda.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\vrcplxqfqkkprerz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\jjyppfcvkimvbsjvxhff.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\pribdvupggmxfyrfjvvxoh.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\vrcplxqfqkkprerz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\ljwljxsjwsubfujttb.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\pribdvupggmxfyrfjvvxoh.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\czlzwjdtfabhkymvu.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\ljwljxsjwsubfujttb.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\ljwljxsjwsubfujttb.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\wvjzynjbpmpxcsituda.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\yzphizxrhglvcumzcnmnd.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\czlzwjdtfabhkymvu.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\ljwljxsjwsubfujttb.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\wvjzynjbpmpxcsituda.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\yzphizxrhglvcumzcnmnd.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\pribdvupggmxfyrfjvvxoh.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\wvjzynjbpmpxcsituda.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\ljwljxsjwsubfujttb.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\vrcplxqfqkkprerz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\czlzwjdtfabhkymvu.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\pribdvupggmxfyrfjvvxoh.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\czlzwjdtfabhkymvu.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\pribdvupggmxfyrfjvvxoh.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\ljwljxsjwsubfujttb.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\wvjzynjbpmpxcsituda.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\yzphizxrhglvcumzcnmnd.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\jjyppfcvkimvbsjvxhff.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\czlzwjdtfabhkymvu.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\jjyppfcvkimvbsjvxhff.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\jjyppfcvkimvbsjvxhff.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\yzphizxrhglvcumzcnmnd.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\jjyppfcvkimvbsjvxhff.exe	yjjlw.exe
File opened for modification	C:\Windows\SysWOW64\ljwljxsjwsubfujttb.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\vrcplxqfqkkprerz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\ljwljxsjwsubfujttb.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\vrcplxqfqkkprerz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\jjyppfcvkimvbsjvxhff.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\pribdvupggmxfyrfjvvxoh.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\pribdvupggmxfyrfjvvxoh.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\pribdvupggmxfyrfjvvxoh.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\czlzwjdtfabhkymvu.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\ljwljxsjwsubfujttb.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\wvjzynjbpmpxcsituda.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\wvjzynjbpmpxcsituda.exe	bbygorkllli.exe
File opened for modification	C:\Windows\SysWOW64\vrcplxqfqkkprerz.exe	yjjlw.exe
File opened for modification	C:\Windows\SysWOW64\yzphizxrhglvcumzcnmnd.exe	bbygorkllli.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\pzyzjjqtsaohxyzvhbjtstddkn.uib	yjjlw.exe
File opened for modification	C:\Program Files (x86)\qlvhcnftdwvzamyfchavfrmxpdngfjkwipmrk.pbw	yjjlw.exe
File created	C:\Program Files (x86)\qlvhcnftdwvzamyfchavfrmxpdngfjkwipmrk.pbw	yjjlw.exe
File opened for modification	C:\Program Files (x86)\pzyzjjqtsaohxyzvhbjtstddkn.uib	yjjlw.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\jjyppfcvkimvbsjvxhff.exe	bbygorkllli.exe
File opened for modification	C:\Windows\ljwljxsjwsubfujttb.exe	bbygorkllli.exe
File opened for modification	C:\Windows\jjyppfcvkimvbsjvxhff.exe	bbygorkllli.exe
File opened for modification	C:\Windows\jjyppfcvkimvbsjvxhff.exe	bbygorkllli.exe
File opened for modification	C:\Windows\vrcplxqfqkkprerz.exe	yjjlw.exe
File opened for modification	C:\Windows\yzphizxrhglvcumzcnmnd.exe	bbygorkllli.exe
File opened for modification	C:\Windows\vrcplxqfqkkprerz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\ljwljxsjwsubfujttb.exe	bbygorkllli.exe
File opened for modification	C:\Windows\pribdvupggmxfyrfjvvxoh.exe	yjjlw.exe
File opened for modification	C:\Windows\ljwljxsjwsubfujttb.exe	yjjlw.exe
File opened for modification	C:\Windows\ljwljxsjwsubfujttb.exe	bbygorkllli.exe
File opened for modification	C:\Windows\czlzwjdtfabhkymvu.exe	bbygorkllli.exe
File opened for modification	C:\Windows\jjyppfcvkimvbsjvxhff.exe	bbygorkllli.exe
File opened for modification	C:\Windows\yzphizxrhglvcumzcnmnd.exe	bbygorkllli.exe
File opened for modification	C:\Windows\czlzwjdtfabhkymvu.exe	yjjlw.exe
File opened for modification	C:\Windows\jjyppfcvkimvbsjvxhff.exe	bbygorkllli.exe
File opened for modification	C:\Windows\wvjzynjbpmpxcsituda.exe	bbygorkllli.exe
File opened for modification	C:\Windows\pribdvupggmxfyrfjvvxoh.exe	bbygorkllli.exe
File opened for modification	C:\Windows\czlzwjdtfabhkymvu.exe	bbygorkllli.exe
File opened for modification	C:\Windows\czlzwjdtfabhkymvu.exe	bbygorkllli.exe
File opened for modification	C:\Windows\jjyppfcvkimvbsjvxhff.exe	bbygorkllli.exe
File opened for modification	C:\Windows\ljwljxsjwsubfujttb.exe	bbygorkllli.exe
File opened for modification	C:\Windows\vrcplxqfqkkprerz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\czlzwjdtfabhkymvu.exe	bbygorkllli.exe
File opened for modification	C:\Windows\yzphizxrhglvcumzcnmnd.exe	bbygorkllli.exe
File opened for modification	C:\Windows\wvjzynjbpmpxcsituda.exe	bbygorkllli.exe
File opened for modification	C:\Windows\wvjzynjbpmpxcsituda.exe	bbygorkllli.exe
File opened for modification	C:\Windows\jjyppfcvkimvbsjvxhff.exe	bbygorkllli.exe
File opened for modification	C:\Windows\czlzwjdtfabhkymvu.exe	bbygorkllli.exe
File opened for modification	C:\Windows\czlzwjdtfabhkymvu.exe	bbygorkllli.exe
File opened for modification	C:\Windows\wvjzynjbpmpxcsituda.exe	bbygorkllli.exe
File opened for modification	C:\Windows\yzphizxrhglvcumzcnmnd.exe	bbygorkllli.exe
File opened for modification	C:\Windows\jjyppfcvkimvbsjvxhff.exe	bbygorkllli.exe
File opened for modification	C:\Windows\yzphizxrhglvcumzcnmnd.exe	bbygorkllli.exe
File opened for modification	C:\Windows\czlzwjdtfabhkymvu.exe	bbygorkllli.exe
File opened for modification	C:\Windows\yzphizxrhglvcumzcnmnd.exe	bbygorkllli.exe
File opened for modification	C:\Windows\pribdvupggmxfyrfjvvxoh.exe	bbygorkllli.exe
File opened for modification	C:\Windows\jjyppfcvkimvbsjvxhff.exe	bbygorkllli.exe
File opened for modification	C:\Windows\jjyppfcvkimvbsjvxhff.exe	bbygorkllli.exe
File opened for modification	C:\Windows\vrcplxqfqkkprerz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\wvjzynjbpmpxcsituda.exe	bbygorkllli.exe
File opened for modification	C:\Windows\vrcplxqfqkkprerz.exe	yjjlw.exe
File opened for modification	C:\Windows\ljwljxsjwsubfujttb.exe	yjjlw.exe
File opened for modification	C:\Windows\vrcplxqfqkkprerz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\yzphizxrhglvcumzcnmnd.exe	bbygorkllli.exe
File opened for modification	C:\Windows\ljwljxsjwsubfujttb.exe	bbygorkllli.exe
File opened for modification	C:\Windows\pribdvupggmxfyrfjvvxoh.exe	bbygorkllli.exe
File opened for modification	C:\Windows\czlzwjdtfabhkymvu.exe	bbygorkllli.exe
File opened for modification	C:\Windows\ljwljxsjwsubfujttb.exe	bbygorkllli.exe
File opened for modification	C:\Windows\jjyppfcvkimvbsjvxhff.exe	bbygorkllli.exe
File opened for modification	C:\Windows\pribdvupggmxfyrfjvvxoh.exe	bbygorkllli.exe
File opened for modification	C:\Windows\qlvhcnftdwvzamyfchavfrmxpdngfjkwipmrk.pbw	yjjlw.exe
File opened for modification	C:\Windows\vrcplxqfqkkprerz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\wvjzynjbpmpxcsituda.exe	bbygorkllli.exe
File opened for modification	C:\Windows\jjyppfcvkimvbsjvxhff.exe	bbygorkllli.exe
File opened for modification	C:\Windows\czlzwjdtfabhkymvu.exe	bbygorkllli.exe
File opened for modification	C:\Windows\vrcplxqfqkkprerz.exe	bbygorkllli.exe
File opened for modification	C:\Windows\yzphizxrhglvcumzcnmnd.exe	bbygorkllli.exe
File opened for modification	C:\Windows\ljwljxsjwsubfujttb.exe	bbygorkllli.exe
File opened for modification	C:\Windows\czlzwjdtfabhkymvu.exe	yjjlw.exe
File opened for modification	C:\Windows\jjyppfcvkimvbsjvxhff.exe	yjjlw.exe
File opened for modification	C:\Windows\pribdvupggmxfyrfjvvxoh.exe	yjjlw.exe
File opened for modification	C:\Windows\pribdvupggmxfyrfjvvxoh.exe	bbygorkllli.exe
File opened for modification	C:\Windows\wvjzynjbpmpxcsituda.exe	bbygorkllli.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vrcplxqfqkkprerz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wvjzynjbpmpxcsituda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	czlzwjdtfabhkymvu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ljwljxsjwsubfujttb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	czlzwjdtfabhkymvu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yzphizxrhglvcumzcnmnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ljwljxsjwsubfujttb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	czlzwjdtfabhkymvu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	czlzwjdtfabhkymvu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ljwljxsjwsubfujttb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ljwljxsjwsubfujttb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vrcplxqfqkkprerz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bbygorkllli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jjyppfcvkimvbsjvxhff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ljwljxsjwsubfujttb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	czlzwjdtfabhkymvu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ljwljxsjwsubfujttb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yzphizxrhglvcumzcnmnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wvjzynjbpmpxcsituda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yzphizxrhglvcumzcnmnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yzphizxrhglvcumzcnmnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jjyppfcvkimvbsjvxhff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	czlzwjdtfabhkymvu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jjyppfcvkimvbsjvxhff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wvjzynjbpmpxcsituda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	czlzwjdtfabhkymvu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vrcplxqfqkkprerz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jjyppfcvkimvbsjvxhff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	czlzwjdtfabhkymvu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wvjzynjbpmpxcsituda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jjyppfcvkimvbsjvxhff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	czlzwjdtfabhkymvu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vrcplxqfqkkprerz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	czlzwjdtfabhkymvu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yzphizxrhglvcumzcnmnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wvjzynjbpmpxcsituda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wvjzynjbpmpxcsituda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ljwljxsjwsubfujttb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yzphizxrhglvcumzcnmnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vrcplxqfqkkprerz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ljwljxsjwsubfujttb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jjyppfcvkimvbsjvxhff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ljwljxsjwsubfujttb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wvjzynjbpmpxcsituda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vrcplxqfqkkprerz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vrcplxqfqkkprerz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ljwljxsjwsubfujttb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ljwljxsjwsubfujttb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vrcplxqfqkkprerz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ljwljxsjwsubfujttb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ljwljxsjwsubfujttb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wvjzynjbpmpxcsituda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	czlzwjdtfabhkymvu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jjyppfcvkimvbsjvxhff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vrcplxqfqkkprerz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jjyppfcvkimvbsjvxhff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ljwljxsjwsubfujttb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jjyppfcvkimvbsjvxhff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yzphizxrhglvcumzcnmnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	czlzwjdtfabhkymvu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	czlzwjdtfabhkymvu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vrcplxqfqkkprerz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vrcplxqfqkkprerz.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1712	JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe
1712	JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe
1712	JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe
1712	JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe
1712	JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe
1712	JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe
1712	JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe
1712	JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe
1712	JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe
1712	JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe
1712	JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe
1712	JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe
1712	JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe
1712	JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe
2760	yjjlw.exe
2760	yjjlw.exe
1712	JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe
1712	JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe
1712	JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe
1712	JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe
1712	JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe
1712	JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe
