pykspa | 0563f7779b0d4e385c21ae96787043aabf73ebc37c9b88f13f7a415ba44633c9

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	xbgqr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	xbgqr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abqgjobtkla.exe

Pykspa
Pykspa is a worm spreads via Skype uses DGA and it's written in C++.
worm pykspa
Pykspa family
pykspa

UAC bypass 3 TTPs 23 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	xbgqr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	xbgqr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	xbgqr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xbgqr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	xbgqr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	xbgqr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xbgqr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	xbgqr.exe

Detect Pykspa worm 2 IoCs

worm

resource	yara_rule
behavioral1/files/0x0006000000023665-4.dat	family_pykspa
behavioral1/files/0x00070000000240bc-105.dat	family_pykspa

Adds policy Run key to start application 2 TTPs 39 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xbgqr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xrmmdzzsqpazzmbyaqkff.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\krzmqzms = "vngetnlcyvebzkxssgy.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\krzmqzms = "ujzugxsgztztowgy.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\krzmqzms = "vngetnlcyvebzkxssgy.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\krzmqzms = "ujzugxsgztztowgy.exe"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	xbgqr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xbgqr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibvukfewtrbzykyuvkdx.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xbgqr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vngetnlcyvebzkxssgy.exe"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\krzmqzms = "ibvukfewtrbzykyuvkdx.exe"	xbgqr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\krzmqzms = "ibvukfewtrbzykyuvkdx.exe"	xbgqr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nml = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qesqlzugfqtbxueqkj.exe"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nml = "C:\\Users\\Admin\\AppData\\Local\\Temp\\huheylfqoyahcyhsl.exe"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	xbgqr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xbgqr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kbtqexukfbjfcmysre.exe"	xbgqr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xbgqr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ujzugxsgztztowgy.exe"	xbgqr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xbgqr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vngetnlcyvebzkxssgy.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xbgqr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xrmmdzzsqpazzmbyaqkff.exe"	xbgqr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\krzmqzms = "vngetnlcyvebzkxssgy.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\krzmqzms = "brierjfuojqlhqbus.exe"	xbgqr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xbgqr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xrmmdzzsqpazzmbyaqkff.exe"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xbgqr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xrmmdzzsqpazzmbyaqkff.exe"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\krzmqzms = "xrmmdzzsqpazzmbyaqkff.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xbgqr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brierjfuojqlhqbus.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\krzmqzms = "vngetnlcyvebzkxssgy.exe"	xbgqr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\krzmqzms = "ibvukfewtrbzykyuvkdx.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oqsenp = "amyunzsczijpjemw.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\krzmqzms = "vngetnlcyvebzkxssgy.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xbgqr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vngetnlcyvebzkxssgy.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\krzmqzms = "kbtqexukfbjfcmysre.exe"	xbgqr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xbgqr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brierjfuojqlhqbus.exe"	xbgqr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abqgjobtkla.exe

Disables RegEdit via registry modification 14 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	abqgjobtkla.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	xbgqr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	xbgqr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	abqgjobtkla.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	abqgjobtkla.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	abqgjobtkla.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	xbgqr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	xbgqr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	abqgjobtkla.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	abqgjobtkla.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	abqgjobtkla.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	abqgjobtkla.exe

Checks computer location settings 2 TTPs 49 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ujzugxsgztztowgy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	xrmmdzzsqpazzmbyaqkff.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ujzugxsgztztowgy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ujzugxsgztztowgy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	kbtqexukfbjfcmysre.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ibvukfewtrbzykyuvkdx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	vngetnlcyvebzkxssgy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	xrmmdzzsqpazzmbyaqkff.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	abqgjobtkla.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	xrmmdzzsqpazzmbyaqkff.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ujzugxsgztztowgy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	vngetnlcyvebzkxssgy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ibvukfewtrbzykyuvkdx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ujzugxsgztztowgy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	xrmmdzzsqpazzmbyaqkff.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ibvukfewtrbzykyuvkdx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	xrmmdzzsqpazzmbyaqkff.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	xrmmdzzsqpazzmbyaqkff.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	brierjfuojqlhqbus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ibvukfewtrbzykyuvkdx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	kbtqexukfbjfcmysre.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	abqgjobtkla.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	vngetnlcyvebzkxssgy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	JaffaCakes118_9a68e3a1b3fc00cfbfb50a560d36bba1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	vngetnlcyvebzkxssgy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	vngetnlcyvebzkxssgy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	brierjfuojqlhqbus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	vngetnlcyvebzkxssgy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	kbtqexukfbjfcmysre.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ujzugxsgztztowgy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	kbtqexukfbjfcmysre.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	brierjfuojqlhqbus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ujzugxsgztztowgy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ujzugxsgztztowgy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ibvukfewtrbzykyuvkdx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ibvukfewtrbzykyuvkdx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	vngetnlcyvebzkxssgy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	vngetnlcyvebzkxssgy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ibvukfewtrbzykyuvkdx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	brierjfuojqlhqbus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	brierjfuojqlhqbus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	xrmmdzzsqpazzmbyaqkff.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	vngetnlcyvebzkxssgy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	vngetnlcyvebzkxssgy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	vngetnlcyvebzkxssgy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ibvukfewtrbzykyuvkdx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	brierjfuojqlhqbus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ibvukfewtrbzykyuvkdx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	brierjfuojqlhqbus.exe

Executes dropped EXE 64 IoCs

pid	Process
2156	abqgjobtkla.exe
2224	brierjfuojqlhqbus.exe
5032	brierjfuojqlhqbus.exe
1748	abqgjobtkla.exe
1320	brierjfuojqlhqbus.exe
1324	xrmmdzzsqpazzmbyaqkff.exe
2988	ibvukfewtrbzykyuvkdx.exe
4832	abqgjobtkla.exe
4920	vngetnlcyvebzkxssgy.exe
3160	abqgjobtkla.exe
2308	ibvukfewtrbzykyuvkdx.exe
3204	vngetnlcyvebzkxssgy.exe
2748	abqgjobtkla.exe
4980	xbgqr.exe
2224	xbgqr.exe
1336	ujzugxsgztztowgy.exe
2800	brierjfuojqlhqbus.exe
2912	xrmmdzzsqpazzmbyaqkff.exe
2372	xrmmdzzsqpazzmbyaqkff.exe
1976	abqgjobtkla.exe
3180	abqgjobtkla.exe
4692	xrmmdzzsqpazzmbyaqkff.exe
1584	kbtqexukfbjfcmysre.exe
1416	brierjfuojqlhqbus.exe
3984	ujzugxsgztztowgy.exe
1640	xrmmdzzsqpazzmbyaqkff.exe
3104	xrmmdzzsqpazzmbyaqkff.exe
4652	abqgjobtkla.exe
2252	abqgjobtkla.exe
1584	vngetnlcyvebzkxssgy.exe
4272	vngetnlcyvebzkxssgy.exe
3236	ujzugxsgztztowgy.exe
2308	ibvukfewtrbzykyuvkdx.exe
3320	vngetnlcyvebzkxssgy.exe
4420	ujzugxsgztztowgy.exe
4924	abqgjobtkla.exe
4860	abqgjobtkla.exe
2264	abqgjobtkla.exe
2216	abqgjobtkla.exe
4016	ibvukfewtrbzykyuvkdx.exe
968	ibvukfewtrbzykyuvkdx.exe
952	abqgjobtkla.exe
1588	brierjfuojqlhqbus.exe
5092	vngetnlcyvebzkxssgy.exe
2968	xrmmdzzsqpazzmbyaqkff.exe
3048	abqgjobtkla.exe
1412	vngetnlcyvebzkxssgy.exe
3828	abqgjobtkla.exe
372	kbtqexukfbjfcmysre.exe
1416	ujzugxsgztztowgy.exe
1380	abqgjobtkla.exe
4636	ibvukfewtrbzykyuvkdx.exe
2800	ibvukfewtrbzykyuvkdx.exe
4884	ibvukfewtrbzykyuvkdx.exe
1864	ibvukfewtrbzykyuvkdx.exe
1448	abqgjobtkla.exe
1064	abqgjobtkla.exe
432	kbtqexukfbjfcmysre.exe
2276	ujzugxsgztztowgy.exe
4040	kbtqexukfbjfcmysre.exe
3688	brierjfuojqlhqbus.exe
1620	xrmmdzzsqpazzmbyaqkff.exe
1968	ujzugxsgztztowgy.exe
3468	brierjfuojqlhqbus.exe

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	xbgqr.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	xbgqr.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	xbgqr.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	xbgqr.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	xbgqr.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	xbgqr.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

defense_evasion persistence privilege_escalation

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pzkahtjsgvw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vngetnlcyvebzkxssgy.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uuue = "huheylfqoyahcyhsl.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vbiuxfr = "ibvukfewtrbzykyuvkdx.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mxjaivmwlbdt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ujzugxsgztztowgy.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\udncitiqdr = "xrmmdzzsqpazzmbyaqkff.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mxjaivmwlbdt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibvukfewtrbzykyuvkdx.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bjsglvjqc = "xrmmdzzsqpazzmbyaqkff.exe"	xbgqr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mxjaivmwlbdt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xrmmdzzsqpazzmbyaqkff.exe"	xbgqr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vbiuxfr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibvukfewtrbzykyuvkdx.exe ."	xbgqr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vbiuxfr = "ibvukfewtrbzykyuvkdx.exe ."	xbgqr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mxjaivmwlbdt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xrmmdzzsqpazzmbyaqkff.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vbiuxfr = "xrmmdzzsqpazzmbyaqkff.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\integn = "brierjfuojqlhqbus.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pzkahtjsgvw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vngetnlcyvebzkxssgy.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\integn = "ibvukfewtrbzykyuvkdx.exe"	xbgqr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\udncitiqdr = "ujzugxsgztztowgy.exe ."	xbgqr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pzkahtjsgvw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xrmmdzzsqpazzmbyaqkff.exe ."	xbgqr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\integn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xrmmdzzsqpazzmbyaqkff.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\integn = "kbtqexukfbjfcmysre.exe"	xbgqr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vbiuxfr = "xrmmdzzsqpazzmbyaqkff.exe ."	xbgqr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\integn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ujzugxsgztztowgy.exe"	xbgqr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vbiuxfr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brierjfuojqlhqbus.exe ."	xbgqr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vbiuxfr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibvukfewtrbzykyuvkdx.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\integn = "ujzugxsgztztowgy.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\integn = "ujzugxsgztztowgy.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bjsglvjqc = "ibvukfewtrbzykyuvkdx.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\udncitiqdr = "vngetnlcyvebzkxssgy.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\integn = "ibvukfewtrbzykyuvkdx.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mxjaivmwlbdt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xrmmdzzsqpazzmbyaqkff.exe"	xbgqr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\quymxbmo = "qesqlzugfqtbxueqkj.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\defqy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\huheylfqoyahcyhsl.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\integn = "vngetnlcyvebzkxssgy.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bjsglvjqc = "brierjfuojqlhqbus.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vbiuxfr = "ujzugxsgztztowgy.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\udncitiqdr = "ibvukfewtrbzykyuvkdx.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vbiuxfr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vngetnlcyvebzkxssgy.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vbiuxfr = "ibvukfewtrbzykyuvkdx.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bjsglvjqc = "ujzugxsgztztowgy.exe"	xbgqr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bjsglvjqc = "ibvukfewtrbzykyuvkdx.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\agmcpvimdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oeuurhestglvtsesopka.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hmrgsxjmc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oeuurhestglvtsesopka.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bjsglvjqc = "xrmmdzzsqpazzmbyaqkff.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\behuehr = "amyunzsczijpjemw.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vbiuxfr = "xrmmdzzsqpazzmbyaqkff.exe ."	xbgqr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bjsglvjqc = "kbtqexukfbjfcmysre.exe"	xbgqr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pzkahtjsgvw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vngetnlcyvebzkxssgy.exe ."	xbgqr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\integn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vngetnlcyvebzkxssgy.exe"	xbgqr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bjsglvjqc = "brierjfuojqlhqbus.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\integn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kbtqexukfbjfcmysre.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\integn = "kbtqexukfbjfcmysre.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\integn = "kbtqexukfbjfcmysre.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vbiuxfr = "brierjfuojqlhqbus.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vbiuxfr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ujzugxsgztztowgy.exe ."	xbgqr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\integn = "ibvukfewtrbzykyuvkdx.exe"	xbgqr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uuue = "dulmkbzoqekvuuhwtvriz.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hmrgsxjmc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qesqlzugfqtbxueqkj.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\integn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xrmmdzzsqpazzmbyaqkff.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vbiuxfr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brierjfuojqlhqbus.exe ."	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bjsglvjqc = "ujzugxsgztztowgy.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bjsglvjqc = "brierjfuojqlhqbus.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\integn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibvukfewtrbzykyuvkdx.exe"	abqgjobtkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vbiuxfr = "ibvukfewtrbzykyuvkdx.exe ."	xbgqr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\integn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brierjfuojqlhqbus.exe"	xbgqr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\udncitiqdr = "ujzugxsgztztowgy.exe ."	abqgjobtkla.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xbgqr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	xbgqr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	xbgqr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xbgqr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 4 IoCs

Possible Turn off User Account Control's privilege elevation for standard users.