1712	JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe
1712	JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe
1712	JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe
1712	JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe
1712	JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe
1712	JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe
1712	JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe
1712	JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe
1712	JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe
1712	JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe
1712	JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe
1712	JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe
1712	JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe
1712	JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe
1712	JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe
1712	JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe
1712	JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe
1712	JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe
1712	JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe
1712	JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe
1712	JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe
1712	JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe
1712	JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe
1712	JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe
1712	JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe
1712	JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe
1712	JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe
1712	JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe
1712	JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe
1712	JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe
1712	JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe
1712	JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe
1712	JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe
1712	JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe
1712	JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe
1712	JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe
2760	yjjlw.exe
2760	yjjlw.exe
1712	JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe
1712	JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe
1712	JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe
1712	JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2760	yjjlw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 5060	1712	JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe	91
PID 1712 wrote to memory of 5060	1712	JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe	91
PID 1712 wrote to memory of 5060	1712	JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe	91
PID 1508 wrote to memory of 4500	1508	cmd.exe	94
PID 1508 wrote to memory of 4500	1508	cmd.exe	94
PID 1508 wrote to memory of 4500	1508	cmd.exe	94
PID 4568 wrote to memory of 1592	4568	cmd.exe	99
PID 4568 wrote to memory of 1592	4568	cmd.exe	99
PID 4568 wrote to memory of 1592	4568	cmd.exe	99
PID 1592 wrote to memory of 3000	1592	wvjzynjbpmpxcsituda.exe	100
PID 1592 wrote to memory of 3000	1592	wvjzynjbpmpxcsituda.exe	100
PID 1592 wrote to memory of 3000	1592	wvjzynjbpmpxcsituda.exe	100
PID 2820 wrote to memory of 3508	2820	cmd.exe	105
PID 2820 wrote to memory of 3508	2820	cmd.exe	105
PID 2820 wrote to memory of 3508	2820	cmd.exe	105
PID 3808 wrote to memory of 3168	3808	cmd.exe	108
PID 3808 wrote to memory of 3168	3808	cmd.exe	108
PID 3808 wrote to memory of 3168	3808	cmd.exe	108
PID 1596 wrote to memory of 1012	1596	cmd.exe	111
PID 1596 wrote to memory of 1012	1596	cmd.exe	111
PID 1596 wrote to memory of 1012	1596	cmd.exe	111
PID 3168 wrote to memory of 2312	3168	yzphizxrhglvcumzcnmnd.exe	142
PID 3168 wrote to memory of 2312	3168	yzphizxrhglvcumzcnmnd.exe	142
PID 3168 wrote to memory of 2312	3168	yzphizxrhglvcumzcnmnd.exe	142
PID 4156 wrote to memory of 2052	4156	cmd.exe	113
PID 4156 wrote to memory of 2052	4156	cmd.exe	113
PID 4156 wrote to memory of 2052	4156	cmd.exe	113
PID 2052 wrote to memory of 4064	2052	wvjzynjbpmpxcsituda.exe	116
PID 2052 wrote to memory of 4064	2052	wvjzynjbpmpxcsituda.exe	116
PID 2052 wrote to memory of 4064	2052	wvjzynjbpmpxcsituda.exe	116
PID 3224 wrote to memory of 2424	3224	cmd.exe	119
PID 3224 wrote to memory of 2424	3224	cmd.exe	119
PID 3224 wrote to memory of 2424	3224	cmd.exe	119
PID 3344 wrote to memory of 2472	3344	jjyppfcvkimvbsjvxhff.exe	121
PID 3344 wrote to memory of 2472	3344	jjyppfcvkimvbsjvxhff.exe	121
PID 3344 wrote to memory of 2472	3344	jjyppfcvkimvbsjvxhff.exe	121
PID 5060 wrote to memory of 2760	5060	bbygorkllli.exe	122
PID 5060 wrote to memory of 2760	5060	bbygorkllli.exe	122
PID 5060 wrote to memory of 2760	5060	bbygorkllli.exe	122
PID 5060 wrote to memory of 3988	5060	bbygorkllli.exe	123
PID 5060 wrote to memory of 3988	5060	bbygorkllli.exe	123
PID 5060 wrote to memory of 3988	5060	bbygorkllli.exe	123
PID 4752 wrote to memory of 4632	4752	cmd.exe	130
PID 4752 wrote to memory of 4632	4752	cmd.exe	130
PID 4752 wrote to memory of 4632	4752	cmd.exe	130
PID 4628 wrote to memory of 3656	4628	cmd.exe	129
PID 4628 wrote to memory of 3656	4628	cmd.exe	129
PID 4628 wrote to memory of 3656	4628	cmd.exe	129
PID 4684 wrote to memory of 2828	4684	cmd.exe	135
PID 4684 wrote to memory of 2828	4684	cmd.exe	135
PID 4684 wrote to memory of 2828	4684	cmd.exe	135
PID 872 wrote to memory of 3580	872	cmd.exe	173
PID 872 wrote to memory of 3580	872	cmd.exe	173
PID 872 wrote to memory of 3580	872	cmd.exe	173
PID 2828 wrote to memory of 2976	2828	yzphizxrhglvcumzcnmnd.exe	345
PID 2828 wrote to memory of 2976	2828	yzphizxrhglvcumzcnmnd.exe	345
PID 2828 wrote to memory of 2976	2828	yzphizxrhglvcumzcnmnd.exe	345
PID 3580 wrote to memory of 948	3580	vrcplxqfqkkprerz.exe	150
PID 3580 wrote to memory of 948	3580	vrcplxqfqkkprerz.exe	150
PID 3580 wrote to memory of 948	3580	vrcplxqfqkkprerz.exe	150
PID 3684 wrote to memory of 2100	3684	cmd.exe	155
PID 3684 wrote to memory of 2100	3684	cmd.exe	155
PID 3684 wrote to memory of 2100	3684	cmd.exe	155
PID 3492 wrote to memory of 4004	3492	cmd.exe	300

System policy modification 1 TTPs 64 IoCs

defense_evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	yjjlw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	yjjlw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	yjjlw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	yjjlw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	yjjlw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yjjlw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	yjjlw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	yjjlw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	yjjlw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	yjjlw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	yjjlw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	yjjlw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	yjjlw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yjjlw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	yjjlw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	yjjlw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	yjjlw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	yjjlw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	yjjlw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bbygorkllli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	bbygorkllli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	yjjlw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	yjjlw.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_999637725d06c4657eabffc5618ff29b.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
  "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_999637725d06c4657eabffc5618ff29b.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:5060
- - C:\Users\Admin\AppData\Local\Temp\yjjlw.exe
    "C:\Users\Admin\AppData\Local\Temp\yjjlw.exe" "-C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:2760
- - C:\Users\Admin\AppData\Local\Temp\yjjlw.exe
    "C:\Users\Admin\AppData\Local\Temp\yjjlw.exe" "-C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wvjzynjbpmpxcsituda.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Windows\wvjzynjbpmpxcsituda.exe
  wvjzynjbpmpxcsituda.exe
  2⤵
  - Executes dropped EXE
  PID:4500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wvjzynjbpmpxcsituda.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:4568
- C:\Windows\wvjzynjbpmpxcsituda.exe
  wvjzynjbpmpxcsituda.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1592
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\wvjzynjbpmpxcsituda.exe*."
    3⤵
    - Executes dropped EXE
    PID:3000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjyppfcvkimvbsjvxhff.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Windows\jjyppfcvkimvbsjvxhff.exe
  jjyppfcvkimvbsjvxhff.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yzphizxrhglvcumzcnmnd.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:3808
- C:\Windows\yzphizxrhglvcumzcnmnd.exe
  yzphizxrhglvcumzcnmnd.exe .
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3168
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\yzphizxrhglvcumzcnmnd.exe*."
    3⤵
    - Executes dropped EXE
    PID:2312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1596
- C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
  C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
  2⤵
  - Executes dropped EXE
  PID:1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:4156
- C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe
  C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\wvjzynjbpmpxcsituda.exe*."
    3⤵
    - Executes dropped EXE
    PID:4064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3224
- C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe .
1⤵
PID:1688
- C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe
  C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe .
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3344
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\jjyppfcvkimvbsjvxhff.exe*."
    3⤵
    - Executes dropped EXE
    PID:2472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wvjzynjbpmpxcsituda.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4628
- C:\Windows\wvjzynjbpmpxcsituda.exe
  wvjzynjbpmpxcsituda.exe
  2⤵
  - Executes dropped EXE
  PID:3656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yzphizxrhglvcumzcnmnd.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4752
- C:\Windows\yzphizxrhglvcumzcnmnd.exe
  yzphizxrhglvcumzcnmnd.exe
  2⤵
  - Executes dropped EXE
  PID:4632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vrcplxqfqkkprerz.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:872
- C:\Windows\vrcplxqfqkkprerz.exe
  vrcplxqfqkkprerz.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3580
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\vrcplxqfqkkprerz.exe*."
    3⤵
    - Executes dropped EXE
    PID:948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yzphizxrhglvcumzcnmnd.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:4684
- C:\Windows\yzphizxrhglvcumzcnmnd.exe
  yzphizxrhglvcumzcnmnd.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\yzphizxrhglvcumzcnmnd.exe*."
    3⤵
    - Executes dropped EXE
    PID:2976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vrcplxqfqkkprerz.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3492
- C:\Windows\vrcplxqfqkkprerz.exe
  vrcplxqfqkkprerz.exe
  2⤵
  - Executes dropped EXE
  PID:4004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjyppfcvkimvbsjvxhff.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3684
- C:\Windows\jjyppfcvkimvbsjvxhff.exe
  jjyppfcvkimvbsjvxhff.exe
  2⤵
  - Executes dropped EXE
  PID:2100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjyppfcvkimvbsjvxhff.exe .
1⤵
PID:3956
- C:\Windows\jjyppfcvkimvbsjvxhff.exe
  jjyppfcvkimvbsjvxhff.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2148
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\jjyppfcvkimvbsjvxhff.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c czlzwjdtfabhkymvu.exe .
1⤵
PID:2312
- C:\Windows\czlzwjdtfabhkymvu.exe
  czlzwjdtfabhkymvu.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3600
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\czlzwjdtfabhkymvu.exe*."
    3⤵
    - Executes dropped EXE
    PID:4948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
1⤵
PID:3068
- C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
  2⤵
  - Executes dropped EXE
  PID:4784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
1⤵
PID:384
- C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
  C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
  2⤵
  - Executes dropped EXE
  PID:4444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe .
1⤵
PID:1828
- C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe
  C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:5092
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\jjyppfcvkimvbsjvxhff.exe*."
    3⤵
    - Executes dropped EXE
    PID:3580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe .
1⤵
PID:3412
- C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4336
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ljwljxsjwsubfujttb.exe*."
    3⤵
    - Executes dropped EXE
    PID:4852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
1⤵
PID:2988
- C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
  2⤵
  - Executes dropped EXE
  PID:924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
1⤵
PID:1584
- C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
  2⤵
  - Executes dropped EXE
  PID:4568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe .
1⤵
PID:4664
- C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe
  C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4684
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\wvjzynjbpmpxcsituda.exe*."
    3⤵
    - Executes dropped EXE
    PID:2264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe .
1⤵
PID:1416
- C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe
  C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4332
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\jjyppfcvkimvbsjvxhff.exe*."
    3⤵
    - Executes dropped EXE
    PID:2192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yzphizxrhglvcumzcnmnd.exe
1⤵
PID:2920
- C:\Windows\yzphizxrhglvcumzcnmnd.exe
  yzphizxrhglvcumzcnmnd.exe
  2⤵
  - Executes dropped EXE
  PID:1080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wvjzynjbpmpxcsituda.exe .
1⤵
PID:380
- C:\Windows\wvjzynjbpmpxcsituda.exe
  wvjzynjbpmpxcsituda.exe .
  2⤵
  - Executes dropped EXE
  PID:4164
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\wvjzynjbpmpxcsituda.exe*."
    3⤵
    - Executes dropped EXE
    PID:4172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ljwljxsjwsubfujttb.exe
1⤵
PID:2504
- C:\Windows\ljwljxsjwsubfujttb.exe
  ljwljxsjwsubfujttb.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ljwljxsjwsubfujttb.exe .
1⤵
PID:2320
- C:\Windows\ljwljxsjwsubfujttb.exe
  ljwljxsjwsubfujttb.exe .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2744
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ljwljxsjwsubfujttb.exe*."
    3⤵
    - Executes dropped EXE
    PID:1596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
1⤵
PID:1424
- C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
  C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
  2⤵
  - Executes dropped EXE
  PID:4948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe .
1⤵
PID:4336
- C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
  C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4124
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\yzphizxrhglvcumzcnmnd.exe*."
    3⤵
    - Executes dropped EXE
    PID:228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
1⤵
PID:1728
- C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
  2⤵
  - Executes dropped EXE
  PID:4120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe .
1⤵
PID:3464
- C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1140
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\czlzwjdtfabhkymvu.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ljwljxsjwsubfujttb.exe
1⤵
PID:2264
- C:\Windows\ljwljxsjwsubfujttb.exe
  ljwljxsjwsubfujttb.exe
  2⤵
  - Executes dropped EXE
  PID:1492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ljwljxsjwsubfujttb.exe
1⤵
PID:3168
- C:\Windows\ljwljxsjwsubfujttb.exe
  ljwljxsjwsubfujttb.exe
  2⤵
  - Executes dropped EXE
  PID:1212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yzphizxrhglvcumzcnmnd.exe
1⤵
PID:2192
- C:\Windows\yzphizxrhglvcumzcnmnd.exe
  yzphizxrhglvcumzcnmnd.exe
  2⤵
  - Executes dropped EXE
  PID:848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c czlzwjdtfabhkymvu.exe .
1⤵
PID:3864
- C:\Windows\czlzwjdtfabhkymvu.exe
  czlzwjdtfabhkymvu.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3068
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\czlzwjdtfabhkymvu.exe*."
    3⤵
    - Executes dropped EXE
    PID:3268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjyppfcvkimvbsjvxhff.exe .
1⤵
PID:1808
- C:\Windows\jjyppfcvkimvbsjvxhff.exe
  jjyppfcvkimvbsjvxhff.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3552
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\jjyppfcvkimvbsjvxhff.exe*."
    3⤵
    - Executes dropped EXE
    PID:4124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wvjzynjbpmpxcsituda.exe .
1⤵
PID:3636
- C:\Windows\wvjzynjbpmpxcsituda.exe
  wvjzynjbpmpxcsituda.exe .
  2⤵
  - Executes dropped EXE
  PID:2744
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\wvjzynjbpmpxcsituda.exe*."
    3⤵
    - Executes dropped EXE
    PID:2164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjyppfcvkimvbsjvxhff.exe
1⤵
PID:4212
- C:\Windows\jjyppfcvkimvbsjvxhff.exe
  jjyppfcvkimvbsjvxhff.exe
  2⤵
  - Executes dropped EXE
  PID:1664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c czlzwjdtfabhkymvu.exe .
1⤵
PID:3876
- C:\Windows\czlzwjdtfabhkymvu.exe
  czlzwjdtfabhkymvu.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4668
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\czlzwjdtfabhkymvu.exe*."
    3⤵
    PID:3312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wvjzynjbpmpxcsituda.exe
1⤵
PID:3600
- C:\Windows\wvjzynjbpmpxcsituda.exe
  wvjzynjbpmpxcsituda.exe
  2⤵
  - Executes dropped EXE
  PID:1316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c czlzwjdtfabhkymvu.exe
1⤵
PID:4608
- C:\Windows\czlzwjdtfabhkymvu.exe
  czlzwjdtfabhkymvu.exe
  2⤵
  - Executes dropped EXE
  PID:4784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe
1⤵
PID:3508
- C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe
  C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe
  2⤵
  PID:4624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ljwljxsjwsubfujttb.exe .
1⤵
PID:4992
- C:\Windows\ljwljxsjwsubfujttb.exe
  ljwljxsjwsubfujttb.exe .
  2⤵
  - Checks computer location settings
  PID:4740
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ljwljxsjwsubfujttb.exe*."
    3⤵
    PID:1212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ljwljxsjwsubfujttb.exe .
1⤵
PID:4500
- C:\Windows\ljwljxsjwsubfujttb.exe
  ljwljxsjwsubfujttb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2200
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ljwljxsjwsubfujttb.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe .
1⤵
PID:3568
- C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:232
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\vrcplxqfqkkprerz.exe*."
    3⤵
    PID:4460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
1⤵
PID:1064
- C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
  2⤵
  PID:1008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
1⤵
PID:2128
- C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
  2⤵
  PID:4524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe .
1⤵
PID:4220
- C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe .
  2⤵
  PID:1804
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\czlzwjdtfabhkymvu.exe*."
    3⤵
    PID:3508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe .
1⤵
PID:2608
- C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe .
  2⤵
  - Checks computer location settings
  PID:4444
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\czlzwjdtfabhkymvu.exe*."
    3⤵
    PID:872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
1⤵
PID:5028
- C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
  C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
  2⤵
  PID:1908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe
1⤵
PID:932
- C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe
  C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe
  2⤵
  PID:1984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe .
1⤵
PID:384
- C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe
  C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2876
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\wvjzynjbpmpxcsituda.exe*."
    3⤵
    PID:1140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
1⤵
PID:2424
- C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
  2⤵
  PID:2676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe .
1⤵
PID:4700
- C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe
  C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1588
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\wvjzynjbpmpxcsituda.exe*."
    3⤵
    PID:4684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe .
1⤵
PID:2296
- C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe
  C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe .
  2⤵
  - Checks computer location settings
  PID:2504
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\wvjzynjbpmpxcsituda.exe*."
    3⤵
    PID:4724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c czlzwjdtfabhkymvu.exe
1⤵
PID:3828
- C:\Windows\czlzwjdtfabhkymvu.exe
  czlzwjdtfabhkymvu.exe
  2⤵
  PID:3684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:4740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c czlzwjdtfabhkymvu.exe .
1⤵
PID:1472
- C:\Windows\czlzwjdtfabhkymvu.exe
  czlzwjdtfabhkymvu.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4004
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\czlzwjdtfabhkymvu.exe*."
    3⤵
    PID:4996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ljwljxsjwsubfujttb.exe
1⤵
PID:4512
- C:\Windows\ljwljxsjwsubfujttb.exe
  ljwljxsjwsubfujttb.exe
  2⤵
  PID:5052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ljwljxsjwsubfujttb.exe .
1⤵
PID:4332
- C:\Windows\ljwljxsjwsubfujttb.exe
  ljwljxsjwsubfujttb.exe .
  2⤵
  PID:4608
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ljwljxsjwsubfujttb.exe*."
    3⤵
    PID:392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
1⤵
PID:1768
- C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
  C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
  2⤵
  PID:4216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe .
1⤵
PID:1008
- C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe
  C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe .
  2⤵
  - Checks computer location settings
  PID:2796
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\wvjzynjbpmpxcsituda.exe*."
    3⤵
    PID:1868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
1⤵
PID:1448
- C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
  C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
  2⤵
  PID:760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe .
1⤵
PID:3460
- C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe
  C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe .
  2⤵
  - Checks computer location settings
  PID:1380
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\jjyppfcvkimvbsjvxhff.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vrcplxqfqkkprerz.exe
1⤵
PID:4108
- C:\Windows\vrcplxqfqkkprerz.exe
  vrcplxqfqkkprerz.exe
  2⤵
  PID:1460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vrcplxqfqkkprerz.exe .
1⤵
PID:3328
- C:\Windows\vrcplxqfqkkprerz.exe
  vrcplxqfqkkprerz.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2472
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\vrcplxqfqkkprerz.exe*."
    3⤵
    PID:2848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjyppfcvkimvbsjvxhff.exe
1⤵
PID:2988
- C:\Windows\jjyppfcvkimvbsjvxhff.exe
  jjyppfcvkimvbsjvxhff.exe
  2⤵
  PID:3948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c czlzwjdtfabhkymvu.exe .
1⤵
PID:4664
- C:\Windows\czlzwjdtfabhkymvu.exe
  czlzwjdtfabhkymvu.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1920
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\czlzwjdtfabhkymvu.exe*."
    3⤵
    PID:2712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
1⤵
PID:4164
- C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
  C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
  2⤵
  PID:2676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe .
1⤵
PID:848
- C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe
  C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe .
  2⤵
  PID:4608
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\jjyppfcvkimvbsjvxhff.exe*."
    3⤵
    PID:3636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe
1⤵
PID:2976
- C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe
  2⤵
  PID:384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe .
1⤵
PID:448
- C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2424
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\vrcplxqfqkkprerz.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ljwljxsjwsubfujttb.exe
1⤵
PID:1992
- C:\Windows\ljwljxsjwsubfujttb.exe
  ljwljxsjwsubfujttb.exe
  2⤵
  PID:1240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vrcplxqfqkkprerz.exe .
1⤵
PID:2504
- C:\Windows\vrcplxqfqkkprerz.exe
  vrcplxqfqkkprerz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2840
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\vrcplxqfqkkprerz.exe*."
    3⤵
    PID:184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjyppfcvkimvbsjvxhff.exe
1⤵
PID:4764
- C:\Windows\jjyppfcvkimvbsjvxhff.exe
  jjyppfcvkimvbsjvxhff.exe
  2⤵
  PID:3004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wvjzynjbpmpxcsituda.exe .
1⤵
PID:4888
- C:\Windows\wvjzynjbpmpxcsituda.exe
  wvjzynjbpmpxcsituda.exe .
  2⤵
  - Checks computer location settings
  PID:5116
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\wvjzynjbpmpxcsituda.exe*."
    3⤵
    PID:5056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe
1⤵
PID:4948
- C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe
  C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe
  2⤵
  PID:3984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe .
1⤵
PID:1312
- C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe
  C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe .
  2⤵
  PID:2596
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\jjyppfcvkimvbsjvxhff.exe*."
    3⤵
    PID:3508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
1⤵
PID:4500
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4444
- C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
  2⤵
  PID:3412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe .
1⤵
PID:4916
- C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe .
  2⤵
  PID:3620
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\vrcplxqfqkkprerz.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjyppfcvkimvbsjvxhff.exe
1⤵
PID:3656
- C:\Windows\jjyppfcvkimvbsjvxhff.exe
  jjyppfcvkimvbsjvxhff.exe
  2⤵
  PID:1108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yzphizxrhglvcumzcnmnd.exe .
1⤵
PID:4100
- C:\Windows\yzphizxrhglvcumzcnmnd.exe
  yzphizxrhglvcumzcnmnd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4556
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\yzphizxrhglvcumzcnmnd.exe*."
    3⤵
    PID:1740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wvjzynjbpmpxcsituda.exe
1⤵
PID:2044
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2976
- C:\Windows\wvjzynjbpmpxcsituda.exe
  wvjzynjbpmpxcsituda.exe
  2⤵
  PID:3492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vrcplxqfqkkprerz.exe .
1⤵
PID:1708
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4172
- C:\Windows\vrcplxqfqkkprerz.exe
  vrcplxqfqkkprerz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2296
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\vrcplxqfqkkprerz.exe*."
    3⤵
    PID:4440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
1⤵
PID:3388
- C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
  C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
  2⤵
  PID:2884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe .
1⤵
PID:1396
- C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe .
  2⤵
  - Checks computer location settings
  PID:184
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\czlzwjdtfabhkymvu.exe*."