Executable Installer File Permissions Weakness

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	xbgqr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	xbgqr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	abqgjobtkla.exe

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
29	whatismyipaddress.com
41	www.whatismyip.ca
48	www.whatismyip.ca
51	whatismyip.everdot.org
23	whatismyip.everdot.org
24	www.showmyipaddress.com

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\brierjfuojqlhqbus.exe	xbgqr.exe
File opened for modification	C:\Windows\SysWOW64\pzkahtjsgvwlbejwouepfmyoxlabqgjob.zju	xbgqr.exe
File opened for modification	C:\Windows\SysWOW64\brierjfuojqlhqbus.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ujzugxsgztztowgy.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\kbtqexukfbjfcmysre.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ibvukfewtrbzykyuvkdx.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\xrmmdzzsqpazzmbyaqkff.exe	abqgjobtkla.exe
File created	C:\Windows\SysWOW64\yxxcyzecfjzdiauwdyxxcy.ecf	xbgqr.exe
File opened for modification	C:\Windows\SysWOW64\xrmmdzzsqpazzmbyaqkff.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ujzugxsgztztowgy.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ibvukfewtrbzykyuvkdx.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\vngetnlcyvebzkxssgy.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ojfgyvwqppbbcqgehytpqi.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\kbtqexukfbjfcmysre.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ibvukfewtrbzykyuvkdx.exe	xbgqr.exe
File opened for modification	C:\Windows\SysWOW64\xrmmdzzsqpazzmbyaqkff.exe	xbgqr.exe
File created	C:\Windows\SysWOW64\pzkahtjsgvwlbejwouepfmyoxlabqgjob.zju	xbgqr.exe
File opened for modification	C:\Windows\SysWOW64\xrmmdzzsqpazzmbyaqkff.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\vngetnlcyvebzkxssgy.exe	xbgqr.exe
File opened for modification	C:\Windows\SysWOW64\brierjfuojqlhqbus.exe	xbgqr.exe
File opened for modification	C:\Windows\SysWOW64\ibvukfewtrbzykyuvkdx.exe	xbgqr.exe
File opened for modification	C:\Windows\SysWOW64\vngetnlcyvebzkxssgy.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\brierjfuojqlhqbus.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\vngetnlcyvebzkxssgy.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\xrmmdzzsqpazzmbyaqkff.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\xrmmdzzsqpazzmbyaqkff.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ujzugxsgztztowgy.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ojfgyvwqppbbcqgehytpqi.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\kbtqexukfbjfcmysre.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ujzugxsgztztowgy.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\kbtqexukfbjfcmysre.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\xrmmdzzsqpazzmbyaqkff.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ujzugxsgztztowgy.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\kbtqexukfbjfcmysre.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\vngetnlcyvebzkxssgy.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\xrmmdzzsqpazzmbyaqkff.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\brierjfuojqlhqbus.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\yxxcyzecfjzdiauwdyxxcy.ecf	xbgqr.exe
File opened for modification	C:\Windows\SysWOW64\ojfgyvwqppbbcqgehytpqi.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\kbtqexukfbjfcmysre.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ujzugxsgztztowgy.exe	xbgqr.exe
File opened for modification	C:\Windows\SysWOW64\ujzugxsgztztowgy.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\brierjfuojqlhqbus.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\vngetnlcyvebzkxssgy.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\kbtqexukfbjfcmysre.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ujzugxsgztztowgy.exe	xbgqr.exe
File opened for modification	C:\Windows\SysWOW64\vngetnlcyvebzkxssgy.exe	xbgqr.exe
File opened for modification	C:\Windows\SysWOW64\ibvukfewtrbzykyuvkdx.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ojfgyvwqppbbcqgehytpqi.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\xrmmdzzsqpazzmbyaqkff.exe	xbgqr.exe
File opened for modification	C:\Windows\SysWOW64\ojfgyvwqppbbcqgehytpqi.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ibvukfewtrbzykyuvkdx.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\vngetnlcyvebzkxssgy.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ujzugxsgztztowgy.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ojfgyvwqppbbcqgehytpqi.exe	xbgqr.exe
File opened for modification	C:\Windows\SysWOW64\ojfgyvwqppbbcqgehytpqi.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\kbtqexukfbjfcmysre.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ujzugxsgztztowgy.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\brierjfuojqlhqbus.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\ibvukfewtrbzykyuvkdx.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\kbtqexukfbjfcmysre.exe	xbgqr.exe
File opened for modification	C:\Windows\SysWOW64\ojfgyvwqppbbcqgehytpqi.exe	xbgqr.exe
File opened for modification	C:\Windows\SysWOW64\vngetnlcyvebzkxssgy.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\SysWOW64\kbtqexukfbjfcmysre.exe	xbgqr.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\yxxcyzecfjzdiauwdyxxcy.ecf	xbgqr.exe
File created	C:\Program Files (x86)\yxxcyzecfjzdiauwdyxxcy.ecf	xbgqr.exe
File opened for modification	C:\Program Files (x86)\pzkahtjsgvwlbejwouepfmyoxlabqgjob.zju	xbgqr.exe
File created	C:\Program Files (x86)\pzkahtjsgvwlbejwouepfmyoxlabqgjob.zju	xbgqr.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\kbtqexukfbjfcmysre.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\pzkahtjsgvwlbejwouepfmyoxlabqgjob.zju	xbgqr.exe
File opened for modification	C:\Windows\ibvukfewtrbzykyuvkdx.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\vngetnlcyvebzkxssgy.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ibvukfewtrbzykyuvkdx.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ujzugxsgztztowgy.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\xrmmdzzsqpazzmbyaqkff.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\kbtqexukfbjfcmysre.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ibvukfewtrbzykyuvkdx.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\brierjfuojqlhqbus.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ibvukfewtrbzykyuvkdx.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ujzugxsgztztowgy.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\brierjfuojqlhqbus.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ojfgyvwqppbbcqgehytpqi.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\kbtqexukfbjfcmysre.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\xrmmdzzsqpazzmbyaqkff.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\brierjfuojqlhqbus.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\vngetnlcyvebzkxssgy.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ojfgyvwqppbbcqgehytpqi.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\kbtqexukfbjfcmysre.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\vngetnlcyvebzkxssgy.exe	xbgqr.exe
File opened for modification	C:\Windows\xrmmdzzsqpazzmbyaqkff.exe	xbgqr.exe
File opened for modification	C:\Windows\brierjfuojqlhqbus.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ujzugxsgztztowgy.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ibvukfewtrbzykyuvkdx.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\vngetnlcyvebzkxssgy.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ojfgyvwqppbbcqgehytpqi.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\xrmmdzzsqpazzmbyaqkff.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\vngetnlcyvebzkxssgy.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\vngetnlcyvebzkxssgy.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\brierjfuojqlhqbus.exe	xbgqr.exe
File opened for modification	C:\Windows\kbtqexukfbjfcmysre.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ojfgyvwqppbbcqgehytpqi.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ujzugxsgztztowgy.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\brierjfuojqlhqbus.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\brierjfuojqlhqbus.exe	xbgqr.exe
File opened for modification	C:\Windows\ojfgyvwqppbbcqgehytpqi.exe	xbgqr.exe
File created	C:\Windows\pzkahtjsgvwlbejwouepfmyoxlabqgjob.zju	xbgqr.exe
File opened for modification	C:\Windows\kbtqexukfbjfcmysre.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\vngetnlcyvebzkxssgy.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\vngetnlcyvebzkxssgy.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ibvukfewtrbzykyuvkdx.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ujzugxsgztztowgy.exe	xbgqr.exe
File opened for modification	C:\Windows\vngetnlcyvebzkxssgy.exe	xbgqr.exe
File opened for modification	C:\Windows\ibvukfewtrbzykyuvkdx.exe	xbgqr.exe
File opened for modification	C:\Windows\brierjfuojqlhqbus.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ujzugxsgztztowgy.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\vngetnlcyvebzkxssgy.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\xrmmdzzsqpazzmbyaqkff.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\kbtqexukfbjfcmysre.exe	xbgqr.exe
File opened for modification	C:\Windows\xrmmdzzsqpazzmbyaqkff.exe	xbgqr.exe
File opened for modification	C:\Windows\yxxcyzecfjzdiauwdyxxcy.ecf	xbgqr.exe
File opened for modification	C:\Windows\ujzugxsgztztowgy.exe	xbgqr.exe
File opened for modification	C:\Windows\brierjfuojqlhqbus.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ojfgyvwqppbbcqgehytpqi.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\xrmmdzzsqpazzmbyaqkff.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\brierjfuojqlhqbus.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ujzugxsgztztowgy.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ojfgyvwqppbbcqgehytpqi.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ibvukfewtrbzykyuvkdx.exe	xbgqr.exe
File opened for modification	C:\Windows\ibvukfewtrbzykyuvkdx.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\ojfgyvwqppbbcqgehytpqi.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\kbtqexukfbjfcmysre.exe	abqgjobtkla.exe
File opened for modification	C:\Windows\xrmmdzzsqpazzmbyaqkff.exe	abqgjobtkla.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	brierjfuojqlhqbus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ibvukfewtrbzykyuvkdx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xrmmdzzsqpazzmbyaqkff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qesqlzugfqtbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vngetnlcyvebzkxssgy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	brierjfuojqlhqbus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oeuurhestglvtsesopka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ibvukfewtrbzykyuvkdx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xrmmdzzsqpazzmbyaqkff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	brierjfuojqlhqbus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kbtqexukfbjfcmysre.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xrmmdzzsqpazzmbyaqkff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vngetnlcyvebzkxssgy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbgqr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ujzugxsgztztowgy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vngetnlcyvebzkxssgy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bqfeaplyykoxusdqllf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	huheylfqoyahcyhsl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qesqlzugfqtbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ibvukfewtrbzykyuvkdx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vngetnlcyvebzkxssgy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	huheylfqoyahcyhsl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vngetnlcyvebzkxssgy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vngetnlcyvebzkxssgy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xrmmdzzsqpazzmbyaqkff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oqsenp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xrmmdzzsqpazzmbyaqkff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ujzugxsgztztowgy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xrmmdzzsqpazzmbyaqkff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vngetnlcyvebzkxssgy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ibvukfewtrbzykyuvkdx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dulmkbzoqekvuuhwtvriz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ujzugxsgztztowgy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ujzugxsgztztowgy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ujzugxsgztztowgy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kbtqexukfbjfcmysre.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ibvukfewtrbzykyuvkdx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xrmmdzzsqpazzmbyaqkff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ujzugxsgztztowgy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ibvukfewtrbzykyuvkdx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	brierjfuojqlhqbus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	brierjfuojqlhqbus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	brierjfuojqlhqbus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vngetnlcyvebzkxssgy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abqgjobtkla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ujzugxsgztztowgy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	brierjfuojqlhqbus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xrmmdzzsqpazzmbyaqkff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	brierjfuojqlhqbus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ibvukfewtrbzykyuvkdx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kbtqexukfbjfcmysre.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ibvukfewtrbzykyuvkdx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kbtqexukfbjfcmysre.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ujzugxsgztztowgy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ibvukfewtrbzykyuvkdx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vngetnlcyvebzkxssgy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ujzugxsgztztowgy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ibvukfewtrbzykyuvkdx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qesqlzugfqtbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qesqlzugfqtbxueqkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ibvukfewtrbzykyuvkdx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xrmmdzzsqpazzmbyaqkff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	amyunzsczijpjemw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	huheylfqoyahcyhsl.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
3056	JaffaCakes118_9a68e3a1b3fc00cfbfb50a560d36bba1.exe
3056	JaffaCakes118_9a68e3a1b3fc00cfbfb50a560d36bba1.exe
3056	JaffaCakes118_9a68e3a1b3fc00cfbfb50a560d36bba1.exe
3056	JaffaCakes118_9a68e3a1b3fc00cfbfb50a560d36bba1.exe
3056	JaffaCakes118_9a68e3a1b3fc00cfbfb50a560d36bba1.exe
3056	JaffaCakes118_9a68e3a1b3fc00cfbfb50a560d36bba1.exe
3056	JaffaCakes118_9a68e3a1b3fc00cfbfb50a560d36bba1.exe
3056	JaffaCakes118_9a68e3a1b3fc00cfbfb50a560d36bba1.exe
3056	JaffaCakes118_9a68e3a1b3fc00cfbfb50a560d36bba1.exe
3056	JaffaCakes118_9a68e3a1b3fc00cfbfb50a560d36bba1.exe
3056	JaffaCakes118_9a68e3a1b3fc00cfbfb50a560d36bba1.exe
3056	JaffaCakes118_9a68e3a1b3fc00cfbfb50a560d36bba1.exe
3056	JaffaCakes118_9a68e3a1b3fc00cfbfb50a560d36bba1.exe
3056	JaffaCakes118_9a68e3a1b3fc00cfbfb50a560d36bba1.exe
3056	JaffaCakes118_9a68e3a1b3fc00cfbfb50a560d36bba1.exe
3056	JaffaCakes118_9a68e3a1b3fc00cfbfb50a560d36bba1.exe
4980	xbgqr.exe
4980	xbgqr.exe
3056	JaffaCakes118_9a68e3a1b3fc00cfbfb50a560d36bba1.exe
3056	JaffaCakes118_9a68e3a1b3fc00cfbfb50a560d36bba1.exe
3056	JaffaCakes118_9a68e3a1b3fc00cfbfb50a560d36bba1.exe
3056	JaffaCakes118_9a68e3a1b3fc00cfbfb50a560d36bba1.exe
3056	JaffaCakes118_9a68e3a1b3fc00cfbfb50a560d36bba1.exe
3056	JaffaCakes118_9a68e3a1b3fc00cfbfb50a560d36bba1.exe
3056	JaffaCakes118_9a68e3a1b3fc00cfbfb50a560d36bba1.exe
3056	JaffaCakes118_9a68e3a1b3fc00cfbfb50a560d36bba1.exe
3056	JaffaCakes118_9a68e3a1b3fc00cfbfb50a560d36bba1.exe
3056	JaffaCakes118_9a68e3a1b3fc00cfbfb50a560d36bba1.exe
3056	JaffaCakes118_9a68e3a1b3fc00cfbfb50a560d36bba1.exe
3056	JaffaCakes118_9a68e3a1b3fc00cfbfb50a560d36bba1.exe
3056	JaffaCakes118_9a68e3a1b3fc00cfbfb50a560d36bba1.exe
3056	JaffaCakes118_9a68e3a1b3fc00cfbfb50a560d36bba1.exe
3056	JaffaCakes118_9a68e3a1b3fc00cfbfb50a560d36bba1.exe
3056	JaffaCakes118_9a68e3a1b3fc00cfbfb50a560d36bba1.exe
3056	JaffaCakes118_9a68e3a1b3fc00cfbfb50a560d36bba1.exe
3056	JaffaCakes118_9a68e3a1b3fc00cfbfb50a560d36bba1.exe
3056	JaffaCakes118_9a68e3a1b3fc00cfbfb50a560d36bba1.exe
3056	JaffaCakes118_9a68e3a1b3fc00cfbfb50a560d36bba1.exe
3056	JaffaCakes118_9a68e3a1b3fc00cfbfb50a560d36bba1.exe
3056	JaffaCakes118_9a68e3a1b3fc00cfbfb50a560d36bba1.exe
3056	JaffaCakes118_9a68e3a1b3fc00cfbfb50a560d36bba1.exe
3056	JaffaCakes118_9a68e3a1b3fc00cfbfb50a560d36bba1.exe
3056	JaffaCakes118_9a68e3a1b3fc00cfbfb50a560d36bba1.exe
3056	JaffaCakes118_9a68e3a1b3fc00cfbfb50a560d36bba1.exe
3056	JaffaCakes118_9a68e3a1b3fc00cfbfb50a560d36bba1.exe
3056	JaffaCakes118_9a68e3a1b3fc00cfbfb50a560d36bba1.exe
3056	JaffaCakes118_9a68e3a1b3fc00cfbfb50a560d36bba1.exe
3056	JaffaCakes118_9a68e3a1b3fc00cfbfb50a560d36bba1.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4980	xbgqr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 2156	3056	JaffaCakes118_9a68e3a1b3fc00cfbfb50a560d36bba1.exe	273
PID 3056 wrote to memory of 2156	3056	JaffaCakes118_9a68e3a1b3fc00cfbfb50a560d36bba1.exe	273
PID 3056 wrote to memory of 2156	3056	JaffaCakes118_9a68e3a1b3fc00cfbfb50a560d36bba1.exe	273
PID 4468 wrote to memory of 2224	4468	cmd.exe	126
PID 4468 wrote to memory of 2224	4468	cmd.exe	126
PID 4468 wrote to memory of 2224	4468	cmd.exe	126
PID 556 wrote to memory of 5032	556	cmd.exe	98
PID 556 wrote to memory of 5032	556	cmd.exe	98
PID 556 wrote to memory of 5032	556	cmd.exe	98
PID 5032 wrote to memory of 1748	5032	brierjfuojqlhqbus.exe	99
PID 5032 wrote to memory of 1748	5032	brierjfuojqlhqbus.exe	99
PID 5032 wrote to memory of 1748	5032	brierjfuojqlhqbus.exe	99
PID 4420 wrote to memory of 1320	4420	cmd.exe	431
PID 4420 wrote to memory of 1320	4420	cmd.exe	431
PID 4420 wrote to memory of 1320	4420	cmd.exe	431
PID 1412 wrote to memory of 1324	1412	cmd.exe	328
PID 1412 wrote to memory of 1324	1412	cmd.exe	328
PID 1412 wrote to memory of 1324	1412	cmd.exe	328
PID 2192 wrote to memory of 2988	2192	cmd.exe	110
PID 2192 wrote to memory of 2988	2192	cmd.exe	110
PID 2192 wrote to memory of 2988	2192	cmd.exe	110
PID 1324 wrote to memory of 4832	1324	xrmmdzzsqpazzmbyaqkff.exe	200
PID 1324 wrote to memory of 4832	1324	xrmmdzzsqpazzmbyaqkff.exe	200
PID 1324 wrote to memory of 4832	1324	xrmmdzzsqpazzmbyaqkff.exe	200
PID 2912 wrote to memory of 4920	2912	cmd.exe	192
PID 2912 wrote to memory of 4920	2912	cmd.exe	192
PID 2912 wrote to memory of 4920	2912	cmd.exe	192
PID 4920 wrote to memory of 3160	4920	vngetnlcyvebzkxssgy.exe	407
PID 4920 wrote to memory of 3160	4920	vngetnlcyvebzkxssgy.exe	407
PID 4920 wrote to memory of 3160	4920	vngetnlcyvebzkxssgy.exe	407
PID 3196 wrote to memory of 2308	3196	cmd.exe	446
PID 3196 wrote to memory of 2308	3196	cmd.exe	446
PID 3196 wrote to memory of 2308	3196	cmd.exe	446
PID 3316 wrote to memory of 3204	3316	cmd.exe	121
PID 3316 wrote to memory of 3204	3316	cmd.exe	121
PID 3316 wrote to memory of 3204	3316	cmd.exe	121
PID 3204 wrote to memory of 2748	3204	vngetnlcyvebzkxssgy.exe	589
PID 3204 wrote to memory of 2748	3204	vngetnlcyvebzkxssgy.exe	589
PID 3204 wrote to memory of 2748	3204	vngetnlcyvebzkxssgy.exe	589
PID 2156 wrote to memory of 4980	2156	abqgjobtkla.exe	125
PID 2156 wrote to memory of 4980	2156	abqgjobtkla.exe	125
PID 2156 wrote to memory of 4980	2156	abqgjobtkla.exe	125
PID 2156 wrote to memory of 2224	2156	abqgjobtkla.exe	126
PID 2156 wrote to memory of 2224	2156	abqgjobtkla.exe	126
PID 2156 wrote to memory of 2224	2156	abqgjobtkla.exe	126
PID 4612 wrote to memory of 2800	4612	cmd.exe	566
PID 4612 wrote to memory of 2800	4612	cmd.exe	566
PID 4612 wrote to memory of 2800	4612	cmd.exe	566
PID 1804 wrote to memory of 1336	1804	cmd.exe	445
PID 1804 wrote to memory of 1336	1804	cmd.exe	445
PID 1804 wrote to memory of 1336	1804	cmd.exe	445
PID 2752 wrote to memory of 2912	2752	cmd.exe	345
PID 2752 wrote to memory of 2912	2752	cmd.exe	345
PID 2752 wrote to memory of 2912	2752	cmd.exe	345
PID 1324 wrote to memory of 2372	1324	cmd.exe	456
PID 1324 wrote to memory of 2372	1324	cmd.exe	456
PID 1324 wrote to memory of 2372	1324	cmd.exe	456
PID 2912 wrote to memory of 1976	2912	xrmmdzzsqpazzmbyaqkff.exe	434
PID 2912 wrote to memory of 1976	2912	xrmmdzzsqpazzmbyaqkff.exe	434
PID 2912 wrote to memory of 1976	2912	xrmmdzzsqpazzmbyaqkff.exe	434
PID 2372 wrote to memory of 3180	2372	xrmmdzzsqpazzmbyaqkff.exe	152
PID 2372 wrote to memory of 3180	2372	xrmmdzzsqpazzmbyaqkff.exe	152
PID 2372 wrote to memory of 3180	2372	xrmmdzzsqpazzmbyaqkff.exe	152
PID 1048 wrote to memory of 4692	1048	cmd.exe	495

System policy modification 1 TTPs 62 IoCs

defense_evasion

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	xbgqr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	xbgqr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xbgqr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	xbgqr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	xbgqr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	xbgqr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	xbgqr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	xbgqr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	xbgqr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	xbgqr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	xbgqr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	xbgqr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	xbgqr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	xbgqr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	xbgqr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	xbgqr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	xbgqr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xbgqr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	xbgqr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	xbgqr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	xbgqr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	xbgqr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	xbgqr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abqgjobtkla.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	xbgqr.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9a68e3a1b3fc00cfbfb50a560d36bba1.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9a68e3a1b3fc00cfbfb50a560d36bba1.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
  "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_9a68e3a1b3fc00cfbfb50a560d36bba1.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2156
- - C:\Users\Admin\AppData\Local\Temp\xbgqr.exe
    "C:\Users\Admin\AppData\Local\Temp\xbgqr.exe" "-c:\users\admin\appdata\local\temp\jaffacakes118_9a68e3a1b3fc00cfbfb50a560d36bba1.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:4980
- - C:\Users\Admin\AppData\Local\Temp\xbgqr.exe
    "C:\Users\Admin\AppData\Local\Temp\xbgqr.exe" "-c:\users\admin\appdata\local\temp\jaffacakes118_9a68e3a1b3fc00cfbfb50a560d36bba1.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brierjfuojqlhqbus.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4468
- C:\Windows\brierjfuojqlhqbus.exe
  brierjfuojqlhqbus.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brierjfuojqlhqbus.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:556
- C:\Windows\brierjfuojqlhqbus.exe
  brierjfuojqlhqbus.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5032
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\brierjfuojqlhqbus.exe*."
    3⤵
    - Executes dropped EXE
    PID:1748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brierjfuojqlhqbus.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4420
- C:\Windows\brierjfuojqlhqbus.exe
  brierjfuojqlhqbus.exe
  2⤵
  - Executes dropped EXE
  PID:1320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xrmmdzzsqpazzmbyaqkff.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:1412
- C:\Windows\xrmmdzzsqpazzmbyaqkff.exe
  xrmmdzzsqpazzmbyaqkff.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\xrmmdzzsqpazzmbyaqkff.exe*."
    3⤵
    - Executes dropped EXE
    PID:4832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe
  C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe
  C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4920
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\vngetnlcyvebzkxssgy.exe*."
    3⤵
    - Executes dropped EXE
    PID:3160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3196
- C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe
  C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe
  2⤵
  - Executes dropped EXE
  PID:2308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:3316
- C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe
  C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3204
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\vngetnlcyvebzkxssgy.exe*."
    3⤵
    - Executes dropped EXE
    PID:2748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brierjfuojqlhqbus.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4612
- C:\Windows\brierjfuojqlhqbus.exe
  brierjfuojqlhqbus.exe
  2⤵
  - Executes dropped EXE
  PID:2800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ujzugxsgztztowgy.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Windows\ujzugxsgztztowgy.exe
  ujzugxsgztztowgy.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xrmmdzzsqpazzmbyaqkff.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Windows\xrmmdzzsqpazzmbyaqkff.exe
  xrmmdzzsqpazzmbyaqkff.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\xrmmdzzsqpazzmbyaqkff.exe*."
    3⤵
    - Executes dropped EXE
    PID:1976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xrmmdzzsqpazzmbyaqkff.exe .
1⤵
- Suspicious use of WriteProcessMemory
PID:1324
- C:\Windows\xrmmdzzsqpazzmbyaqkff.exe
  xrmmdzzsqpazzmbyaqkff.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\xrmmdzzsqpazzmbyaqkff.exe*."
    3⤵
    - Executes dropped EXE
    PID:3180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kbtqexukfbjfcmysre.exe
1⤵
PID:5108
- C:\Windows\kbtqexukfbjfcmysre.exe
  kbtqexukfbjfcmysre.exe
  2⤵
  - Executes dropped EXE
  PID:1584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xrmmdzzsqpazzmbyaqkff.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Windows\xrmmdzzsqpazzmbyaqkff.exe
  xrmmdzzsqpazzmbyaqkff.exe
  2⤵
  - Executes dropped EXE
  PID:4692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brierjfuojqlhqbus.exe .
1⤵
PID:4380
- C:\Windows\brierjfuojqlhqbus.exe
  brierjfuojqlhqbus.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1416
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\brierjfuojqlhqbus.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xrmmdzzsqpazzmbyaqkff.exe .
1⤵
PID:2968
- C:\Windows\xrmmdzzsqpazzmbyaqkff.exe
  xrmmdzzsqpazzmbyaqkff.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1640
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\xrmmdzzsqpazzmbyaqkff.exe*."
    3⤵
    - Executes dropped EXE
    PID:2252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe
1⤵
PID:3888
- C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe
  C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe
1⤵
PID:2652
- C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe
  C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe .
1⤵
PID:2736
- C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe
  C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4272
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\vngetnlcyvebzkxssgy.exe*."
    3⤵
    - Executes dropped EXE
    PID:4924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe .
1⤵
PID:5084
- C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe
  C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1584
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\vngetnlcyvebzkxssgy.exe*."
    3⤵
    - Executes dropped EXE
    PID:2264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe
1⤵
PID:116
- C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe
  C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe
  2⤵
  - Executes dropped EXE
  PID:3320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe
1⤵
PID:3920
- C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe
  C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe
  2⤵
  - Executes dropped EXE
  PID:3236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe .
1⤵
PID:3688
- C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe
  C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4420
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ujzugxsgztztowgy.exe*."
    3⤵
    - Executes dropped EXE
    PID:2216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe .
1⤵
PID:4040
- C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe
  C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2308
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ibvukfewtrbzykyuvkdx.exe*."
    3⤵
    - Executes dropped EXE
    PID:4860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ibvukfewtrbzykyuvkdx.exe
1⤵
PID:4452
- C:\Windows\ibvukfewtrbzykyuvkdx.exe
  ibvukfewtrbzykyuvkdx.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ibvukfewtrbzykyuvkdx.exe .
1⤵
PID:3448
- C:\Windows\ibvukfewtrbzykyuvkdx.exe
  ibvukfewtrbzykyuvkdx.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:968
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ibvukfewtrbzykyuvkdx.exe*."
    3⤵
    - Executes dropped EXE
    PID:952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brierjfuojqlhqbus.exe
1⤵
PID:1072
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4920
- C:\Windows\brierjfuojqlhqbus.exe
  brierjfuojqlhqbus.exe
  2⤵
  - Executes dropped EXE
  PID:1588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vngetnlcyvebzkxssgy.exe .
1⤵
PID:4932
- C:\Windows\vngetnlcyvebzkxssgy.exe
  vngetnlcyvebzkxssgy.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5092
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\vngetnlcyvebzkxssgy.exe*."
    3⤵
    - Executes dropped EXE
    PID:3048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe
1⤵
PID:3484
- C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe
  C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe
  2⤵
  - Executes dropped EXE
  PID:2968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe .
1⤵
PID:1376
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4832
- C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe
  C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1412
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\vngetnlcyvebzkxssgy.exe*."
    3⤵
    - Executes dropped EXE
    PID:3828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe
1⤵
PID:4504
- C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe
  C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe .
1⤵
PID:5060
- C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe
  C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1416
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ujzugxsgztztowgy.exe*."
    3⤵
    - Executes dropped EXE
    PID:1380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:4860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ibvukfewtrbzykyuvkdx.exe
1⤵
PID:2768
- C:\Windows\ibvukfewtrbzykyuvkdx.exe
  ibvukfewtrbzykyuvkdx.exe
  2⤵
  - Executes dropped EXE
  PID:4636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ibvukfewtrbzykyuvkdx.exe
1⤵
PID:4100
- C:\Windows\ibvukfewtrbzykyuvkdx.exe
  ibvukfewtrbzykyuvkdx.exe
  2⤵
  - Executes dropped EXE
  PID:2800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ibvukfewtrbzykyuvkdx.exe .
1⤵
PID:4372
- C:\Windows\ibvukfewtrbzykyuvkdx.exe
  ibvukfewtrbzykyuvkdx.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4884
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ibvukfewtrbzykyuvkdx.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ibvukfewtrbzykyuvkdx.exe .
1⤵
PID:1128
- C:\Windows\ibvukfewtrbzykyuvkdx.exe
  ibvukfewtrbzykyuvkdx.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1864
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ibvukfewtrbzykyuvkdx.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - System Location Discovery: System Language Discovery
    - System policy modification
    PID:1064
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-c:\windows\ibvukfewtrbzykyuvkdx.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2308
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-c:\windows\ibvukfewtrbzykyuvkdx.exe"
      4⤵
      PID:2392
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-c:\windows\ibvukfewtrbzykyuvkdx.exe"
      4⤵
      PID:4412
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-c:\windows\ibvukfewtrbzykyuvkdx.exe"
      4⤵
      PID:2780
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-c:\windows\ibvukfewtrbzykyuvkdx.exe"
      4⤵
      PID:2372
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-c:\windows\ibvukfewtrbzykyuvkdx.exe"
      4⤵
      PID:4348
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-c:\windows\ibvukfewtrbzykyuvkdx.exe"
      4⤵
      PID:880
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-c:\windows\ibvukfewtrbzykyuvkdx.exe"
      4⤵
      PID:3024
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-c:\windows\ibvukfewtrbzykyuvkdx.exe"
      4⤵
      PID:4256
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-c:\windows\ibvukfewtrbzykyuvkdx.exe"
      4⤵
      PID:2748
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-c:\windows\ibvukfewtrbzykyuvkdx.exe"
      4⤵
      PID:4580
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-c:\windows\ibvukfewtrbzykyuvkdx.exe"
      4⤵
      PID:3188
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-c:\windows\ibvukfewtrbzykyuvkdx.exe"
      4⤵
      PID:3500
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-c:\windows\ibvukfewtrbzykyuvkdx.exe"
      4⤵
      PID:4256
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-c:\windows\ibvukfewtrbzykyuvkdx.exe"
      4⤵
      PID:2968
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-c:\windows\ibvukfewtrbzykyuvkdx.exe"
      4⤵
      PID:3128
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-c:\windows\ibvukfewtrbzykyuvkdx.exe"
      4⤵
      PID:1172
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-c:\windows\ibvukfewtrbzykyuvkdx.exe"
      4⤵
      PID:3024
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-c:\windows\ibvukfewtrbzykyuvkdx.exe"
      4⤵
      PID:1336
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-c:\windows\ibvukfewtrbzykyuvkdx.exe"
      4⤵
      PID:1348
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-c:\windows\ibvukfewtrbzykyuvkdx.exe"
      4⤵
      PID:1112
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-c:\windows\ibvukfewtrbzykyuvkdx.exe"
      4⤵
      PID:3024
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-c:\windows\ibvukfewtrbzykyuvkdx.exe"
      4⤵
      PID:2276
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-c:\windows\ibvukfewtrbzykyuvkdx.exe"
      4⤵
      PID:4316
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-c:\windows\ibvukfewtrbzykyuvkdx.exe"
      4⤵
      PID:968
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-c:\windows\ibvukfewtrbzykyuvkdx.exe"
      4⤵
      PID:4420
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-c:\windows\ibvukfewtrbzykyuvkdx.exe"
      4⤵
      PID:4272
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-c:\windows\ibvukfewtrbzykyuvkdx.exe"
      4⤵
      PID:880
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-c:\windows\ibvukfewtrbzykyuvkdx.exe"
      4⤵
      PID:2968
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-c:\windows\ibvukfewtrbzykyuvkdx.exe"
      4⤵
      PID:5084
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-c:\windows\ibvukfewtrbzykyuvkdx.exe"
      4⤵
      PID:4360
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-c:\windows\ibvukfewtrbzykyuvkdx.exe"
      4⤵
      PID:1276
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-c:\windows\ibvukfewtrbzykyuvkdx.exe"
      4⤵
      PID:3160
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-c:\windows\ibvukfewtrbzykyuvkdx.exe"
      4⤵
      PID:2704
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-c:\windows\ibvukfewtrbzykyuvkdx.exe"
      4⤵
      PID:4460
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-c:\windows\ibvukfewtrbzykyuvkdx.exe"
      4⤵
      PID:2468
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-c:\windows\ibvukfewtrbzykyuvkdx.exe"
      4⤵
      PID:208
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-c:\windows\ibvukfewtrbzykyuvkdx.exe"
      4⤵
      PID:1664
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-c:\windows\ibvukfewtrbzykyuvkdx.exe"
      4⤵
      PID:4520
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-c:\windows\ibvukfewtrbzykyuvkdx.exe"
      4⤵
      PID:3868
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-c:\windows\ibvukfewtrbzykyuvkdx.exe"
      4⤵
      PID:1452
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-c:\windows\ibvukfewtrbzykyuvkdx.exe"
      4⤵
      PID:3344
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-c:\windows\ibvukfewtrbzykyuvkdx.exe"
      4⤵
      PID:2704
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-c:\windows\ibvukfewtrbzykyuvkdx.exe"
      4⤵
      PID:4832
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-c:\windows\ibvukfewtrbzykyuvkdx.exe"
      4⤵
      PID:4532
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-c:\windows\ibvukfewtrbzykyuvkdx.exe"
      4⤵
      PID:3940
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-c:\windows\ibvukfewtrbzykyuvkdx.exe"
      4⤵
      PID:1760
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-c:\windows\ibvukfewtrbzykyuvkdx.exe"
      4⤵
      PID:1188
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-c:\windows\ibvukfewtrbzykyuvkdx.exe"
      4⤵
      PID:1056
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-c:\windows\ibvukfewtrbzykyuvkdx.exe"
      4⤵
      PID:60
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-c:\windows\ibvukfewtrbzykyuvkdx.exe"
      4⤵
      PID:2920
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-c:\windows\ibvukfewtrbzykyuvkdx.exe"
      4⤵
      PID:1112
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-c:\windows\ibvukfewtrbzykyuvkdx.exe"
      4⤵
      PID:672
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-c:\windows\ibvukfewtrbzykyuvkdx.exe"
      4⤵
      PID:4424
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-c:\windows\ibvukfewtrbzykyuvkdx.exe"
      4⤵
      PID:1736
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-c:\windows\ibvukfewtrbzykyuvkdx.exe"
      4⤵
      PID:392
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-c:\windows\ibvukfewtrbzykyuvkdx.exe"
      4⤵
      PID:2920
  - - C:\Users\Admin\AppData\Local\Temp\oqsenp.exe
      "C:\Users\Admin\AppData\Local\Temp\oqsenp.exe" "-c:\windows\ibvukfewtrbzykyuvkdx.exe"
      4⤵
      PID:4088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ujzugxsgztztowgy.exe
1⤵
PID:3612
- C:\Windows\ujzugxsgztztowgy.exe
  ujzugxsgztztowgy.exe
  2⤵
  - Executes dropped EXE
  PID:2276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kbtqexukfbjfcmysre.exe
1⤵
PID:3928
- C:\Windows\kbtqexukfbjfcmysre.exe
  kbtqexukfbjfcmysre.exe
  2⤵
  - Executes dropped EXE
  PID:432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brierjfuojqlhqbus.exe .
1⤵
PID:3100
- C:\Windows\brierjfuojqlhqbus.exe
  brierjfuojqlhqbus.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3688
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\brierjfuojqlhqbus.exe*."
    3⤵
    PID:2388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ujzugxsgztztowgy.exe .
1⤵
PID:3768
- C:\Windows\ujzugxsgztztowgy.exe
  ujzugxsgztztowgy.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1968
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ujzugxsgztztowgy.exe*."
    3⤵
    PID:4180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe
1⤵
PID:1964
- C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe
  C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe
1⤵
PID:1072
- C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe
  C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe
  2⤵
  - Executes dropped EXE
  PID:1620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe .
1⤵
PID:912
- C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe
  C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4040
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\kbtqexukfbjfcmysre.exe*."
    3⤵
    PID:4360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe .
1⤵
PID:536
- C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe
  C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2108
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\xrmmdzzsqpazzmbyaqkff.exe*."
    3⤵
    PID:5008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe
1⤵
PID:1248
- C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe
  C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe
  2⤵
  PID:4300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe
1⤵
PID:416
- C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe
  C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe
  2⤵
  PID:4636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kbtqexukfbjfcmysre.exe
1⤵
PID:1376
- C:\Windows\kbtqexukfbjfcmysre.exe
  kbtqexukfbjfcmysre.exe
  2⤵
  PID:3064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe .
1⤵
PID:4048
- C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe
  C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1620
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\brierjfuojqlhqbus.exe*."
    3⤵
    PID:3824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe .
1⤵
PID:1488
- C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe
  C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4932
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ujzugxsgztztowgy.exe*."
    3⤵
    PID:4488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dulmkbzoqekvuuhwtvriz.exe
1⤵
PID:3200
- C:\Windows\dulmkbzoqekvuuhwtvriz.exe