    3⤵
    PID:1992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe
1⤵
PID:2948
- C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe
  C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe
  2⤵
  PID:1460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe .
1⤵
PID:2472
- C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1612
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ljwljxsjwsubfujttb.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjyppfcvkimvbsjvxhff.exe
1⤵
PID:232
- C:\Windows\jjyppfcvkimvbsjvxhff.exe
  jjyppfcvkimvbsjvxhff.exe
  2⤵
  PID:1968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vrcplxqfqkkprerz.exe .
1⤵
PID:4660
- C:\Windows\vrcplxqfqkkprerz.exe
  vrcplxqfqkkprerz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1780
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\vrcplxqfqkkprerz.exe*."
    3⤵
    PID:1752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vrcplxqfqkkprerz.exe
1⤵
PID:1540
- C:\Windows\vrcplxqfqkkprerz.exe
  vrcplxqfqkkprerz.exe
  2⤵
  PID:4664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vrcplxqfqkkprerz.exe .
1⤵
PID:2148
- C:\Windows\vrcplxqfqkkprerz.exe
  vrcplxqfqkkprerz.exe .
  2⤵
  PID:4188
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\vrcplxqfqkkprerz.exe*."
    3⤵
    PID:1036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
1⤵
PID:4504
- C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
  2⤵
  PID:3464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe .
1⤵
PID:4212
- C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe
  C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4668
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\jjyppfcvkimvbsjvxhff.exe*."
    3⤵
    PID:1868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
1⤵
PID:4624
- C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
  2⤵
  PID:1060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe .
1⤵
PID:2384
- C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe
  C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2996
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\wvjzynjbpmpxcsituda.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yzphizxrhglvcumzcnmnd.exe
1⤵
PID:916
- C:\Windows\yzphizxrhglvcumzcnmnd.exe
  yzphizxrhglvcumzcnmnd.exe
  2⤵
  PID:3600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjyppfcvkimvbsjvxhff.exe .
1⤵
PID:3368
- C:\Windows\jjyppfcvkimvbsjvxhff.exe
  jjyppfcvkimvbsjvxhff.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4328
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\jjyppfcvkimvbsjvxhff.exe*."
    3⤵
    PID:1744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wvjzynjbpmpxcsituda.exe
1⤵
PID:2700
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2712
- C:\Windows\wvjzynjbpmpxcsituda.exe
  wvjzynjbpmpxcsituda.exe
  2⤵
  PID:3984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ljwljxsjwsubfujttb.exe .
1⤵
PID:4008
- C:\Windows\ljwljxsjwsubfujttb.exe
  ljwljxsjwsubfujttb.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3508
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ljwljxsjwsubfujttb.exe*."
    3⤵
    PID:4996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
1⤵
PID:2264
- C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
  C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
  2⤵
  PID:740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe .
1⤵
PID:3412
- C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1752
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\czlzwjdtfabhkymvu.exe*."
    3⤵
    PID:4628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
1⤵
PID:2988
- C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
  2⤵
  PID:4512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe .
1⤵
PID:1008
- C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe
  C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe .
  2⤵
  PID:1836
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\jjyppfcvkimvbsjvxhff.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:3212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ljwljxsjwsubfujttb.exe
1⤵
PID:1472
- C:\Windows\ljwljxsjwsubfujttb.exe
  ljwljxsjwsubfujttb.exe
  2⤵
  PID:2520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ljwljxsjwsubfujttb.exe
1⤵
PID:2332
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:848
- C:\Windows\ljwljxsjwsubfujttb.exe
  ljwljxsjwsubfujttb.exe
  2⤵
  PID:1808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c czlzwjdtfabhkymvu.exe .
1⤵
PID:4100
- C:\Windows\czlzwjdtfabhkymvu.exe
  czlzwjdtfabhkymvu.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2564
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\czlzwjdtfabhkymvu.exe*."
    3⤵
    PID:3384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c czlzwjdtfabhkymvu.exe .
1⤵
PID:4484
- C:\Windows\czlzwjdtfabhkymvu.exe
  czlzwjdtfabhkymvu.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3148
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\czlzwjdtfabhkymvu.exe*."
    3⤵
    PID:1332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vrcplxqfqkkprerz.exe
1⤵
PID:388
- C:\Windows\vrcplxqfqkkprerz.exe
  vrcplxqfqkkprerz.exe
  2⤵
  PID:2280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjyppfcvkimvbsjvxhff.exe
1⤵
PID:2384
- C:\Windows\jjyppfcvkimvbsjvxhff.exe
  jjyppfcvkimvbsjvxhff.exe
  2⤵
  PID:2608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjyppfcvkimvbsjvxhff.exe
1⤵
PID:4700
- C:\Windows\jjyppfcvkimvbsjvxhff.exe
  jjyppfcvkimvbsjvxhff.exe
  2⤵
  PID:1860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c czlzwjdtfabhkymvu.exe .
1⤵
PID:4360
- C:\Windows\czlzwjdtfabhkymvu.exe
  czlzwjdtfabhkymvu.exe .
  2⤵
  - Checks computer location settings
  PID:5028
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\czlzwjdtfabhkymvu.exe*."
    3⤵
    PID:2564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c czlzwjdtfabhkymvu.exe .
1⤵
PID:1612
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1804
- C:\Windows\czlzwjdtfabhkymvu.exe
  czlzwjdtfabhkymvu.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1032
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\czlzwjdtfabhkymvu.exe*."
    3⤵
    PID:1860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c czlzwjdtfabhkymvu.exe .
1⤵
PID:4392
- C:\Windows\czlzwjdtfabhkymvu.exe
  czlzwjdtfabhkymvu.exe .
  2⤵
  - Checks computer location settings
  PID:1868
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\czlzwjdtfabhkymvu.exe*."
    3⤵
    PID:4660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
1⤵
PID:1708
- C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
  2⤵
  PID:1808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
1⤵
PID:4604
- C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
  2⤵
  PID:752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe .
1⤵
PID:2248
- C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe .
  2⤵
  PID:4872
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\czlzwjdtfabhkymvu.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe .
1⤵
PID:2624
- C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe
  C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe .
  2⤵
  PID:4328
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\wvjzynjbpmpxcsituda.exe*."
    3⤵
    PID:2320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ljwljxsjwsubfujttb.exe
1⤵
PID:3416
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3312
- C:\Windows\ljwljxsjwsubfujttb.exe
  ljwljxsjwsubfujttb.exe
  2⤵
  PID:2320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c czlzwjdtfabhkymvu.exe .
1⤵
PID:2240
- C:\Windows\czlzwjdtfabhkymvu.exe
  czlzwjdtfabhkymvu.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3060
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\czlzwjdtfabhkymvu.exe*."
    3⤵
    PID:4500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
1⤵
PID:448
- C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
  2⤵
  PID:2468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe
1⤵
PID:4504
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1036
- C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe
  2⤵
  PID:4672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
1⤵
PID:1620
- C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
  2⤵
  PID:4460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe .
1⤵
PID:1444
- C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe .
  2⤵
  - Checks computer location settings
  PID:3420
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\vrcplxqfqkkprerz.exe*."
    3⤵
    PID:3828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe .
1⤵
PID:4240
- C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
  C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3392
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\yzphizxrhglvcumzcnmnd.exe*."
    3⤵
    PID:3212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe .
1⤵
PID:788
- C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe
  C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1688
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\jjyppfcvkimvbsjvxhff.exe*."
    3⤵
    PID:3460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
1⤵
PID:4440
- C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
  2⤵
  PID:1664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe .
1⤵
PID:2052
- C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe .
  2⤵
  - Checks computer location settings
  PID:4484
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\czlzwjdtfabhkymvu.exe*."
    3⤵
    PID:2504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ljwljxsjwsubfujttb.exe
1⤵
PID:2264
- C:\Windows\ljwljxsjwsubfujttb.exe
  ljwljxsjwsubfujttb.exe
  2⤵
  PID:2320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vrcplxqfqkkprerz.exe .
1⤵
PID:4004
- C:\Windows\vrcplxqfqkkprerz.exe
  vrcplxqfqkkprerz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3492
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\vrcplxqfqkkprerz.exe*."
    3⤵
    PID:2920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjyppfcvkimvbsjvxhff.exe
1⤵
PID:2940
- C:\Windows\jjyppfcvkimvbsjvxhff.exe
  jjyppfcvkimvbsjvxhff.exe
  2⤵
  PID:3224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c czlzwjdtfabhkymvu.exe .
1⤵
PID:5112
- C:\Windows\czlzwjdtfabhkymvu.exe
  czlzwjdtfabhkymvu.exe .
  2⤵
  PID:4700
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\czlzwjdtfabhkymvu.exe*."
    3⤵
    PID:4496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
1⤵
PID:4120
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2200
- C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
  C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
  2⤵
  PID:2988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe .
1⤵
PID:5024
- C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4108
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ljwljxsjwsubfujttb.exe*."
    3⤵
    PID:2424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
1⤵
PID:2272
- C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
  2⤵
  PID:2796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe .
1⤵
PID:1304
- C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe
  C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe .
  2⤵
  - Checks computer location settings
  PID:4088
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\jjyppfcvkimvbsjvxhff.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c czlzwjdtfabhkymvu.exe
1⤵
PID:2332
- C:\Windows\czlzwjdtfabhkymvu.exe
  czlzwjdtfabhkymvu.exe
  2⤵
  PID:3864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjyppfcvkimvbsjvxhff.exe .
1⤵
PID:4488
- C:\Windows\jjyppfcvkimvbsjvxhff.exe
  jjyppfcvkimvbsjvxhff.exe .
  2⤵
  - Checks computer location settings
  PID:4484
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\jjyppfcvkimvbsjvxhff.exe*."
    3⤵
    PID:4800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wvjzynjbpmpxcsituda.exe
1⤵
PID:3144
- C:\Windows\wvjzynjbpmpxcsituda.exe
  wvjzynjbpmpxcsituda.exe
  2⤵
  PID:1968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yzphizxrhglvcumzcnmnd.exe .
1⤵
PID:3848
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2840
- C:\Windows\yzphizxrhglvcumzcnmnd.exe
  yzphizxrhglvcumzcnmnd.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2876
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\yzphizxrhglvcumzcnmnd.exe*."
    3⤵
    PID:4004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
1⤵
PID:788
- C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
  2⤵
  PID:2180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe .
1⤵
PID:3464
- C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4220
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\vrcplxqfqkkprerz.exe*."
    3⤵
    PID:1576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
1⤵
PID:2596
- C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
  2⤵
  PID:2128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe .
1⤵
PID:2248
- C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
  C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe .
  2⤵
  - Checks computer location settings
  PID:3792
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\yzphizxrhglvcumzcnmnd.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vrcplxqfqkkprerz.exe
1⤵
PID:3656
- C:\Windows\vrcplxqfqkkprerz.exe
  vrcplxqfqkkprerz.exe
  2⤵
  PID:4008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c czlzwjdtfabhkymvu.exe .
1⤵
PID:3012
- C:\Windows\czlzwjdtfabhkymvu.exe
  czlzwjdtfabhkymvu.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:112
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\czlzwjdtfabhkymvu.exe*."
    3⤵
    PID:3460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vrcplxqfqkkprerz.exe
1⤵
PID:4924
- C:\Windows\vrcplxqfqkkprerz.exe
  vrcplxqfqkkprerz.exe
  2⤵
  PID:5104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ljwljxsjwsubfujttb.exe .
1⤵
PID:404
- C:\Windows\ljwljxsjwsubfujttb.exe
  ljwljxsjwsubfujttb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1968
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ljwljxsjwsubfujttb.exe*."
    3⤵
    PID:4480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe
1⤵
PID:2676
- C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe
  C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe
  2⤵
  PID:3492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe .
1⤵
PID:2180
- C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe
  C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1460
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\wvjzynjbpmpxcsituda.exe*."
    3⤵
    PID:2312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
1⤵
PID:2280
- C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
  2⤵
  PID:2940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe .
1⤵
PID:3828
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1588
- C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe
  C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe .
  2⤵
  - Checks computer location settings
  PID:1752
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\jjyppfcvkimvbsjvxhff.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ljwljxsjwsubfujttb.exe
1⤵
PID:4660
- C:\Windows\ljwljxsjwsubfujttb.exe
  ljwljxsjwsubfujttb.exe
  2⤵
  PID:2884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wvjzynjbpmpxcsituda.exe .
1⤵
PID:1108
- C:\Windows\wvjzynjbpmpxcsituda.exe
  wvjzynjbpmpxcsituda.exe .
  2⤵
  PID:2996
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\wvjzynjbpmpxcsituda.exe*."
    3⤵
    PID:3172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ljwljxsjwsubfujttb.exe
1⤵
PID:1860
- C:\Windows\ljwljxsjwsubfujttb.exe
  ljwljxsjwsubfujttb.exe
  2⤵
  PID:3556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjyppfcvkimvbsjvxhff.exe .
1⤵
PID:4568
- C:\Windows\jjyppfcvkimvbsjvxhff.exe
  jjyppfcvkimvbsjvxhff.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2936
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\jjyppfcvkimvbsjvxhff.exe*."
    3⤵
    PID:3460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
1⤵
PID:2164
- C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
  2⤵
  PID:1316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe .
1⤵
PID:1904
- C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe .
  2⤵
  - Checks computer location settings
  PID:388
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\vrcplxqfqkkprerz.exe*."
    3⤵
    PID:5104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe
1⤵
PID:3684
- C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe
  2⤵
  PID:4696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe .
1⤵
PID:2452
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3492
- C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe .
  2⤵
  PID:4240
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\czlzwjdtfabhkymvu.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ljwljxsjwsubfujttb.exe
1⤵
PID:1916
- C:\Windows\ljwljxsjwsubfujttb.exe
  ljwljxsjwsubfujttb.exe
  2⤵
  PID:3876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yzphizxrhglvcumzcnmnd.exe .
1⤵
PID:4004
- C:\Windows\yzphizxrhglvcumzcnmnd.exe
  yzphizxrhglvcumzcnmnd.exe .
  2⤵
  - Checks computer location settings
  PID:1380
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\yzphizxrhglvcumzcnmnd.exe*."
    3⤵
    PID:4592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vrcplxqfqkkprerz.exe
1⤵
PID:3148
- C:\Windows\vrcplxqfqkkprerz.exe
  vrcplxqfqkkprerz.exe
  2⤵
  PID:3328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vrcplxqfqkkprerz.exe .
1⤵
PID:3236
- C:\Windows\vrcplxqfqkkprerz.exe
  vrcplxqfqkkprerz.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2628
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\vrcplxqfqkkprerz.exe*."
    3⤵
    PID:924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe
1⤵
PID:872
- C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe
  C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe
  2⤵
  PID:2472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe .
1⤵
PID:1920
- C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1860
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\vrcplxqfqkkprerz.exe*."
    3⤵
    PID:2296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe
1⤵
PID:3656
- C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe
  C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe
  2⤵
  PID:724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe .
1⤵
PID:4740
- C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3708
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ljwljxsjwsubfujttb.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjyppfcvkimvbsjvxhff.exe
1⤵
PID:4240
- C:\Windows\jjyppfcvkimvbsjvxhff.exe
  jjyppfcvkimvbsjvxhff.exe
  2⤵
  PID:3508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ljwljxsjwsubfujttb.exe .
1⤵
PID:1864
- C:\Windows\ljwljxsjwsubfujttb.exe
  ljwljxsjwsubfujttb.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4328
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ljwljxsjwsubfujttb.exe*."
    3⤵
    PID:3312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yzphizxrhglvcumzcnmnd.exe
1⤵
PID:4728
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3948
- C:\Windows\yzphizxrhglvcumzcnmnd.exe
  yzphizxrhglvcumzcnmnd.exe
  2⤵
  PID:2468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wvjzynjbpmpxcsituda.exe .
1⤵
PID:3732
- C:\Windows\wvjzynjbpmpxcsituda.exe
  wvjzynjbpmpxcsituda.exe .
  2⤵
  - Checks computer location settings
  PID:1472
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\wvjzynjbpmpxcsituda.exe*."
    3⤵
    PID:1540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe
1⤵
PID:2280
- C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe
  C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe
  2⤵
  PID:2272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe .
1⤵
PID:4852
- C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe .
  2⤵
  PID:1220
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ljwljxsjwsubfujttb.exe*."
    3⤵
    PID:4500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ljwljxsjwsubfujttb.exe
1⤵
PID:1924
- C:\Windows\ljwljxsjwsubfujttb.exe
  ljwljxsjwsubfujttb.exe
  2⤵
  PID:1828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe
1⤵
PID:112
- C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe
  2⤵
  PID:3564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjyppfcvkimvbsjvxhff.exe
1⤵
PID:1108
- C:\Windows\jjyppfcvkimvbsjvxhff.exe
  jjyppfcvkimvbsjvxhff.exe
  2⤵
  PID:856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe .
1⤵
PID:2596
- C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe
  C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1212
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\wvjzynjbpmpxcsituda.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c czlzwjdtfabhkymvu.exe .
1⤵
PID:1976
- C:\Windows\czlzwjdtfabhkymvu.exe
  czlzwjdtfabhkymvu.exe .
  2⤵
  - Checks computer location settings
  PID:5028
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\czlzwjdtfabhkymvu.exe*."
    3⤵
    PID:1864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c czlzwjdtfabhkymvu.exe .
1⤵
PID:1044
- C:\Windows\czlzwjdtfabhkymvu.exe
  czlzwjdtfabhkymvu.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:404
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\czlzwjdtfabhkymvu.exe*."
    3⤵
    PID:2884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vrcplxqfqkkprerz.exe
1⤵
PID:4164
- C:\Windows\vrcplxqfqkkprerz.exe
  vrcplxqfqkkprerz.exe
  2⤵
  PID:2132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjyppfcvkimvbsjvxhff.exe .
1⤵
PID:3552
- C:\Windows\jjyppfcvkimvbsjvxhff.exe
  jjyppfcvkimvbsjvxhff.exe .
  2⤵
  - Checks computer location settings
  PID:368
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\jjyppfcvkimvbsjvxhff.exe*."
    3⤵
    PID:3312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wvjzynjbpmpxcsituda.exe
1⤵
PID:3188
- C:\Windows\wvjzynjbpmpxcsituda.exe
  wvjzynjbpmpxcsituda.exe
  2⤵
  PID:448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
1⤵
PID:3212
- C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
  2⤵
  PID:4660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ljwljxsjwsubfujttb.exe .
1⤵
PID:3464
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2424
- C:\Windows\ljwljxsjwsubfujttb.exe
  ljwljxsjwsubfujttb.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3608
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ljwljxsjwsubfujttb.exe*."
    3⤵
    PID:2884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe .
1⤵
PID:2732
- C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3656
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ljwljxsjwsubfujttb.exe*."
    3⤵
    PID:1832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
1⤵
PID:384
- C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
  2⤵
  PID:2164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe .
1⤵
PID:3236
- C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
  C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3124
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\yzphizxrhglvcumzcnmnd.exe*."
    3⤵
    PID:1104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ljwljxsjwsubfujttb.exe
1⤵
PID:4852
- C:\Windows\ljwljxsjwsubfujttb.exe
  ljwljxsjwsubfujttb.exe
  2⤵
  PID:740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
1⤵
PID:3916
- C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
  C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
  2⤵
  PID:4968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vrcplxqfqkkprerz.exe .
1⤵
PID:3068
- C:\Windows\vrcplxqfqkkprerz.exe
  vrcplxqfqkkprerz.exe .
  2⤵
  - Checks computer location settings
  PID:2044
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\vrcplxqfqkkprerz.exe*."
    3⤵
    PID:1612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe
1⤵
PID:4488
- C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe
  2⤵
  PID:4556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe .
1⤵
PID:5104
- C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4724
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\czlzwjdtfabhkymvu.exe*."
    3⤵
    PID:4720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe .
1⤵
PID:4900
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2796
- C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4512
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ljwljxsjwsubfujttb.exe*."
    3⤵
    PID:2296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjyppfcvkimvbsjvxhff.exe
1⤵
PID:1808
- C:\Windows\jjyppfcvkimvbsjvxhff.exe
  jjyppfcvkimvbsjvxhff.exe
  2⤵
  PID:1008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c czlzwjdtfabhkymvu.exe .
1⤵
PID:3512
- C:\Windows\czlzwjdtfabhkymvu.exe
  czlzwjdtfabhkymvu.exe .
  2⤵
  PID:740
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\czlzwjdtfabhkymvu.exe*."
    3⤵
    PID:1976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe
1⤵
PID:4124
- C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe
  2⤵
  PID:2112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe .
1⤵
PID:2164
- C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
  C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe .
  2⤵
  PID:4464
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\yzphizxrhglvcumzcnmnd.exe*."
    3⤵
    PID:984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe
1⤵
PID:1032
- C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe
  C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe
  2⤵
  PID:3340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe .
1⤵
PID:2808
- C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3148
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\vrcplxqfqkkprerz.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ljwljxsjwsubfujttb.exe
1⤵
PID:3644
- C:\Windows\ljwljxsjwsubfujttb.exe
  ljwljxsjwsubfujttb.exe
  2⤵
  PID:4476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wvjzynjbpmpxcsituda.exe .
1⤵
PID:2664
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:760
- C:\Windows\wvjzynjbpmpxcsituda.exe
  wvjzynjbpmpxcsituda.exe .
  2⤵
  - Checks computer location settings
  PID:1416
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\wvjzynjbpmpxcsituda.exe*."
    3⤵
    PID:4668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c czlzwjdtfabhkymvu.exe
1⤵
PID:384
- C:\Windows\czlzwjdtfabhkymvu.exe
  czlzwjdtfabhkymvu.exe
  2⤵
  PID:3864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yzphizxrhglvcumzcnmnd.exe .
1⤵
PID:1612
- C:\Windows\yzphizxrhglvcumzcnmnd.exe
  yzphizxrhglvcumzcnmnd.exe .
  2⤵
  - Checks computer location settings
  PID:3508
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\yzphizxrhglvcumzcnmnd.exe*."
    3⤵
    PID:4124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe
1⤵
PID:5116
- C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe
  C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe
  2⤵
  PID:4740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe .
1⤵
PID:740
- C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe .
  2⤵
  - Checks computer location settings
  PID:972
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ljwljxsjwsubfujttb.exe*."
    3⤵
    PID:1444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
1⤵
PID:2504
- C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
  C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
  2⤵
  PID:4212

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:4004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe .
1⤵
PID:1992
- C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe
  C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1540
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\wvjzynjbpmpxcsituda.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vrcplxqfqkkprerz.exe
1⤵
PID:2732
- C:\Windows\vrcplxqfqkkprerz.exe
  vrcplxqfqkkprerz.exe
  2⤵
  PID:1588

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
- Blocklisted process makes network request
PID:2848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ljwljxsjwsubfujttb.exe .
1⤵
PID:1068
- C:\Windows\ljwljxsjwsubfujttb.exe
  ljwljxsjwsubfujttb.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3644
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ljwljxsjwsubfujttb.exe*."
    3⤵
    PID:4512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wvjzynjbpmpxcsituda.exe
1⤵
PID:528
- C:\Windows\wvjzynjbpmpxcsituda.exe
  wvjzynjbpmpxcsituda.exe
  2⤵
  PID:4800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjyppfcvkimvbsjvxhff.exe .
1⤵
PID:4960
- C:\Windows\jjyppfcvkimvbsjvxhff.exe
  jjyppfcvkimvbsjvxhff.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2460
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\jjyppfcvkimvbsjvxhff.exe*."
    3⤵
    PID:4164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
1⤵
PID:3708
- C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
  2⤵
  PID:3656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe .
1⤵
PID:5116
- C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe
  C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:740
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\jjyppfcvkimvbsjvxhff.exe*."
    3⤵
    PID:3144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe
1⤵
PID:4328
- C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe
  C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe
  2⤵
  PID:1540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe .
1⤵
PID:1312
- C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe
  C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe .
  2⤵
  PID:3388
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\jjyppfcvkimvbsjvxhff.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vrcplxqfqkkprerz.exe
1⤵
PID:5112
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3212
- C:\Windows\vrcplxqfqkkprerz.exe
  vrcplxqfqkkprerz.exe
  2⤵
  PID:916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yzphizxrhglvcumzcnmnd.exe .
1⤵
PID:3540
- C:\Windows\yzphizxrhglvcumzcnmnd.exe
  yzphizxrhglvcumzcnmnd.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3108
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\yzphizxrhglvcumzcnmnd.exe*."
    3⤵
    PID:2996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c czlzwjdtfabhkymvu.exe
1⤵
PID:5056
- C:\Windows\czlzwjdtfabhkymvu.exe
  czlzwjdtfabhkymvu.exe
  2⤵
  PID:2348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yzphizxrhglvcumzcnmnd.exe .
1⤵
PID:2628
- C:\Windows\yzphizxrhglvcumzcnmnd.exe
  yzphizxrhglvcumzcnmnd.exe .
  2⤵
  PID:4192
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\yzphizxrhglvcumzcnmnd.exe*."
    3⤵
    PID:5028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe
1⤵
PID:4792
- C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe
  C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe
  2⤵
  PID:1380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe .
1⤵
PID:4624
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4216
- C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe
  C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe .
  2⤵
  PID:3268
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\wvjzynjbpmpxcsituda.exe*."
    3⤵
    PID:1064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe
1⤵
PID:2240
- C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe
  2⤵
  PID:4404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe .
1⤵
PID:4172
- C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe
  C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe .
  2⤵
  PID:740
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\wvjzynjbpmpxcsituda.exe*."
    3⤵
    PID:1612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjyppfcvkimvbsjvxhff.exe
1⤵
PID:2384
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1664
- C:\Windows\jjyppfcvkimvbsjvxhff.exe
  jjyppfcvkimvbsjvxhff.exe
  2⤵
  PID:3388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vrcplxqfqkkprerz.exe .
1⤵
PID:2456
- C:\Windows\vrcplxqfqkkprerz.exe
  vrcplxqfqkkprerz.exe .
  2⤵
  PID:1744
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\vrcplxqfqkkprerz.exe*."
    3⤵
    PID:1332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c czlzwjdtfabhkymvu.exe
1⤵
PID:4496
- C:\Windows\czlzwjdtfabhkymvu.exe
  czlzwjdtfabhkymvu.exe
  2⤵
  PID:4512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yzphizxrhglvcumzcnmnd.exe .
1⤵
PID:1596
- C:\Windows\yzphizxrhglvcumzcnmnd.exe
  yzphizxrhglvcumzcnmnd.exe .
  2⤵
  PID:2348
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\yzphizxrhglvcumzcnmnd.exe*."
    3⤵
    PID:528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
1⤵
PID:4556
- C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
  2⤵
  PID:4800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe .
1⤵
PID:4724
- C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe .
  2⤵
  PID:4008
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ljwljxsjwsubfujttb.exe*."
    3⤵
    PID:1996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe
1⤵
PID:972
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1108
- C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe
  2⤵
  PID:4124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe .
1⤵
PID:4624
- C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
  C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe .
  2⤵
  PID:1240
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\yzphizxrhglvcumzcnmnd.exe*."
    3⤵
    PID:2416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ljwljxsjwsubfujttb.exe
1⤵
PID:2796
- C:\Windows\ljwljxsjwsubfujttb.exe
  ljwljxsjwsubfujttb.exe
  2⤵
  PID:4480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ljwljxsjwsubfujttb.exe .
1⤵
PID:2172
- C:\Windows\ljwljxsjwsubfujttb.exe
  ljwljxsjwsubfujttb.exe .
  2⤵
  PID:4684
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ljwljxsjwsubfujttb.exe*."
    3⤵
    PID:3860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjyppfcvkimvbsjvxhff.exe
1⤵
PID:4852
- C:\Windows\jjyppfcvkimvbsjvxhff.exe
  jjyppfcvkimvbsjvxhff.exe
  2⤵
  PID:2912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjyppfcvkimvbsjvxhff.exe .
1⤵
PID:2452
- C:\Windows\jjyppfcvkimvbsjvxhff.exe
  jjyppfcvkimvbsjvxhff.exe .
  2⤵
  PID:932
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\jjyppfcvkimvbsjvxhff.exe*."
    3⤵
    PID:2148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
1⤵
PID:1744
- C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
  2⤵
  PID:4872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe .
1⤵
PID:4668
- C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe
  C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe .
  2⤵
  PID:1984
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\jjyppfcvkimvbsjvxhff.exe*."
    3⤵
    PID:2948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe
1⤵
PID:4792
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4800
- C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe
  2⤵
  PID:2312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe .
1⤵
PID:3236
- C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe .
  2⤵
  PID:2880
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\czlzwjdtfabhkymvu.exe*."
    3⤵
    PID:2460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wvjzynjbpmpxcsituda.exe
1⤵
PID:1780
- C:\Windows\wvjzynjbpmpxcsituda.exe
  wvjzynjbpmpxcsituda.exe
  2⤵
  PID:3508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vrcplxqfqkkprerz.exe .
1⤵
PID:3232
- C:\Windows\vrcplxqfqkkprerz.exe
  vrcplxqfqkkprerz.exe .
  2⤵
  PID:3172
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\vrcplxqfqkkprerz.exe*."
    3⤵
    PID:2668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yzphizxrhglvcumzcnmnd.exe
1⤵
PID:4728
- C:\Windows\yzphizxrhglvcumzcnmnd.exe
  yzphizxrhglvcumzcnmnd.exe
  2⤵
  PID:1808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjyppfcvkimvbsjvxhff.exe .
1⤵
PID:3564
- C:\Windows\jjyppfcvkimvbsjvxhff.exe
  jjyppfcvkimvbsjvxhff.exe .
  2⤵
  PID:2504
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\jjyppfcvkimvbsjvxhff.exe*."
    3⤵
    PID:4332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
1⤵
PID:3416
- C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
  2⤵
  PID:1584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe .
1⤵
PID:4484
- C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe .
  2⤵
  PID:984
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\vrcplxqfqkkprerz.exe*."
    3⤵
    PID:1316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c czlzwjdtfabhkymvu.exe
1⤵
PID:1004
- C:\Windows\czlzwjdtfabhkymvu.exe
  czlzwjdtfabhkymvu.exe
  2⤵
  PID:3864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
1⤵
PID:3044
- C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
  2⤵
  PID:1864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe .
1⤵
PID:1752
- C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe .
  2⤵
  PID:3620
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\czlzwjdtfabhkymvu.exe*."
    3⤵
    PID:4660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ljwljxsjwsubfujttb.exe
1⤵
PID:1688
- C:\Windows\ljwljxsjwsubfujttb.exe
  ljwljxsjwsubfujttb.exe
  2⤵
  PID:4148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wvjzynjbpmpxcsituda.exe .
1⤵
PID:3108
- C:\Windows\wvjzynjbpmpxcsituda.exe
  wvjzynjbpmpxcsituda.exe .
  2⤵
  PID:720
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\wvjzynjbpmpxcsituda.exe*."
    3⤵
    PID:3508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ljwljxsjwsubfujttb.exe .
1⤵
PID:2204
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3412
- C:\Windows\ljwljxsjwsubfujttb.exe
  ljwljxsjwsubfujttb.exe .
  2⤵
  PID:4328
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ljwljxsjwsubfujttb.exe*."
    3⤵
    PID:3516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yzphizxrhglvcumzcnmnd.exe
1⤵
PID:4740
- C:\Windows\yzphizxrhglvcumzcnmnd.exe
  yzphizxrhglvcumzcnmnd.exe
  2⤵
  PID:2240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yzphizxrhglvcumzcnmnd.exe .
1⤵
PID:2264
- C:\Windows\yzphizxrhglvcumzcnmnd.exe
  yzphizxrhglvcumzcnmnd.exe .
  2⤵
  PID:2424
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\yzphizxrhglvcumzcnmnd.exe*."
    3⤵
    PID:2996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjyppfcvkimvbsjvxhff.exe
1⤵
PID:4412
- C:\Windows\jjyppfcvkimvbsjvxhff.exe
  jjyppfcvkimvbsjvxhff.exe
  2⤵
  PID:4088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vrcplxqfqkkprerz.exe .
1⤵
PID:1908
- C:\Windows\vrcplxqfqkkprerz.exe
  vrcplxqfqkkprerz.exe .
  2⤵
  PID:3600
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\vrcplxqfqkkprerz.exe*."
    3⤵
    PID:788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
1⤵
PID:4900
- C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
  2⤵
  PID:3476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
1⤵
PID:4920
- C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
  2⤵
  PID:4592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe .
1⤵
PID:4216
- C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe
  C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe .
  2⤵
  PID:1008
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\jjyppfcvkimvbsjvxhff.exe*."
    3⤵
    PID:924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe .
1⤵
PID:3460
- C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe .
  2⤵
  PID:3864
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\vrcplxqfqkkprerz.exe*."
    3⤵
    PID:1832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjyppfcvkimvbsjvxhff.exe
1⤵
PID:1968
- C:\Windows\jjyppfcvkimvbsjvxhff.exe
  jjyppfcvkimvbsjvxhff.exe
  2⤵
  PID:3944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe
1⤵
PID:1860
- C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe
  2⤵
  PID:3068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe .
1⤵
PID:2460
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1744
- C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe .
  2⤵
  PID:3568
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\czlzwjdtfabhkymvu.exe*."
    3⤵
    PID:3708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
1⤵
PID:3148
- C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
  C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
  2⤵
  PID:1044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjyppfcvkimvbsjvxhff.exe .
1⤵
PID:2936
- C:\Windows\jjyppfcvkimvbsjvxhff.exe
  jjyppfcvkimvbsjvxhff.exe .
  2⤵
  PID:3108
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\jjyppfcvkimvbsjvxhff.exe*."
    3⤵
    PID:4120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe .
1⤵
PID:4512
- C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
  C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe .
  2⤵
  PID:2784
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\yzphizxrhglvcumzcnmnd.exe*."
    3⤵
    PID:2880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wvjzynjbpmpxcsituda.exe
1⤵
PID:932
- C:\Windows\wvjzynjbpmpxcsituda.exe
  wvjzynjbpmpxcsituda.exe
  2⤵
  PID:4332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ljwljxsjwsubfujttb.exe .
1⤵
PID:5060
- C:\Windows\ljwljxsjwsubfujttb.exe
  ljwljxsjwsubfujttb.exe .
  2⤵
  PID:2920
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ljwljxsjwsubfujttb.exe*."
    3⤵
    PID:3304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe
1⤵
PID:1380
- C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe
  2⤵
  PID:5024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe .
1⤵
PID:4476
- C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe .
  2⤵
  PID:1004
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\czlzwjdtfabhkymvu.exe*."
    3⤵
    PID:1332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
1⤵
PID:1492
- C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
  C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
  2⤵
  PID:4484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe .
1⤵
PID:4164
- C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe
  C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe .
  2⤵
  PID:3644
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\wvjzynjbpmpxcsituda.exe*."
    3⤵
    PID:3168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yzphizxrhglvcumzcnmnd.exe
1⤵
PID:1992
- C:\Windows\yzphizxrhglvcumzcnmnd.exe
  yzphizxrhglvcumzcnmnd.exe
  2⤵
  PID:3516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjyppfcvkimvbsjvxhff.exe .
1⤵
PID:3416
- C:\Windows\jjyppfcvkimvbsjvxhff.exe
  jjyppfcvkimvbsjvxhff.exe .
  2⤵
  PID:1752
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\jjyppfcvkimvbsjvxhff.exe*."