  dulmkbzoqekvuuhwtvriz.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brierjfuojqlhqbus.exe .
1⤵
PID:4412
- C:\Windows\brierjfuojqlhqbus.exe
  brierjfuojqlhqbus.exe .
  2⤵
  - Checks computer location settings
  PID:1964
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\brierjfuojqlhqbus.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c amyunzsczijpjemw.exe .
1⤵
PID:2392
- C:\Windows\amyunzsczijpjemw.exe
  amyunzsczijpjemw.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3012
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\amyunzsczijpjemw.exe*."
    3⤵
    PID:2064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ibvukfewtrbzykyuvkdx.exe
1⤵
PID:3876
- C:\Windows\ibvukfewtrbzykyuvkdx.exe
  ibvukfewtrbzykyuvkdx.exe
  2⤵
  PID:3064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dulmkbzoqekvuuhwtvriz.exe
1⤵
PID:2268
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2156
- C:\Windows\dulmkbzoqekvuuhwtvriz.exe
  dulmkbzoqekvuuhwtvriz.exe
  2⤵
  PID:4376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brierjfuojqlhqbus.exe .
1⤵
PID:3736
- C:\Windows\brierjfuojqlhqbus.exe
  brierjfuojqlhqbus.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1276
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\brierjfuojqlhqbus.exe*."
    3⤵
    PID:4828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qesqlzugfqtbxueqkj.exe .
1⤵
PID:2276
- C:\Windows\qesqlzugfqtbxueqkj.exe
  qesqlzugfqtbxueqkj.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3452
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\qesqlzugfqtbxueqkj.exe*."
    3⤵
    PID:4656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe
1⤵
PID:1976
- C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe
  C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe
  2⤵
  PID:2800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oeuurhestglvtsesopka.exe
1⤵
PID:1172
- C:\Users\Admin\AppData\Local\Temp\oeuurhestglvtsesopka.exe
  C:\Users\Admin\AppData\Local\Temp\oeuurhestglvtsesopka.exe
  2⤵
  PID:1588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe .
1⤵
PID:2148
- C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe
  C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2860
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\vngetnlcyvebzkxssgy.exe*."
    3⤵
    PID:1324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oeuurhestglvtsesopka.exe .
1⤵
PID:4612
- C:\Users\Admin\AppData\Local\Temp\oeuurhestglvtsesopka.exe
  C:\Users\Admin\AppData\Local\Temp\oeuurhestglvtsesopka.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3380
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\oeuurhestglvtsesopka.exe*."
    3⤵
    PID:1568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe
1⤵
PID:2604
- C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe
  C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe
  2⤵
  PID:3052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqfeaplyykoxusdqllf.exe
1⤵
PID:4496
- C:\Users\Admin\AppData\Local\Temp\bqfeaplyykoxusdqllf.exe
  C:\Users\Admin\AppData\Local\Temp\bqfeaplyykoxusdqllf.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe .
1⤵
PID:4784
- C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe
  C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3024
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\kbtqexukfbjfcmysre.exe*."
    3⤵
    PID:5104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\huheylfqoyahcyhsl.exe .
1⤵
PID:432
- C:\Users\Admin\AppData\Local\Temp\huheylfqoyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\huheylfqoyahcyhsl.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1964
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\huheylfqoyahcyhsl.exe*."
    3⤵
    PID:1888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vngetnlcyvebzkxssgy.exe
1⤵
PID:3984
- C:\Windows\vngetnlcyvebzkxssgy.exe
  vngetnlcyvebzkxssgy.exe
  2⤵
  PID:3564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ujzugxsgztztowgy.exe .
1⤵
PID:1676
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1324
- C:\Windows\ujzugxsgztztowgy.exe
  ujzugxsgztztowgy.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4856
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ujzugxsgztztowgy.exe*."
    3⤵
    PID:2116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brierjfuojqlhqbus.exe
1⤵
PID:2120
- C:\Windows\brierjfuojqlhqbus.exe
  brierjfuojqlhqbus.exe
  2⤵
  PID:416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ujzugxsgztztowgy.exe .
1⤵
PID:2748
- C:\Windows\ujzugxsgztztowgy.exe
  ujzugxsgztztowgy.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3160
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ujzugxsgztztowgy.exe*."
    3⤵
    PID:1960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe
1⤵
PID:2268
- C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe
  C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe
  2⤵
  PID:2912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe .
1⤵
PID:4460
- C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe
  C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3380
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ibvukfewtrbzykyuvkdx.exe*."
    3⤵
    PID:1276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe
1⤵
PID:2044
- C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe
  C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe
  2⤵
  PID:3832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe .
1⤵
PID:2196
- C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe
  C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1504
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ibvukfewtrbzykyuvkdx.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ujzugxsgztztowgy.exe
1⤵
PID:3024
- C:\Windows\ujzugxsgztztowgy.exe
  ujzugxsgztztowgy.exe
  2⤵
  PID:3564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c huheylfqoyahcyhsl.exe
1⤵
PID:5016
- C:\Windows\huheylfqoyahcyhsl.exe
  huheylfqoyahcyhsl.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ujzugxsgztztowgy.exe .
1⤵
PID:3104
- C:\Windows\ujzugxsgztztowgy.exe
  ujzugxsgztztowgy.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2392
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ujzugxsgztztowgy.exe*."
    3⤵
    PID:2752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qesqlzugfqtbxueqkj.exe .
1⤵
PID:2916
- C:\Windows\qesqlzugfqtbxueqkj.exe
  qesqlzugfqtbxueqkj.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4884
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\qesqlzugfqtbxueqkj.exe*."
    3⤵
    PID:3612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xrmmdzzsqpazzmbyaqkff.exe
1⤵
PID:3876
- C:\Windows\xrmmdzzsqpazzmbyaqkff.exe
  xrmmdzzsqpazzmbyaqkff.exe
  2⤵
  PID:3160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c amyunzsczijpjemw.exe
1⤵
PID:1508
- C:\Windows\amyunzsczijpjemw.exe
  amyunzsczijpjemw.exe
  2⤵
  PID:4256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ibvukfewtrbzykyuvkdx.exe .
1⤵
PID:3440
- C:\Windows\ibvukfewtrbzykyuvkdx.exe
  ibvukfewtrbzykyuvkdx.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2076
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ibvukfewtrbzykyuvkdx.exe*."
    3⤵
    PID:2636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qesqlzugfqtbxueqkj.exe .
1⤵
PID:2000
- C:\Windows\qesqlzugfqtbxueqkj.exe
  qesqlzugfqtbxueqkj.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4544
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\qesqlzugfqtbxueqkj.exe*."
    3⤵
    PID:3340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe
1⤵
PID:3888
- C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe
  C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe
  2⤵
  PID:2312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oeuurhestglvtsesopka.exe
1⤵
PID:3484
- C:\Users\Admin\AppData\Local\Temp\oeuurhestglvtsesopka.exe
  C:\Users\Admin\AppData\Local\Temp\oeuurhestglvtsesopka.exe
  2⤵
  PID:4612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe .
1⤵
PID:2200
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4040
- C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe
  C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4380
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\vngetnlcyvebzkxssgy.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qesqlzugfqtbxueqkj.exe .
1⤵
PID:672
- C:\Users\Admin\AppData\Local\Temp\qesqlzugfqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\qesqlzugfqtbxueqkj.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1968
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\qesqlzugfqtbxueqkj.exe*."
    3⤵
    PID:1976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe
  C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe
  2⤵
  PID:2152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qesqlzugfqtbxueqkj.exe
1⤵
PID:2800
- C:\Users\Admin\AppData\Local\Temp\qesqlzugfqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\qesqlzugfqtbxueqkj.exe
  2⤵
  PID:2388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe .
1⤵
PID:4188
- C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe
  C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1500
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\brierjfuojqlhqbus.exe*."
    3⤵
    PID:4272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\huheylfqoyahcyhsl.exe .
1⤵
PID:5016
- C:\Users\Admin\AppData\Local\Temp\huheylfqoyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\huheylfqoyahcyhsl.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2168
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\huheylfqoyahcyhsl.exe*."
    3⤵
    PID:4604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kbtqexukfbjfcmysre.exe
1⤵
PID:1472
- C:\Windows\kbtqexukfbjfcmysre.exe
  kbtqexukfbjfcmysre.exe
  2⤵
  PID:536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ibvukfewtrbzykyuvkdx.exe .
1⤵
PID:4612
- C:\Windows\ibvukfewtrbzykyuvkdx.exe
  ibvukfewtrbzykyuvkdx.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1172
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ibvukfewtrbzykyuvkdx.exe*."
    3⤵
    PID:2244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ujzugxsgztztowgy.exe
1⤵
PID:3564
- C:\Windows\ujzugxsgztztowgy.exe
  ujzugxsgztztowgy.exe
  2⤵
  PID:1848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xrmmdzzsqpazzmbyaqkff.exe .
1⤵
PID:3380
- C:\Windows\xrmmdzzsqpazzmbyaqkff.exe
  xrmmdzzsqpazzmbyaqkff.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1320
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\xrmmdzzsqpazzmbyaqkff.exe*."
    3⤵
    PID:3064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe
1⤵
PID:2440
- C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe
  C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe
  2⤵
  PID:1976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe .
1⤵
PID:884
- C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe
  C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1960
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\kbtqexukfbjfcmysre.exe*."
    3⤵
    PID:4872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe
1⤵
PID:3960
- C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe
  C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe
  2⤵
  PID:3736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe .
1⤵
PID:1988
- C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe
  C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4828
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\vngetnlcyvebzkxssgy.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ujzugxsgztztowgy.exe
1⤵
PID:1336
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2308
- C:\Windows\ujzugxsgztztowgy.exe
  ujzugxsgztztowgy.exe
  2⤵
  PID:4076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ibvukfewtrbzykyuvkdx.exe .
1⤵
PID:3444
- C:\Windows\ibvukfewtrbzykyuvkdx.exe
  ibvukfewtrbzykyuvkdx.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3988
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ibvukfewtrbzykyuvkdx.exe*."
    3⤵
    PID:1848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ibvukfewtrbzykyuvkdx.exe
1⤵
PID:3408
- C:\Windows\ibvukfewtrbzykyuvkdx.exe
  ibvukfewtrbzykyuvkdx.exe
  2⤵
  PID:1472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kbtqexukfbjfcmysre.exe .
1⤵
PID:5004
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2372
- C:\Windows\kbtqexukfbjfcmysre.exe
  kbtqexukfbjfcmysre.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4580
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\kbtqexukfbjfcmysre.exe*."
    3⤵
    PID:2752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe
1⤵
PID:1588
- C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe
  C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe
  2⤵
  PID:2268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe .
1⤵
PID:4352
- C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe
  C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3028
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\vngetnlcyvebzkxssgy.exe*."
    3⤵
    PID:3440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe
1⤵
PID:2540
- C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe
  C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe
  2⤵
  PID:4232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe .
1⤵
PID:3380
- C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe
  C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1968
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ujzugxsgztztowgy.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xrmmdzzsqpazzmbyaqkff.exe
1⤵
PID:1500
- C:\Windows\xrmmdzzsqpazzmbyaqkff.exe
  xrmmdzzsqpazzmbyaqkff.exe
  2⤵
  PID:4488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xrmmdzzsqpazzmbyaqkff.exe .
1⤵
PID:1988
- C:\Windows\xrmmdzzsqpazzmbyaqkff.exe
  xrmmdzzsqpazzmbyaqkff.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4936
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\xrmmdzzsqpazzmbyaqkff.exe*."
    3⤵
    PID:2148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brierjfuojqlhqbus.exe
1⤵
PID:2916
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3688
- C:\Windows\brierjfuojqlhqbus.exe
  brierjfuojqlhqbus.exe
  2⤵
  PID:744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vngetnlcyvebzkxssgy.exe .
1⤵
PID:3060
- C:\Windows\vngetnlcyvebzkxssgy.exe
  vngetnlcyvebzkxssgy.exe .
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5060
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\vngetnlcyvebzkxssgy.exe*."
    3⤵
    PID:5108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe
1⤵
PID:2564
- C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe
  C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe
  2⤵
  PID:2244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kbtqexukfbjfcmysre.exe
1⤵
PID:4496
- C:\Windows\kbtqexukfbjfcmysre.exe
  kbtqexukfbjfcmysre.exe
  2⤵
  PID:1620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe .
1⤵
PID:5016
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4692
- C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe
  C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe .
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4424
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\xrmmdzzsqpazzmbyaqkff.exe*."
    3⤵
    PID:3736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vngetnlcyvebzkxssgy.exe
1⤵
PID:5104
- C:\Windows\vngetnlcyvebzkxssgy.exe
  vngetnlcyvebzkxssgy.exe
  2⤵
  PID:3564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vngetnlcyvebzkxssgy.exe .
1⤵
PID:2312
- C:\Windows\vngetnlcyvebzkxssgy.exe
  vngetnlcyvebzkxssgy.exe .
  2⤵
  PID:2168
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\vngetnlcyvebzkxssgy.exe*."
    3⤵
    PID:4612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brierjfuojqlhqbus.exe .
1⤵
PID:2780
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2252
- C:\Windows\brierjfuojqlhqbus.exe
  brierjfuojqlhqbus.exe .
  2⤵
  PID:4460
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\brierjfuojqlhqbus.exe*."
    3⤵
    PID:916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe
1⤵
PID:3832
- C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe
  C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe
  2⤵
  PID:1472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe .
1⤵
PID:2988
- C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe
  C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe .
  2⤵
  PID:1048
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\kbtqexukfbjfcmysre.exe*."
    3⤵
    PID:2768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ujzugxsgztztowgy.exe
1⤵
PID:884
- C:\Windows\ujzugxsgztztowgy.exe
  ujzugxsgztztowgy.exe
  2⤵
  PID:2652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xrmmdzzsqpazzmbyaqkff.exe
1⤵
PID:3740
- C:\Windows\xrmmdzzsqpazzmbyaqkff.exe
  xrmmdzzsqpazzmbyaqkff.exe
  2⤵
  PID:1848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vngetnlcyvebzkxssgy.exe .
1⤵
PID:768
- C:\Windows\vngetnlcyvebzkxssgy.exe
  vngetnlcyvebzkxssgy.exe .
  2⤵
  PID:5004
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\vngetnlcyvebzkxssgy.exe*."
    3⤵
    PID:4684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brierjfuojqlhqbus.exe .
1⤵
PID:1504
- C:\Windows\brierjfuojqlhqbus.exe
  brierjfuojqlhqbus.exe .
  2⤵
  PID:3452
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\brierjfuojqlhqbus.exe*."
    3⤵
    PID:2636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe
1⤵
PID:1248
- C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe
  C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe
  2⤵
  PID:2752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe
1⤵
PID:1740
- C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe
  C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe
  2⤵
  PID:848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe .
1⤵
PID:3528
- C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe
  C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe .
  2⤵
  PID:2132
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\brierjfuojqlhqbus.exe*."
    3⤵
    PID:3832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe .
1⤵
PID:208
- C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe
  C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe .
  2⤵
  PID:5104
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\brierjfuojqlhqbus.exe*."
    3⤵
    PID:3052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe
1⤵
PID:1764
- C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe
  C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe
  2⤵
  PID:3244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe
1⤵
PID:4300
- C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe
  C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe
  2⤵
  PID:4636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe .
1⤵
PID:1276
- C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe
  C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe .
  2⤵
  PID:1848
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\brierjfuojqlhqbus.exe*."
    3⤵
    PID:4412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe .
1⤵
PID:940
- C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe
  C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe .
  2⤵
  PID:1128
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ibvukfewtrbzykyuvkdx.exe*."
    3⤵
    PID:3012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ibvukfewtrbzykyuvkdx.exe
1⤵
PID:4048
- C:\Windows\ibvukfewtrbzykyuvkdx.exe
  ibvukfewtrbzykyuvkdx.exe
  2⤵
  PID:464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vngetnlcyvebzkxssgy.exe .
1⤵
PID:1348
- C:\Windows\vngetnlcyvebzkxssgy.exe
  vngetnlcyvebzkxssgy.exe .
  2⤵
  PID:3980
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\vngetnlcyvebzkxssgy.exe*."
    3⤵
    PID:1188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kbtqexukfbjfcmysre.exe
1⤵
PID:2800
- C:\Windows\kbtqexukfbjfcmysre.exe
  kbtqexukfbjfcmysre.exe
  2⤵
  PID:3048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vngetnlcyvebzkxssgy.exe .
1⤵
PID:1620
- C:\Windows\vngetnlcyvebzkxssgy.exe
  vngetnlcyvebzkxssgy.exe .
  2⤵
  PID:1324
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\vngetnlcyvebzkxssgy.exe*."
    3⤵
    PID:3408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe
1⤵
PID:2920
- C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe
  C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe
  2⤵
  PID:3100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe .
1⤵
PID:2068
- C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe
  C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe .
  2⤵
  PID:2152
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\brierjfuojqlhqbus.exe*."
    3⤵
    PID:1784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe
1⤵
PID:3868
- C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe
  C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe
  2⤵
  PID:2748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe .
1⤵
PID:3660
- C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe
  C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe .
  2⤵
  PID:2268
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ibvukfewtrbzykyuvkdx.exe*."
    3⤵
    PID:1764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brierjfuojqlhqbus.exe
1⤵
PID:4804
- C:\Windows\brierjfuojqlhqbus.exe
  brierjfuojqlhqbus.exe
  2⤵
  PID:60