    3⤵
    PID:1980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wvjzynjbpmpxcsituda.exe
1⤵
PID:636
- C:\Windows\wvjzynjbpmpxcsituda.exe
  wvjzynjbpmpxcsituda.exe
  2⤵
  PID:1036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yzphizxrhglvcumzcnmnd.exe .
1⤵
PID:3108
- C:\Windows\yzphizxrhglvcumzcnmnd.exe
  yzphizxrhglvcumzcnmnd.exe .
  2⤵
  PID:3948
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\yzphizxrhglvcumzcnmnd.exe*."
    3⤵
    PID:1592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe
  C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe
  2⤵
  PID:1612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe .
1⤵
PID:5112
- C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe
  C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe .
  2⤵
  PID:5060
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\wvjzynjbpmpxcsituda.exe*."
    3⤵
    PID:3384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
1⤵
PID:3792
- C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
  C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
  2⤵
  PID:4404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe .
1⤵
PID:2996
- C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe .
  2⤵
  PID:1728
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\vrcplxqfqkkprerz.exe*."
    3⤵
    PID:3656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vrcplxqfqkkprerz.exe
1⤵
PID:2044
- C:\Windows\vrcplxqfqkkprerz.exe
  vrcplxqfqkkprerz.exe
  2⤵
  PID:1620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c czlzwjdtfabhkymvu.exe .
1⤵
PID:1868
- C:\Windows\czlzwjdtfabhkymvu.exe
  czlzwjdtfabhkymvu.exe .
  2⤵
  PID:4568
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\czlzwjdtfabhkymvu.exe*."
    3⤵
    PID:5028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ljwljxsjwsubfujttb.exe
1⤵
PID:4124
- C:\Windows\ljwljxsjwsubfujttb.exe
  ljwljxsjwsubfujttb.exe
  2⤵
  PID:4332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjyppfcvkimvbsjvxhff.exe .
1⤵
PID:3516
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5116
- C:\Windows\jjyppfcvkimvbsjvxhff.exe
  jjyppfcvkimvbsjvxhff.exe .
  2⤵
  PID:3568
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\jjyppfcvkimvbsjvxhff.exe*."
    3⤵
    PID:1740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe
1⤵
PID:4108
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1992
- C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe
  2⤵
  PID:1980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe .
1⤵
PID:4792
- C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
  C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe .
  2⤵
  PID:4740
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\yzphizxrhglvcumzcnmnd.exe*."
    3⤵
    PID:4764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe
1⤵
PID:2248
- C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe
  C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe
  2⤵
  PID:1212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe .
1⤵
PID:3304
- C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe .
  2⤵
  PID:2948
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\vrcplxqfqkkprerz.exe*."
    3⤵
    PID:3476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vrcplxqfqkkprerz.exe
1⤵
PID:3564
- C:\Windows\vrcplxqfqkkprerz.exe
  vrcplxqfqkkprerz.exe
  2⤵
  PID:5112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ljwljxsjwsubfujttb.exe .
1⤵
PID:1332
- C:\Windows\ljwljxsjwsubfujttb.exe
  ljwljxsjwsubfujttb.exe .
  2⤵
  PID:4920
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ljwljxsjwsubfujttb.exe*."
    3⤵
    PID:2596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ljwljxsjwsubfujttb.exe
1⤵
PID:3144
- C:\Windows\ljwljxsjwsubfujttb.exe
  ljwljxsjwsubfujttb.exe
  2⤵
  PID:2352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wvjzynjbpmpxcsituda.exe .
1⤵
PID:2996
- C:\Windows\wvjzynjbpmpxcsituda.exe
  wvjzynjbpmpxcsituda.exe .
  2⤵
  PID:1416
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\wvjzynjbpmpxcsituda.exe*."
    3⤵
    PID:3632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
1⤵
PID:1916
- C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
  C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
  2⤵
  PID:3312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe .
1⤵
PID:5084
- C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe .
  2⤵
  PID:4164
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ljwljxsjwsubfujttb.exe*."
    3⤵
    PID:2132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe
1⤵
PID:1044
- C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe
  C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe
  2⤵
  PID:1472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe .
1⤵
PID:932
- C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe .
  2⤵
  PID:4512
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ljwljxsjwsubfujttb.exe*."
    3⤵
    PID:4700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjyppfcvkimvbsjvxhff.exe
1⤵
PID:4728
- C:\Windows\jjyppfcvkimvbsjvxhff.exe
  jjyppfcvkimvbsjvxhff.exe
  2⤵
  PID:4192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c czlzwjdtfabhkymvu.exe .
1⤵
PID:4140
- C:\Windows\czlzwjdtfabhkymvu.exe
  czlzwjdtfabhkymvu.exe .
  2⤵
  PID:2668
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\czlzwjdtfabhkymvu.exe*."
    3⤵
    PID:3948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c czlzwjdtfabhkymvu.exe
1⤵
PID:5052
- C:\Windows\czlzwjdtfabhkymvu.exe
  czlzwjdtfabhkymvu.exe
  2⤵
  PID:1312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ljwljxsjwsubfujttb.exe .
1⤵
PID:4948
- C:\Windows\ljwljxsjwsubfujttb.exe
  ljwljxsjwsubfujttb.exe .
  2⤵
  PID:5060
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ljwljxsjwsubfujttb.exe*."
    3⤵
    PID:3168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
1⤵
PID:3860
- C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
  C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
  2⤵
  PID:3384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe .
1⤵
PID:404
- C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe
  C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe .
  2⤵
  PID:4920
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\jjyppfcvkimvbsjvxhff.exe*."
    3⤵
    PID:1996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe
1⤵
PID:3056
- C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe
  C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe
  2⤵
  PID:536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe .
1⤵
PID:3144
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3828
- C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe
  C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe .
  2⤵
  PID:4724
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\jjyppfcvkimvbsjvxhff.exe*."
    3⤵
    PID:3340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wvjzynjbpmpxcsituda.exe
1⤵
PID:3680
- C:\Windows\wvjzynjbpmpxcsituda.exe
  wvjzynjbpmpxcsituda.exe
  2⤵
  PID:2468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjyppfcvkimvbsjvxhff.exe .
1⤵
PID:4784
- C:\Windows\jjyppfcvkimvbsjvxhff.exe
  jjyppfcvkimvbsjvxhff.exe .
  2⤵
  PID:4332
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\jjyppfcvkimvbsjvxhff.exe*."
    3⤵
    PID:1520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjyppfcvkimvbsjvxhff.exe
1⤵
PID:2204
- C:\Windows\jjyppfcvkimvbsjvxhff.exe
  jjyppfcvkimvbsjvxhff.exe
  2⤵
  PID:1040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vrcplxqfqkkprerz.exe .
1⤵
PID:1920
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4500
- C:\Windows\vrcplxqfqkkprerz.exe
  vrcplxqfqkkprerz.exe .
  2⤵
  PID:1220
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\vrcplxqfqkkprerz.exe*."
    3⤵
    PID:368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
1⤵
PID:1772
- C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
  2⤵
  PID:4348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe .
1⤵
PID:1304
- C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe .
  2⤵
  PID:2884
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\czlzwjdtfabhkymvu.exe*."
    3⤵
    PID:1976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe
1⤵
PID:2416
- C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe
  C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe
  2⤵
  PID:448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe .
1⤵
PID:3464
- C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
  C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe .
  2⤵
  PID:2320
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\yzphizxrhglvcumzcnmnd.exe*."
    3⤵
    PID:1596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vrcplxqfqkkprerz.exe
1⤵
PID:1316
- C:\Windows\vrcplxqfqkkprerz.exe
  vrcplxqfqkkprerz.exe
  2⤵
  PID:2456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ljwljxsjwsubfujttb.exe .
1⤵
PID:1424
- C:\Windows\ljwljxsjwsubfujttb.exe
  ljwljxsjwsubfujttb.exe .
  2⤵
  PID:3068
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ljwljxsjwsubfujttb.exe*."
    3⤵
    PID:3312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vrcplxqfqkkprerz.exe
1⤵
PID:2352
- C:\Windows\vrcplxqfqkkprerz.exe
  vrcplxqfqkkprerz.exe
  2⤵
  PID:2128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wvjzynjbpmpxcsituda.exe
1⤵
PID:1860
- C:\Windows\wvjzynjbpmpxcsituda.exe
  wvjzynjbpmpxcsituda.exe
  2⤵
  PID:4628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yzphizxrhglvcumzcnmnd.exe .
1⤵
PID:2820
- C:\Windows\yzphizxrhglvcumzcnmnd.exe
  yzphizxrhglvcumzcnmnd.exe .
  2⤵
  PID:3568
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\yzphizxrhglvcumzcnmnd.exe*."
    3⤵
    PID:4192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yzphizxrhglvcumzcnmnd.exe
1⤵
PID:4916
- C:\Windows\yzphizxrhglvcumzcnmnd.exe
  yzphizxrhglvcumzcnmnd.exe
  2⤵
  PID:1752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe
1⤵
PID:4496
- C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe
  2⤵
  PID:1772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yzphizxrhglvcumzcnmnd.exe .
1⤵
PID:4624
- C:\Windows\yzphizxrhglvcumzcnmnd.exe
  yzphizxrhglvcumzcnmnd.exe .
  2⤵
  PID:2784
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\yzphizxrhglvcumzcnmnd.exe*."
    3⤵
    PID:3864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe .
1⤵
PID:4332
- C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe .
  2⤵
  PID:2932
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ljwljxsjwsubfujttb.exe*."
    3⤵
    PID:4484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wvjzynjbpmpxcsituda.exe .
1⤵
PID:4784
- C:\Windows\wvjzynjbpmpxcsituda.exe
  wvjzynjbpmpxcsituda.exe .
  2⤵
  PID:4044
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\wvjzynjbpmpxcsituda.exe*."
    3⤵
    PID:1316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vrcplxqfqkkprerz.exe
1⤵
PID:4880
- C:\Windows\vrcplxqfqkkprerz.exe
  vrcplxqfqkkprerz.exe
  2⤵
  PID:2148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c czlzwjdtfabhkymvu.exe
1⤵
PID:720
- C:\Windows\czlzwjdtfabhkymvu.exe
  czlzwjdtfabhkymvu.exe
  2⤵
  PID:2876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wvjzynjbpmpxcsituda.exe .
1⤵
PID:2012
- C:\Windows\wvjzynjbpmpxcsituda.exe
  wvjzynjbpmpxcsituda.exe .
  2⤵
  PID:1472
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\wvjzynjbpmpxcsituda.exe*."
    3⤵
    PID:368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
1⤵
PID:388
- C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
  2⤵
  PID:112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe
1⤵
PID:3304
- C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe
  2⤵
  PID:4720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c czlzwjdtfabhkymvu.exe .
1⤵
PID:3412
- C:\Windows\czlzwjdtfabhkymvu.exe
  czlzwjdtfabhkymvu.exe .
  2⤵
  PID:1240
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\czlzwjdtfabhkymvu.exe*."
    3⤵
    PID:1916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe .
1⤵
PID:4888
- C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe .
  2⤵
  PID:1584
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\czlzwjdtfabhkymvu.exe*."
    3⤵
    PID:2628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe .
1⤵
PID:528
- C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe
  C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe .
  2⤵
  PID:1768
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\jjyppfcvkimvbsjvxhff.exe*."
    3⤵
    PID:2468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
1⤵
PID:1828
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1332
- C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
  C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
  2⤵
  PID:4476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe .
1⤵
PID:3196
- C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe .
  2⤵
  PID:760
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\vrcplxqfqkkprerz.exe*."
    3⤵
    PID:1780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe
1⤵
PID:4392
- C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe
  C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe
  2⤵
  PID:1612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe .
1⤵
PID:2384
- C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe .
  2⤵
  PID:1060
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ljwljxsjwsubfujttb.exe*."
    3⤵
    PID:3944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
1⤵
PID:4628
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1032
- C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
  2⤵
  PID:4708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe .
1⤵
PID:4336
- C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
  C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe .