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vngetnlcyvebzkxssgy.exe .
1⤵
PID:1508
- C:\Windows\vngetnlcyvebzkxssgy.exe
  vngetnlcyvebzkxssgy.exe .
  2⤵
  PID:392
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\vngetnlcyvebzkxssgy.exe*."
    3⤵
    PID:4272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vngetnlcyvebzkxssgy.exe
1⤵
PID:644
- C:\Windows\vngetnlcyvebzkxssgy.exe
  vngetnlcyvebzkxssgy.exe
  2⤵
  PID:1736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xrmmdzzsqpazzmbyaqkff.exe .
1⤵
PID:4828
- C:\Windows\xrmmdzzsqpazzmbyaqkff.exe
  xrmmdzzsqpazzmbyaqkff.exe .
  2⤵
  PID:2768
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\xrmmdzzsqpazzmbyaqkff.exe*."
    3⤵
    PID:4316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe
1⤵
PID:2312
- C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe
  C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe
  2⤵
  PID:1112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe .
1⤵
PID:4988
- C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe
  C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe .
  2⤵
  PID:4512
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ujzugxsgztztowgy.exe*."
    3⤵
    PID:1620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe
1⤵
PID:3188
- C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe
  C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe
  2⤵
  PID:1244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe .
1⤵
PID:208
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2308
- C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe
  C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe .
  2⤵
  PID:2120
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\kbtqexukfbjfcmysre.exe*."
    3⤵
    PID:3420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xrmmdzzsqpazzmbyaqkff.exe
1⤵
PID:4460
- C:\Windows\xrmmdzzsqpazzmbyaqkff.exe
  xrmmdzzsqpazzmbyaqkff.exe
  2⤵
  PID:2116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kbtqexukfbjfcmysre.exe .
1⤵
PID:3988
- C:\Windows\kbtqexukfbjfcmysre.exe
  kbtqexukfbjfcmysre.exe .
  2⤵
  PID:2436
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\kbtqexukfbjfcmysre.exe*."
    3⤵
    PID:4924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c amyunzsczijpjemw.exe
1⤵
PID:4832
- C:\Windows\amyunzsczijpjemw.exe
  amyunzsczijpjemw.exe
  2⤵
  PID:4528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brierjfuojqlhqbus.exe
1⤵
PID:4376
- C:\Windows\brierjfuojqlhqbus.exe
  brierjfuojqlhqbus.exe
  2⤵
  PID:348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oeuurhestglvtsesopka.exe .
1⤵
PID:4048
- C:\Windows\oeuurhestglvtsesopka.exe
  oeuurhestglvtsesopka.exe .
  2⤵
  PID:4612
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\oeuurhestglvtsesopka.exe*."
    3⤵
    PID:3388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kbtqexukfbjfcmysre.exe .
1⤵
PID:1508
- C:\Windows\kbtqexukfbjfcmysre.exe
  kbtqexukfbjfcmysre.exe .
  2⤵
  PID:3380
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\kbtqexukfbjfcmysre.exe*."
    3⤵
    PID:1784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe
1⤵
PID:3320
- C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe
  C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe
  2⤵
  PID:208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bqfeaplyykoxusdqllf.exe
1⤵
PID:3344
- C:\Windows\bqfeaplyykoxusdqllf.exe
  bqfeaplyykoxusdqllf.exe
  2⤵
  PID:768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe .
1⤵
PID:512
- C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe
  C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe .
  2⤵
  PID:1384
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ibvukfewtrbzykyuvkdx.exe*."
    3⤵
    PID:4684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c amyunzsczijpjemw.exe .
1⤵
PID:5016
- C:\Windows\amyunzsczijpjemw.exe
  amyunzsczijpjemw.exe .
  2⤵
  PID:4888
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\amyunzsczijpjemw.exe*."
    3⤵
    PID:3988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\huheylfqoyahcyhsl.exe
1⤵
PID:2276
- C:\Users\Admin\AppData\Local\Temp\huheylfqoyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\huheylfqoyahcyhsl.exe
  2⤵
  PID:2436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dulmkbzoqekvuuhwtvriz.exe .
1⤵
PID:4988
- C:\Users\Admin\AppData\Local\Temp\dulmkbzoqekvuuhwtvriz.exe
  C:\Users\Admin\AppData\Local\Temp\dulmkbzoqekvuuhwtvriz.exe .
  2⤵
  PID:3432
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\dulmkbzoqekvuuhwtvriz.exe*."
    3⤵
    PID:4932

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:2800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe
1⤵
PID:4016
- C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe
  C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe
  2⤵
  PID:1736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe .
1⤵
PID:2120
- C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe
  C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe .
  2⤵
  PID:3468
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ibvukfewtrbzykyuvkdx.exe*."
    3⤵
    PID:1452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqfeaplyykoxusdqllf.exe
1⤵
PID:3444
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2076
- C:\Users\Admin\AppData\Local\Temp\bqfeaplyykoxusdqllf.exe
  C:\Users\Admin\AppData\Local\Temp\bqfeaplyykoxusdqllf.exe
  2⤵
  PID:1416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqfeaplyykoxusdqllf.exe .
1⤵
PID:380
- C:\Users\Admin\AppData\Local\Temp\bqfeaplyykoxusdqllf.exe
  C:\Users\Admin\AppData\Local\Temp\bqfeaplyykoxusdqllf.exe .
  2⤵
  PID:2704
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\bqfeaplyykoxusdqllf.exe*."
    3⤵
    PID:4568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ujzugxsgztztowgy.exe
1⤵
PID:1188
- C:\Windows\ujzugxsgztztowgy.exe
  ujzugxsgztztowgy.exe
  2⤵
  PID:4680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xrmmdzzsqpazzmbyaqkff.exe .
1⤵
PID:1112
- C:\Windows\xrmmdzzsqpazzmbyaqkff.exe
  xrmmdzzsqpazzmbyaqkff.exe .
  2⤵
  PID:1200
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\xrmmdzzsqpazzmbyaqkff.exe*."
    3⤵
    PID:3940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xrmmdzzsqpazzmbyaqkff.exe
1⤵
PID:3928
- C:\Windows\xrmmdzzsqpazzmbyaqkff.exe
  xrmmdzzsqpazzmbyaqkff.exe
  2⤵
  PID:4416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brierjfuojqlhqbus.exe .
1⤵
PID:4892
- C:\Windows\brierjfuojqlhqbus.exe
  brierjfuojqlhqbus.exe .
  2⤵
  PID:4400
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\brierjfuojqlhqbus.exe*."
    3⤵
    PID:4580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe
1⤵
PID:2372
- C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe
  C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe
  2⤵
  PID:2152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe .
1⤵
PID:3160
- C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe
  C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe .
  2⤵
  PID:2448
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ibvukfewtrbzykyuvkdx.exe*."
    3⤵
    PID:3732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe
1⤵
PID:1568
- C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe
  C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe
  2⤵
  PID:1500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe .
1⤵
PID:4852
- C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe
  C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe .
  2⤵
  PID:3012
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ujzugxsgztztowgy.exe*."
    3⤵
    PID:4656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brierjfuojqlhqbus.exe
1⤵
PID:2656
- C:\Windows\brierjfuojqlhqbus.exe
  brierjfuojqlhqbus.exe
  2⤵
  PID:3868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vngetnlcyvebzkxssgy.exe .
1⤵
PID:4232
- C:\Windows\vngetnlcyvebzkxssgy.exe
  vngetnlcyvebzkxssgy.exe .
  2⤵
  PID:4364
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\vngetnlcyvebzkxssgy.exe*."
    3⤵
    PID:2716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ujzugxsgztztowgy.exe
1⤵
PID:1128
- C:\Windows\ujzugxsgztztowgy.exe
  ujzugxsgztztowgy.exe
  2⤵
  PID:3660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kbtqexukfbjfcmysre.exe .
1⤵
PID:1968
- C:\Windows\kbtqexukfbjfcmysre.exe
  kbtqexukfbjfcmysre.exe .
  2⤵
  PID:3824
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\kbtqexukfbjfcmysre.exe*."
    3⤵
    PID:3188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe
1⤵
PID:4388
- C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe
  C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe
  2⤵
  PID:4316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe .
1⤵
PID:676
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4016
- C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe
  C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe .
  2⤵
  PID:4884
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ujzugxsgztztowgy.exe*."
    3⤵
    PID:4544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe
1⤵
PID:464
- C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe
  C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe
  2⤵
  PID:940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe .
1⤵
PID:4220
- C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe
  C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe .
  2⤵
  PID:4348
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\brierjfuojqlhqbus.exe*."
    3⤵
    PID:3012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brierjfuojqlhqbus.exe
1⤵
PID:208
- C:\Windows\brierjfuojqlhqbus.exe
  brierjfuojqlhqbus.exe
  2⤵
  PID:3868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ibvukfewtrbzykyuvkdx.exe .
1⤵
PID:1188
- C:\Windows\ibvukfewtrbzykyuvkdx.exe
  ibvukfewtrbzykyuvkdx.exe .
  2⤵
  PID:4364
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ibvukfewtrbzykyuvkdx.exe*."
    3⤵
    PID:3660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ibvukfewtrbzykyuvkdx.exe
1⤵
PID:2120
- C:\Windows\ibvukfewtrbzykyuvkdx.exe
  ibvukfewtrbzykyuvkdx.exe
  2⤵
  PID:1676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brierjfuojqlhqbus.exe .
1⤵
PID:3940
- C:\Windows\brierjfuojqlhqbus.exe
  brierjfuojqlhqbus.exe .
  2⤵
  PID:4652
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\brierjfuojqlhqbus.exe*."
    3⤵
    PID:2768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe
1⤵
PID:2968
- C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe
  C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe
  2⤵
  PID:3420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe .
1⤵
PID:2000
- C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe
  C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe .
  2⤵
  PID:940
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\xrmmdzzsqpazzmbyaqkff.exe*."
    3⤵
    PID:1384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe
1⤵
PID:3608
- C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe
  C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe
  2⤵
  PID:1324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe .
1⤵
PID:600
- C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe
  C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe .
  2⤵
  PID:832
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\vngetnlcyvebzkxssgy.exe*."
    3⤵
    PID:1588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brierjfuojqlhqbus.exe
1⤵
PID:2108
- C:\Windows\brierjfuojqlhqbus.exe
  brierjfuojqlhqbus.exe
  2⤵
  PID:4768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vngetnlcyvebzkxssgy.exe
1⤵
PID:2432
- C:\Windows\vngetnlcyvebzkxssgy.exe
  vngetnlcyvebzkxssgy.exe
  2⤵
  PID:3928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vngetnlcyvebzkxssgy.exe .
1⤵
PID:2064
- C:\Windows\vngetnlcyvebzkxssgy.exe
  vngetnlcyvebzkxssgy.exe .
  2⤵
  PID:1848
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\vngetnlcyvebzkxssgy.exe*."
    3⤵
    PID:2860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ibvukfewtrbzykyuvkdx.exe .
1⤵
PID:4256
- C:\Windows\ibvukfewtrbzykyuvkdx.exe
  ibvukfewtrbzykyuvkdx.exe .
  2⤵
  PID:672
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ibvukfewtrbzykyuvkdx.exe*."
    3⤵
    PID:2108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ujzugxsgztztowgy.exe
1⤵
PID:3316
- C:\Windows\ujzugxsgztztowgy.exe
  ujzugxsgztztowgy.exe
  2⤵
  PID:1960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xrmmdzzsqpazzmbyaqkff.exe
1⤵
PID:4804
- C:\Windows\xrmmdzzsqpazzmbyaqkff.exe
  xrmmdzzsqpazzmbyaqkff.exe
  2⤵
  PID:4088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ujzugxsgztztowgy.exe .
1⤵
PID:4988
- C:\Windows\ujzugxsgztztowgy.exe
  ujzugxsgztztowgy.exe .
  2⤵
  PID:3956
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ujzugxsgztztowgy.exe*."
    3⤵
    PID:2840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ibvukfewtrbzykyuvkdx.exe .
1⤵
PID:3876
- C:\Windows\ibvukfewtrbzykyuvkdx.exe
  ibvukfewtrbzykyuvkdx.exe .
  2⤵
  PID:2388
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ibvukfewtrbzykyuvkdx.exe*."
    3⤵
    PID:884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe
1⤵
PID:1380
- C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe
  C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe
  2⤵
  PID:3468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe
1⤵
PID:1904
- C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe
  C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe
  2⤵
  PID:3484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe .
1⤵
PID:3052
- C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe
  C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe .
  2⤵
  PID:2860
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\brierjfuojqlhqbus.exe*."
    3⤵
    PID:3940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe .
1⤵
PID:4076
- C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe
  C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe .
  2⤵
  PID:4416
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ujzugxsgztztowgy.exe*."
    3⤵
    PID:4080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ibvukfewtrbzykyuvkdx.exe
1⤵
PID:4532
- C:\Windows\ibvukfewtrbzykyuvkdx.exe
  ibvukfewtrbzykyuvkdx.exe
  2⤵
  PID:4048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe
1⤵
PID:4924
- C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe
  C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe
  2⤵
  PID:4232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe
1⤵
PID:2432
- C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe
  C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe
  2⤵
  PID:624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe .
1⤵
PID:4528
- C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe
  C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe .
  2⤵
  PID:3956
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\kbtqexukfbjfcmysre.exe*."
    3⤵
    PID:380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe .
1⤵
PID:2276
- C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe
  C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe .
  2⤵
  PID:2064
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\vngetnlcyvebzkxssgy.exe*."
    3⤵
    PID:4376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vngetnlcyvebzkxssgy.exe .
1⤵
PID:2912
- C:\Windows\vngetnlcyvebzkxssgy.exe
  vngetnlcyvebzkxssgy.exe .
  2⤵
  PID:4488
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\vngetnlcyvebzkxssgy.exe*."
    3⤵
    PID:5008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xrmmdzzsqpazzmbyaqkff.exe
1⤵
PID:4296
- C:\Windows\xrmmdzzsqpazzmbyaqkff.exe
  xrmmdzzsqpazzmbyaqkff.exe
  2⤵
  PID:2108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kbtqexukfbjfcmysre.exe .
1⤵
PID:1048
- C:\Windows\kbtqexukfbjfcmysre.exe
  kbtqexukfbjfcmysre.exe .
  2⤵
  PID:2860
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\kbtqexukfbjfcmysre.exe*."
    3⤵
    PID:2200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe
1⤵
PID:1848
- C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe
  C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe
  2⤵
  PID:5032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe .
1⤵
PID:1380
- C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe
  C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe .
  2⤵
  PID:1904
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\vngetnlcyvebzkxssgy.exe*."
    3⤵
    PID:600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe
1⤵
PID:2568
- C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe
  C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe
  2⤵
  PID:952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe .
1⤵
PID:3188
- C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe
  C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe .
  2⤵
  PID:4924
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\kbtqexukfbjfcmysre.exe*."
    3⤵
    PID:4352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kbtqexukfbjfcmysre.exe
1⤵
PID:3608
- C:\Windows\kbtqexukfbjfcmysre.exe
  kbtqexukfbjfcmysre.exe
  2⤵
  PID:4424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ujzugxsgztztowgy.exe .
1⤵
PID:2448
- C:\Windows\ujzugxsgztztowgy.exe
  ujzugxsgztztowgy.exe .
  2⤵
  PID:536
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ujzugxsgztztowgy.exe*."
    3⤵
    PID:1968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brierjfuojqlhqbus.exe
1⤵
PID:968
- C:\Windows\brierjfuojqlhqbus.exe
  brierjfuojqlhqbus.exe
  2⤵
  PID:4364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xrmmdzzsqpazzmbyaqkff.exe .
1⤵
PID:4512
- C:\Windows\xrmmdzzsqpazzmbyaqkff.exe
  xrmmdzzsqpazzmbyaqkff.exe .
  2⤵
  PID:2656
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\xrmmdzzsqpazzmbyaqkff.exe*."
    3⤵
    PID:3116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe
1⤵
PID:676
- C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe
  C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe
  2⤵
  PID:4348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe .
1⤵
PID:3344
- C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe
  C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe .
  2⤵
  PID:3048
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ibvukfewtrbzykyuvkdx.exe*."
    3⤵
    PID:1384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe
1⤵
PID:3868
- C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe
  C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe
  2⤵
  PID:1848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe .
1⤵
PID:1112
- C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe
  C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe .
  2⤵
  PID:1412
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\vngetnlcyvebzkxssgy.exe*."
    3⤵
    PID:2276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kbtqexukfbjfcmysre.exe
1⤵
PID:4080
- C:\Windows\kbtqexukfbjfcmysre.exe
  kbtqexukfbjfcmysre.exe
  2⤵
  PID:3928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ibvukfewtrbzykyuvkdx.exe .
1⤵
PID:4364
- C:\Windows\ibvukfewtrbzykyuvkdx.exe
  ibvukfewtrbzykyuvkdx.exe .
  2⤵
  PID:4180
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ibvukfewtrbzykyuvkdx.exe*."
    3⤵
    PID:1976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vngetnlcyvebzkxssgy.exe
1⤵
PID:3340
- C:\Windows\vngetnlcyvebzkxssgy.exe
  vngetnlcyvebzkxssgy.exe
  2⤵
  PID:3888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kbtqexukfbjfcmysre.exe .
1⤵
PID:1008
- C:\Windows\kbtqexukfbjfcmysre.exe
  kbtqexukfbjfcmysre.exe .
  2⤵
  PID:3744
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\kbtqexukfbjfcmysre.exe*."
    3⤵
    PID:2604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qesqlzugfqtbxueqkj.exe
1⤵
PID:4348
- C:\Windows\qesqlzugfqtbxueqkj.exe
  qesqlzugfqtbxueqkj.exe
  2⤵
  PID:3076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe
1⤵
PID:3408
- C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe
  C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe
  2⤵
  PID:5004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe .
1⤵
PID:2080