  2⤵
  PID:3620
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\yzphizxrhglvcumzcnmnd.exe*."
    3⤵
    PID:3384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yzphizxrhglvcumzcnmnd.exe
1⤵
PID:972
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4004
- C:\Windows\yzphizxrhglvcumzcnmnd.exe
  yzphizxrhglvcumzcnmnd.exe
  2⤵
  PID:856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wvjzynjbpmpxcsituda.exe .
1⤵
PID:1304
- C:\Windows\wvjzynjbpmpxcsituda.exe
  wvjzynjbpmpxcsituda.exe .
  2⤵
  PID:3044
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\wvjzynjbpmpxcsituda.exe*."
    3⤵
    PID:4720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ljwljxsjwsubfujttb.exe
1⤵
PID:4348
- C:\Windows\ljwljxsjwsubfujttb.exe
  ljwljxsjwsubfujttb.exe
  2⤵
  PID:1008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c czlzwjdtfabhkymvu.exe .
1⤵
PID:4408
- C:\Windows\czlzwjdtfabhkymvu.exe
  czlzwjdtfabhkymvu.exe .
  2⤵
  PID:4088
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\czlzwjdtfabhkymvu.exe*."
    3⤵
    PID:3420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
1⤵
PID:3328
- C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
  2⤵
  PID:4100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe .
1⤵
PID:2240
- C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
  C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe .
  2⤵
  PID:3304
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\yzphizxrhglvcumzcnmnd.exe*."
    3⤵
    PID:2948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
1⤵
PID:536
- C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
  C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
  2⤵
  PID:3524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe .
1⤵
PID:2172
- C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe
  C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe .
  2⤵
  PID:932
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\jjyppfcvkimvbsjvxhff.exe*."
    3⤵
    PID:4708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ljwljxsjwsubfujttb.exe
1⤵
PID:2012
- C:\Windows\ljwljxsjwsubfujttb.exe
  ljwljxsjwsubfujttb.exe
  2⤵
  PID:856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vrcplxqfqkkprerz.exe .
1⤵
PID:2352
- C:\Windows\vrcplxqfqkkprerz.exe
  vrcplxqfqkkprerz.exe .
  2⤵
  PID:1808
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\vrcplxqfqkkprerz.exe*."
    3⤵
    PID:3784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ljwljxsjwsubfujttb.exe
1⤵
PID:4360
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2564
- C:\Windows\ljwljxsjwsubfujttb.exe
  ljwljxsjwsubfujttb.exe
  2⤵
  PID:1740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wvjzynjbpmpxcsituda.exe .
1⤵
PID:984
- C:\Windows\wvjzynjbpmpxcsituda.exe
  wvjzynjbpmpxcsituda.exe .
  2⤵
  PID:4192
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\wvjzynjbpmpxcsituda.exe*."
    3⤵
    PID:336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
1⤵
PID:1060
- C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
  2⤵
  PID:4760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe .
1⤵
PID:2816
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:740
- C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe
  C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe .
  2⤵
  PID:3696
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\jjyppfcvkimvbsjvxhff.exe*."
    3⤵
    PID:4580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
1⤵
PID:4448
- C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
  2⤵
  PID:4332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe .
1⤵
PID:1008
- C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
  C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe .
  2⤵
  PID:4476
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\yzphizxrhglvcumzcnmnd.exe*."
    3⤵
    PID:2684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yzphizxrhglvcumzcnmnd.exe
1⤵
PID:2712
- C:\Windows\yzphizxrhglvcumzcnmnd.exe
  yzphizxrhglvcumzcnmnd.exe
  2⤵
  PID:384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yzphizxrhglvcumzcnmnd.exe .
1⤵
PID:452
- C:\Windows\yzphizxrhglvcumzcnmnd.exe
  yzphizxrhglvcumzcnmnd.exe .
  2⤵
  PID:3304
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\yzphizxrhglvcumzcnmnd.exe*."
    3⤵
    PID:3792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjyppfcvkimvbsjvxhff.exe
1⤵
PID:4188
- C:\Windows\jjyppfcvkimvbsjvxhff.exe
  jjyppfcvkimvbsjvxhff.exe
  2⤵
  PID:3312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yzphizxrhglvcumzcnmnd.exe .
1⤵
PID:3492
- C:\Windows\yzphizxrhglvcumzcnmnd.exe
  yzphizxrhglvcumzcnmnd.exe .
  2⤵
  PID:1324
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\yzphizxrhglvcumzcnmnd.exe*."
    3⤵
    PID:1460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe
1⤵
PID:1596
- C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe
  2⤵
  PID:4104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe .
1⤵
PID:4724
- C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
  C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe .
  2⤵
  PID:4392
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\yzphizxrhglvcumzcnmnd.exe*."
    3⤵
    PID:2312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
1⤵
PID:1444
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2320
- C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
  C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
  2⤵
  PID:3148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe .
1⤵
PID:2264
- C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
  C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe .
  2⤵
  PID:1468
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\yzphizxrhglvcumzcnmnd.exe*."
    3⤵
    PID:3976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wvjzynjbpmpxcsituda.exe
1⤵
PID:1212
- C:\Windows\wvjzynjbpmpxcsituda.exe
  wvjzynjbpmpxcsituda.exe
  2⤵
  PID:3056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ljwljxsjwsubfujttb.exe .
1⤵
PID:336
- C:\Windows\ljwljxsjwsubfujttb.exe
  ljwljxsjwsubfujttb.exe .
  2⤵
  PID:872
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ljwljxsjwsubfujttb.exe*."
    3⤵
    PID:3568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wvjzynjbpmpxcsituda.exe
1⤵
PID:3384
- C:\Windows\wvjzynjbpmpxcsituda.exe
  wvjzynjbpmpxcsituda.exe
  2⤵
  PID:3696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ljwljxsjwsubfujttb.exe .
1⤵
PID:1304
- C:\Windows\ljwljxsjwsubfujttb.exe
  ljwljxsjwsubfujttb.exe .
  2⤵
  PID:4332
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ljwljxsjwsubfujttb.exe*."
    3⤵
    PID:2036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe
1⤵
PID:4220
- C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe
  2⤵
  PID:2468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe .
1⤵
PID:4476
- C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe .
  2⤵
  PID:2460
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\czlzwjdtfabhkymvu.exe*."
    3⤵
    PID:4908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
1⤵
PID:3564
- C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
  2⤵
  PID:2280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe .
1⤵
PID:4408
- C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe
  C:\Users\Admin\AppData\Local\Temp\yzphizxrhglvcumzcnmnd.exe .
  2⤵
  PID:3524
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\yzphizxrhglvcumzcnmnd.exe*."
    3⤵
    PID:368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjyppfcvkimvbsjvxhff.exe
1⤵
PID:1632
- C:\Windows\jjyppfcvkimvbsjvxhff.exe
  jjyppfcvkimvbsjvxhff.exe
  2⤵
  PID:4404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yzphizxrhglvcumzcnmnd.exe .
1⤵
PID:1996
- C:\Windows\yzphizxrhglvcumzcnmnd.exe
  yzphizxrhglvcumzcnmnd.exe .
  2⤵
  PID:3492
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\yzphizxrhglvcumzcnmnd.exe*."
    3⤵
    PID:1416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjyppfcvkimvbsjvxhff.exe
1⤵
PID:712
- C:\Windows\jjyppfcvkimvbsjvxhff.exe
  jjyppfcvkimvbsjvxhff.exe
  2⤵
  PID:2148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ljwljxsjwsubfujttb.exe .
1⤵
PID:3708
- C:\Windows\ljwljxsjwsubfujttb.exe
  ljwljxsjwsubfujttb.exe .
  2⤵
  PID:692
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ljwljxsjwsubfujttb.exe*."
    3⤵
    PID:428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
1⤵
PID:1860
- C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\czlzwjdtfabhkymvu.exe
  2⤵
  PID:4440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe .
1⤵
PID:3236
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4660
- C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe .
  2⤵
  PID:4884
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ljwljxsjwsubfujttb.exe*."
    3⤵
    PID:4684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe
1⤵
PID:2132
- C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe
  2⤵
  PID:3232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe .
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe
  C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe .
  2⤵
  PID:1956
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\wvjzynjbpmpxcsituda.exe*."
    3⤵
    PID:1520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wvjzynjbpmpxcsituda.exe
1⤵
PID:3540
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2468
- C:\Windows\wvjzynjbpmpxcsituda.exe
  wvjzynjbpmpxcsituda.exe
  2⤵
  PID:2416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vrcplxqfqkkprerz.exe .
1⤵
PID:3732
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3044
- C:\Windows\vrcplxqfqkkprerz.exe
  vrcplxqfqkkprerz.exe .
  2⤵
  PID:4648
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\vrcplxqfqkkprerz.exe*."
    3⤵
    PID:3328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c czlzwjdtfabhkymvu.exe
1⤵
PID:4116
- C:\Windows\czlzwjdtfabhkymvu.exe
  czlzwjdtfabhkymvu.exe
  2⤵
  PID:3656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yzphizxrhglvcumzcnmnd.exe .
1⤵
PID:4348
- C:\Windows\yzphizxrhglvcumzcnmnd.exe
  yzphizxrhglvcumzcnmnd.exe .
  2⤵
  PID:2832
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\yzphizxrhglvcumzcnmnd.exe*."
    3⤵
    PID:4992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe
1⤵
PID:1012
- C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe
  C:\Users\Admin\AppData\Local\Temp\wvjzynjbpmpxcsituda.exe
  2⤵
  PID:5116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe .
1⤵
PID:452
- C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ljwljxsjwsubfujttb.exe .
  2⤵
  PID:1756
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ljwljxsjwsubfujttb.exe*."
    3⤵
    PID:4592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
1⤵
PID:4608
- C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\vrcplxqfqkkprerz.exe
  2⤵
  PID:3144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe .
1⤵
PID:3512
- C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe
  C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe .
  2⤵
  PID:788
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\jjyppfcvkimvbsjvxhff.exe*."
    3⤵
    PID:4140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ljwljxsjwsubfujttb.exe
1⤵
PID:3068
- C:\Windows\ljwljxsjwsubfujttb.exe
  ljwljxsjwsubfujttb.exe
  2⤵
  PID:1044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjyppfcvkimvbsjvxhff.exe
1⤵
PID:4236
- C:\Windows\jjyppfcvkimvbsjvxhff.exe
  jjyppfcvkimvbsjvxhff.exe
  2⤵
  PID:692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vrcplxqfqkkprerz.exe
1⤵
PID:2684
- C:\Windows\vrcplxqfqkkprerz.exe
  vrcplxqfqkkprerz.exe
  2⤵
  PID:4192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c czlzwjdtfabhkymvu.exe .
1⤵
PID:4920
- C:\Windows\czlzwjdtfabhkymvu.exe
  czlzwjdtfabhkymvu.exe .
  2⤵
  PID:2876
- - C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
    "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\czlzwjdtfabhkymvu.exe*."
    3⤵
    PID:2468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjyppfcvkimvbsjvxhff.exe .
1⤵
PID:2204
- C:\Windows\jjyppfcvkimvbsjvxhff.exe
  jjyppfcvkimvbsjvxhff.exe .
  2⤵
  PID:3568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c czlzwjdtfabhkymvu.exe .
1⤵
PID:3236
- C:\Windows\czlzwjdtfabhkymvu.exe
  czlzwjdtfabhkymvu.exe .
  2⤵
  PID:3556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vrcplxqfqkkprerz.exe
1⤵
PID:1424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jjyppfcvkimvbsjvxhff.exe
1⤵
PID:1908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wvjzynjbpmpxcsituda.exe
1⤵
PID:4448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wvjzynjbpmpxcsituda.exe .
1⤵
PID:2608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c czlzwjdtfabhkymvu.exe .
1⤵
PID:2036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjyppfcvkimvbsjvxhff.exe
1⤵
PID:4100
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c czlzwjdtfabhkymvu.exe .
1⤵
PID:3996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Modify Registry