- C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe
  C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe .
  2⤵
  PID:880
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\brierjfuojqlhqbus.exe*."
    3⤵
    PID:2388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bqfeaplyykoxusdqllf.exe .
1⤵
PID:1380
- C:\Windows\bqfeaplyykoxusdqllf.exe
  bqfeaplyykoxusdqllf.exe .
  2⤵
  PID:1336
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\bqfeaplyykoxusdqllf.exe*."
    3⤵
    PID:3912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c huheylfqoyahcyhsl.exe
1⤵
PID:4056
- C:\Windows\huheylfqoyahcyhsl.exe
  huheylfqoyahcyhsl.exe
  2⤵
  PID:4344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe
1⤵
PID:4656
- C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe
  C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe
  2⤵
  PID:656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dulmkbzoqekvuuhwtvriz.exe .
1⤵
PID:4460
- C:\Windows\dulmkbzoqekvuuhwtvriz.exe
  dulmkbzoqekvuuhwtvriz.exe .
  2⤵
  PID:644
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\dulmkbzoqekvuuhwtvriz.exe*."
    3⤵
    PID:1472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe .
1⤵
PID:1784
- C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe
  C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe .
  2⤵
  PID:464
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ibvukfewtrbzykyuvkdx.exe*."
    3⤵
    PID:3744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oeuurhestglvtsesopka.exe
1⤵
PID:3564
- C:\Users\Admin\AppData\Local\Temp\oeuurhestglvtsesopka.exe
  C:\Users\Admin\AppData\Local\Temp\oeuurhestglvtsesopka.exe
  2⤵
  PID:3316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qesqlzugfqtbxueqkj.exe .
1⤵
PID:2196
- C:\Users\Admin\AppData\Local\Temp\qesqlzugfqtbxueqkj.exe
  C:\Users\Admin\AppData\Local\Temp\qesqlzugfqtbxueqkj.exe .
  2⤵
  PID:4316
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\qesqlzugfqtbxueqkj.exe*."
    3⤵
    PID:3620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dulmkbzoqekvuuhwtvriz.exe
1⤵
PID:4856
- C:\Users\Admin\AppData\Local\Temp\dulmkbzoqekvuuhwtvriz.exe
  C:\Users\Admin\AppData\Local\Temp\dulmkbzoqekvuuhwtvriz.exe
  2⤵
  PID:4416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqfeaplyykoxusdqllf.exe .
1⤵
PID:1416
- C:\Users\Admin\AppData\Local\Temp\bqfeaplyykoxusdqllf.exe
  C:\Users\Admin\AppData\Local\Temp\bqfeaplyykoxusdqllf.exe .
  2⤵
  PID:4344
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\bqfeaplyykoxusdqllf.exe*."
    3⤵
    PID:1452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xrmmdzzsqpazzmbyaqkff.exe
1⤵
PID:4604
- C:\Windows\xrmmdzzsqpazzmbyaqkff.exe
  xrmmdzzsqpazzmbyaqkff.exe
  2⤵
  PID:952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vngetnlcyvebzkxssgy.exe .
1⤵
PID:1276
- C:\Windows\vngetnlcyvebzkxssgy.exe
  vngetnlcyvebzkxssgy.exe .
  2⤵
  PID:2276
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\vngetnlcyvebzkxssgy.exe*."
    3⤵
    PID:656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ibvukfewtrbzykyuvkdx.exe
1⤵
PID:2688
- C:\Windows\ibvukfewtrbzykyuvkdx.exe
  ibvukfewtrbzykyuvkdx.exe
  2⤵
  PID:2448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ibvukfewtrbzykyuvkdx.exe .
1⤵
PID:60
- C:\Windows\ibvukfewtrbzykyuvkdx.exe
  ibvukfewtrbzykyuvkdx.exe .
  2⤵
  PID:3732
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ibvukfewtrbzykyuvkdx.exe*."
    3⤵
    PID:1500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe
1⤵
PID:1876
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:372
- C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe
  C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe
  2⤵
  PID:4684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe .
1⤵
PID:2468
- C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe
  C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe .
  2⤵
  PID:1620
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ujzugxsgztztowgy.exe*."
    3⤵
    PID:3620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe
1⤵
PID:916
- C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe
  C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe
  2⤵
  PID:4856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe .
1⤵
PID:1072
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2152
- C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe
  C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe .
  2⤵
  PID:4920
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\kbtqexukfbjfcmysre.exe*."
    3⤵
    PID:1128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xrmmdzzsqpazzmbyaqkff.exe
1⤵
PID:3416
- C:\Windows\xrmmdzzsqpazzmbyaqkff.exe
  xrmmdzzsqpazzmbyaqkff.exe
  2⤵
  PID:2720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vngetnlcyvebzkxssgy.exe .
1⤵
PID:2120
- C:\Windows\vngetnlcyvebzkxssgy.exe
  vngetnlcyvebzkxssgy.exe .
  2⤵
  PID:396
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\vngetnlcyvebzkxssgy.exe*."
    3⤵
    PID:672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ujzugxsgztztowgy.exe
1⤵
PID:656
- C:\Windows\ujzugxsgztztowgy.exe
  ujzugxsgztztowgy.exe
  2⤵
  PID:2568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vngetnlcyvebzkxssgy.exe .
1⤵
PID:1380
- C:\Windows\vngetnlcyvebzkxssgy.exe
  vngetnlcyvebzkxssgy.exe .
  2⤵
  PID:3448
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\vngetnlcyvebzkxssgy.exe*."
    3⤵
    PID:1664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe
1⤵
PID:1112
- C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe
  C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe
  2⤵
  PID:3832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe .
1⤵
PID:3556
- C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe
  C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe .
  2⤵
  PID:4160
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\brierjfuojqlhqbus.exe*."
    3⤵
    PID:4068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe
1⤵
PID:4856
- C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe
  C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe
  2⤵
  PID:3444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe .
1⤵
PID:3344
- C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe
  C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe .
  2⤵
  PID:2860
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\xrmmdzzsqpazzmbyaqkff.exe*."
    3⤵
    PID:2392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brierjfuojqlhqbus.exe
1⤵
PID:4568
- C:\Windows\brierjfuojqlhqbus.exe
  brierjfuojqlhqbus.exe
  2⤵
  PID:1416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kbtqexukfbjfcmysre.exe .
1⤵
PID:4604
- C:\Windows\kbtqexukfbjfcmysre.exe
  kbtqexukfbjfcmysre.exe .
  2⤵
  PID:1308
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\kbtqexukfbjfcmysre.exe*."
    3⤵
    PID:968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brierjfuojqlhqbus.exe
1⤵
PID:952
- C:\Windows\brierjfuojqlhqbus.exe
  brierjfuojqlhqbus.exe
  2⤵
  PID:2120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ujzugxsgztztowgy.exe .
1⤵
PID:1960
- C:\Windows\ujzugxsgztztowgy.exe
  ujzugxsgztztowgy.exe .
  2⤵
  PID:2988
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ujzugxsgztztowgy.exe*."
    3⤵
    PID:4620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe
1⤵
PID:3564
- C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe
  C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe
  2⤵
  PID:4656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe .
1⤵
PID:3832
- C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe
  C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe .
  2⤵
  PID:4684
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ibvukfewtrbzykyuvkdx.exe*."
    3⤵
    PID:2468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe
1⤵
PID:3940
- C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe
  C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe
  2⤵
  PID:3556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe .
1⤵
PID:4988
- C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe
  C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe .
  2⤵
  PID:4888
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\brierjfuojqlhqbus.exe*."
    3⤵
    PID:1324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ujzugxsgztztowgy.exe
1⤵
PID:2540
- C:\Windows\ujzugxsgztztowgy.exe
  ujzugxsgztztowgy.exe
  2⤵
  PID:4920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xrmmdzzsqpazzmbyaqkff.exe
1⤵
PID:4220
- C:\Windows\xrmmdzzsqpazzmbyaqkff.exe
  xrmmdzzsqpazzmbyaqkff.exe
  2⤵
  PID:3416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vngetnlcyvebzkxssgy.exe .
1⤵
PID:2388
- C:\Windows\vngetnlcyvebzkxssgy.exe
  vngetnlcyvebzkxssgy.exe .
  2⤵
  PID:1188
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\vngetnlcyvebzkxssgy.exe*."
    3⤵
    PID:4180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ibvukfewtrbzykyuvkdx.exe .
1⤵
PID:2716
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3452
- C:\Windows\ibvukfewtrbzykyuvkdx.exe
  ibvukfewtrbzykyuvkdx.exe .
  2⤵
  PID:968
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ibvukfewtrbzykyuvkdx.exe*."
    3⤵
    PID:2688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vngetnlcyvebzkxssgy.exe
1⤵
PID:3956
- C:\Windows\vngetnlcyvebzkxssgy.exe
  vngetnlcyvebzkxssgy.exe
  2⤵
  PID:3076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kbtqexukfbjfcmysre.exe
1⤵
PID:2120
- C:\Windows\kbtqexukfbjfcmysre.exe
  kbtqexukfbjfcmysre.exe
  2⤵
  PID:4016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ujzugxsgztztowgy.exe .
1⤵
PID:3244
- C:\Windows\ujzugxsgztztowgy.exe
  ujzugxsgztztowgy.exe .
  2⤵
  PID:1060
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ujzugxsgztztowgy.exe*."
    3⤵
    PID:2988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ujzugxsgztztowgy.exe
1⤵
PID:4076
- C:\Windows\ujzugxsgztztowgy.exe
  ujzugxsgztztowgy.exe
  2⤵
  PID:3860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vngetnlcyvebzkxssgy.exe .
1⤵
PID:1620
- C:\Windows\vngetnlcyvebzkxssgy.exe
  vngetnlcyvebzkxssgy.exe .
  2⤵
  PID:600
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\vngetnlcyvebzkxssgy.exe*."
    3⤵
    PID:2276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe
1⤵
PID:1380
- C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe
  C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe
  2⤵
  PID:4532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe
1⤵
PID:3528
- C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe
  C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe
  2⤵
  PID:2540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe .
1⤵
PID:3960
- C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe
  C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe .
  2⤵
  PID:4380
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ibvukfewtrbzykyuvkdx.exe*."
    3⤵
    PID:1384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ujzugxsgztztowgy.exe .
1⤵
PID:3160
- C:\Windows\ujzugxsgztztowgy.exe
  ujzugxsgztztowgy.exe .
  2⤵
  PID:1472
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ujzugxsgztztowgy.exe*."
    3⤵
    PID:2840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe .
1⤵
PID:456
- C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe
  C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe .
  2⤵
  PID:1508
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\xrmmdzzsqpazzmbyaqkff.exe*."
    3⤵
    PID:4236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vngetnlcyvebzkxssgy.exe
1⤵
PID:2440
- C:\Windows\vngetnlcyvebzkxssgy.exe
  vngetnlcyvebzkxssgy.exe
  2⤵
  PID:3028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe
1⤵
PID:2000
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4636
- C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe
  C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe
  2⤵
  PID:940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ujzugxsgztztowgy.exe .
1⤵
PID:1452
- C:\Windows\ujzugxsgztztowgy.exe
  ujzugxsgztztowgy.exe .
  2⤵
  PID:4884
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ujzugxsgztztowgy.exe*."
    3⤵
    PID:2840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe
1⤵
PID:4284
- C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe
  C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe
  2⤵
  PID:380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe .
1⤵
PID:4652
- C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe
  C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe .
  2⤵
  PID:880
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\xrmmdzzsqpazzmbyaqkff.exe*."
    3⤵
    PID:1200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe
1⤵
PID:3912
- C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe
  C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe
  2⤵
  PID:1384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe .
1⤵
PID:3076
- C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe
  C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe .
  2⤵
  PID:1508
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ujzugxsgztztowgy.exe*."
    3⤵
    PID:4056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe .
1⤵
PID:3048
- C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe
  C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe .
  2⤵
  PID:1060
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ibvukfewtrbzykyuvkdx.exe*."
    3⤵
    PID:4820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe
1⤵
PID:2068
- C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe
  C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe
  2⤵
  PID:4604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe .
1⤵
PID:1968
- C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe
  C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe .
  2⤵
  PID:2716
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\brierjfuojqlhqbus.exe*."
    3⤵
    PID:5108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kbtqexukfbjfcmysre.exe
1⤵
PID:3980
- C:\Windows\kbtqexukfbjfcmysre.exe
  kbtqexukfbjfcmysre.exe
  2⤵
  PID:744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xrmmdzzsqpazzmbyaqkff.exe .
1⤵
PID:2604
- C:\Windows\xrmmdzzsqpazzmbyaqkff.exe
  xrmmdzzsqpazzmbyaqkff.exe .
  2⤵
  PID:4820
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\xrmmdzzsqpazzmbyaqkff.exe*."
    3⤵
    PID:3832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vngetnlcyvebzkxssgy.exe
1⤵
PID:3988
- C:\Windows\vngetnlcyvebzkxssgy.exe
  vngetnlcyvebzkxssgy.exe
  2⤵
  PID:2716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ibvukfewtrbzykyuvkdx.exe .
1⤵
PID:1308
- C:\Windows\ibvukfewtrbzykyuvkdx.exe
  ibvukfewtrbzykyuvkdx.exe .
  2⤵
  PID:3620
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ibvukfewtrbzykyuvkdx.exe*."
    3⤵
    PID:4488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe
1⤵
PID:1312
- C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe
  C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe
  2⤵
  PID:1752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe .
1⤵
PID:3556
- C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe
  C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe .
  2⤵
  PID:1500
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\vngetnlcyvebzkxssgy.exe*."
    3⤵
    PID:2080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe
1⤵
PID:2440
- C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe
  C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe
  2⤵
  PID:4784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe .
1⤵
PID:4068
- C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe
  C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe .
  2⤵
  PID:2108
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ibvukfewtrbzykyuvkdx.exe*."
    3⤵
    PID:512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vngetnlcyvebzkxssgy.exe
1⤵
PID:940
- C:\Windows\vngetnlcyvebzkxssgy.exe
  vngetnlcyvebzkxssgy.exe
  2⤵
  PID:1324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ujzugxsgztztowgy.exe .
1⤵
PID:2520
- C:\Windows\ujzugxsgztztowgy.exe
  ujzugxsgztztowgy.exe .
  2⤵
  PID:3928
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ujzugxsgztztowgy.exe*."
    3⤵
    PID:3344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ibvukfewtrbzykyuvkdx.exe
1⤵
PID:3316
- C:\Windows\ibvukfewtrbzykyuvkdx.exe
  ibvukfewtrbzykyuvkdx.exe
  2⤵
  PID:600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ujzugxsgztztowgy.exe .
1⤵
PID:4868
- C:\Windows\ujzugxsgztztowgy.exe
  ujzugxsgztztowgy.exe .
  2⤵
  PID:1412
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ujzugxsgztztowgy.exe*."
    3⤵
    PID:4088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe
1⤵
PID:2604
- C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe
  C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe
  2⤵
  PID:2840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe .
1⤵
PID:1752
- C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe
  C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe .
  2⤵
  PID:1904
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ujzugxsgztztowgy.exe*."
    3⤵
    PID:848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qesqlzugfqtbxueqkj.exe
1⤵
PID:1848
- C:\Windows\qesqlzugfqtbxueqkj.exe
  qesqlzugfqtbxueqkj.exe
  2⤵
  PID:4372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe
1⤵
PID:4988
- C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe
  C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe
  2⤵
  PID:4512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe .
1⤵
PID:3048
- C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe
  C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe .
  2⤵
  PID:4296
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\brierjfuojqlhqbus.exe*."
    3⤵
    PID:628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c amyunzsczijpjemw.exe .
1⤵
PID:2944
- C:\Windows\amyunzsczijpjemw.exe
  amyunzsczijpjemw.exe .
  2⤵
  PID:2988
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\amyunzsczijpjemw.exe*."
    3⤵
    PID:2968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dulmkbzoqekvuuhwtvriz.exe
1⤵
PID:1336
- C:\Windows\dulmkbzoqekvuuhwtvriz.exe
  dulmkbzoqekvuuhwtvriz.exe
  2⤵
  PID:4520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c huheylfqoyahcyhsl.exe .
1⤵
PID:4432
- C:\Windows\huheylfqoyahcyhsl.exe
  huheylfqoyahcyhsl.exe .
  2⤵
  PID:2704
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\huheylfqoyahcyhsl.exe*."
    3⤵
    PID:2520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqfeaplyykoxusdqllf.exe
1⤵
PID:1276
- C:\Users\Admin\AppData\Local\Temp\bqfeaplyykoxusdqllf.exe
  C:\Users\Admin\AppData\Local\Temp\bqfeaplyykoxusdqllf.exe
  2⤵
  PID:3824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqfeaplyykoxusdqllf.exe .
1⤵
PID:1620
- C:\Users\Admin\AppData\Local\Temp\bqfeaplyykoxusdqllf.exe
  C:\Users\Admin\AppData\Local\Temp\bqfeaplyykoxusdqllf.exe .
  2⤵
  PID:600
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\bqfeaplyykoxusdqllf.exe*."
    3⤵
    PID:1056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ujzugxsgztztowgy.exe
1⤵
PID:2192
- C:\Windows\ujzugxsgztztowgy.exe
  ujzugxsgztztowgy.exe
  2⤵
  PID:3956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oeuurhestglvtsesopka.exe
1⤵
PID:1072
- C:\Users\Admin\AppData\Local\Temp\oeuurhestglvtsesopka.exe
  C:\Users\Admin\AppData\Local\Temp\oeuurhestglvtsesopka.exe
  2⤵
  PID:2308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oeuurhestglvtsesopka.exe .
1⤵
PID:768
- C:\Users\Admin\AppData\Local\Temp\oeuurhestglvtsesopka.exe
  C:\Users\Admin\AppData\Local\Temp\oeuurhestglvtsesopka.exe .
  2⤵
  PID:3564
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\oeuurhestglvtsesopka.exe*."
    3⤵
    PID:4352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brierjfuojqlhqbus.exe .
1⤵
PID:1752
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1968
- C:\Windows\brierjfuojqlhqbus.exe
  brierjfuojqlhqbus.exe .
  2⤵
  PID:2440
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\brierjfuojqlhqbus.exe*."
    3⤵
    PID:4084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vngetnlcyvebzkxssgy.exe
1⤵
PID:3380
- C:\Windows\vngetnlcyvebzkxssgy.exe
  vngetnlcyvebzkxssgy.exe
  2⤵
  PID:4364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ujzugxsgztztowgy.exe .
1⤵
PID:3432
- C:\Windows\ujzugxsgztztowgy.exe
  ujzugxsgztztowgy.exe .
  2⤵
  PID:4520
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ujzugxsgztztowgy.exe*."
    3⤵
    PID:644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe
1⤵
PID:2016
- C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe
  C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe
  2⤵
  PID:3196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe .
1⤵
PID:3612
- C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe
  C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe .
  2⤵
  PID:3448
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\kbtqexukfbjfcmysre.exe*."
    3⤵
    PID:624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe
1⤵
PID:4220
- C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe
  C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe
  2⤵
  PID:2376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe .
1⤵
PID:1472
- C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe
  C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe .
  2⤵
  PID:3580
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\kbtqexukfbjfcmysre.exe*."
    3⤵
    PID:600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brierjfuojqlhqbus.exe
1⤵
PID:1960
- C:\Windows\brierjfuojqlhqbus.exe
  brierjfuojqlhqbus.exe
  2⤵
  PID:2752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ujzugxsgztztowgy.exe .
1⤵
PID:1500
- C:\Windows\ujzugxsgztztowgy.exe
  ujzugxsgztztowgy.exe .
  2⤵
  PID:1904
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ujzugxsgztztowgy.exe*."
    3⤵
    PID:2276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vngetnlcyvebzkxssgy.exe
1⤵
PID:2120
- C:\Windows\vngetnlcyvebzkxssgy.exe
  vngetnlcyvebzkxssgy.exe
  2⤵
  PID:2988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ujzugxsgztztowgy.exe .
1⤵
PID:4296
- C:\Windows\ujzugxsgztztowgy.exe
  ujzugxsgztztowgy.exe .
  2⤵
  PID:4068
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ujzugxsgztztowgy.exe*."
    3⤵
    PID:1460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe
1⤵
PID:5084
- C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe
  C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe
  2⤵
  PID:1172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe .
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe
  C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe .
  2⤵
  PID:3432
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ujzugxsgztztowgy.exe*."
    3⤵
    PID:3448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe
1⤵
PID:4416
- C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe
  C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe
  2⤵
  PID:4236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe .
1⤵
PID:372
- C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe
  C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe .
  2⤵
  PID:4780
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ibvukfewtrbzykyuvkdx.exe*."
    3⤵
    PID:2840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brierjfuojqlhqbus.exe
1⤵
PID:3560
- C:\Windows\brierjfuojqlhqbus.exe
  brierjfuojqlhqbus.exe
  2⤵
  PID:432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vngetnlcyvebzkxssgy.exe .
1⤵
PID:4852
- C:\Windows\vngetnlcyvebzkxssgy.exe
  vngetnlcyvebzkxssgy.exe .
  2⤵
  PID:4884
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\vngetnlcyvebzkxssgy.exe*."
    3⤵
    PID:1072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kbtqexukfbjfcmysre.exe
1⤵
PID:4232
- C:\Windows\kbtqexukfbjfcmysre.exe
  kbtqexukfbjfcmysre.exe
  2⤵
  PID:4868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kbtqexukfbjfcmysre.exe .
1⤵
PID:4784
- C:\Windows\kbtqexukfbjfcmysre.exe
  kbtqexukfbjfcmysre.exe .
  2⤵
  PID:2080
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\kbtqexukfbjfcmysre.exe*."
    3⤵
    PID:512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe
1⤵
PID:4684
- C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe
  C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe
  2⤵
  PID:4352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe .
1⤵
PID:1904
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2276
- C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe
  C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe .
  2⤵
  PID:3888
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\vngetnlcyvebzkxssgy.exe*."
    3⤵
    PID:4604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe
1⤵
PID:2016
- C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe
  C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe
  2⤵
  PID:3944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe .
1⤵
PID:4348
- C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe
  C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe .
  2⤵
  PID:5004
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\xrmmdzzsqpazzmbyaqkff.exe*."
    3⤵
    PID:4820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vngetnlcyvebzkxssgy.exe
1⤵
PID:4828
- C:\Windows\vngetnlcyvebzkxssgy.exe
  vngetnlcyvebzkxssgy.exe
  2⤵
  PID:3316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ibvukfewtrbzykyuvkdx.exe .
1⤵
PID:3024
- C:\Windows\ibvukfewtrbzykyuvkdx.exe
  ibvukfewtrbzykyuvkdx.exe .
  2⤵
  PID:5032
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ibvukfewtrbzykyuvkdx.exe*."
    3⤵
    PID:2652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ujzugxsgztztowgy.exe
1⤵
PID:3988
- C:\Windows\ujzugxsgztztowgy.exe
  ujzugxsgztztowgy.exe
  2⤵
  PID:1888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xrmmdzzsqpazzmbyaqkff.exe
1⤵
PID:2704
- C:\Windows\xrmmdzzsqpazzmbyaqkff.exe
  xrmmdzzsqpazzmbyaqkff.exe
  2⤵
  PID:3420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brierjfuojqlhqbus.exe
1⤵
PID:1568
- C:\Windows\brierjfuojqlhqbus.exe
  brierjfuojqlhqbus.exe
  2⤵
  PID:348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brierjfuojqlhqbus.exe .
1⤵
PID:1472
- C:\Windows\brierjfuojqlhqbus.exe
  brierjfuojqlhqbus.exe .
  2⤵
  PID:968
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\brierjfuojqlhqbus.exe*."
    3⤵
    PID:3408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brierjfuojqlhqbus.exe .
1⤵
PID:2392
- C:\Windows\brierjfuojqlhqbus.exe
  brierjfuojqlhqbus.exe .
  2⤵
  PID:3048
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\brierjfuojqlhqbus.exe*."
    3⤵
    PID:416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kbtqexukfbjfcmysre.exe .
1⤵
PID:1320
- C:\Windows\kbtqexukfbjfcmysre.exe
  kbtqexukfbjfcmysre.exe .
  2⤵
  PID:656
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\kbtqexukfbjfcmysre.exe*."
    3⤵
    PID:3120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe
1⤵
PID:1760
- C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe
  C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe
  2⤵
  PID:4380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brierjfuojqlhqbus.exe
1⤵
PID:4180
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1588
- C:\Windows\brierjfuojqlhqbus.exe
  brierjfuojqlhqbus.exe
  2⤵
  PID:3444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe .
1⤵
PID:1964
- C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe
  C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe .
  2⤵
  PID:4432
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\vngetnlcyvebzkxssgy.exe*."
    3⤵
    PID:2540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vngetnlcyvebzkxssgy.exe
1⤵
PID:3468
- C:\Windows\vngetnlcyvebzkxssgy.exe
  vngetnlcyvebzkxssgy.exe
  2⤵
  PID:3416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kbtqexukfbjfcmysre.exe .
1⤵
PID:3052
- C:\Windows\kbtqexukfbjfcmysre.exe
  kbtqexukfbjfcmysre.exe .
  2⤵
  PID:1008
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\kbtqexukfbjfcmysre.exe*."
    3⤵
    PID:4268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ujzugxsgztztowgy.exe .
1⤵
PID:4496
- C:\Windows\ujzugxsgztztowgy.exe
  ujzugxsgztztowgy.exe .
  2⤵
  PID:3988
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ujzugxsgztztowgy.exe*."
    3⤵
    PID:416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe
1⤵
PID:3732
- C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe
  C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe
  2⤵
  PID:2168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe
1⤵
PID:2372
- C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe
  C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe
  2⤵
  PID:2696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe
1⤵
PID:2920
- C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe
  C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe
  2⤵
  PID:3484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe .
1⤵
PID:1112
- C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe
  C:\Users\Admin\AppData\Local\Temp\ujzugxsgztztowgy.exe .
  2⤵
  PID:1424
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ujzugxsgztztowgy.exe*."
    3⤵
    PID:4380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe .
1⤵
PID:3316
- C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe
  C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe .
  2⤵
  PID:4084
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\vngetnlcyvebzkxssgy.exe*."
    3⤵
    PID:2752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe .
1⤵
PID:4568
- C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe
  C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe .
  2⤵
  PID:1276
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\kbtqexukfbjfcmysre.exe*."
    3⤵
    PID:2688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe
1⤵
PID:4620
- C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe
  C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe
  2⤵
  PID:1308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe
1⤵
PID:832
- C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe
  C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe
  2⤵
  PID:348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe .
1⤵
PID:4076
- C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe
  C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe .
  2⤵
  PID:2656
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\kbtqexukfbjfcmysre.exe*."
    3⤵
    PID:4416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe .
1⤵
PID:4016
- C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe
  C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe .
  2⤵
  PID:456
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ibvukfewtrbzykyuvkdx.exe*."
    3⤵
    PID:4924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brierjfuojqlhqbus.exe
1⤵
PID:5032
- C:\Windows\brierjfuojqlhqbus.exe
  brierjfuojqlhqbus.exe
  2⤵
  PID:3564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ibvukfewtrbzykyuvkdx.exe .
1⤵
PID:4232
- C:\Windows\ibvukfewtrbzykyuvkdx.exe
  ibvukfewtrbzykyuvkdx.exe .
  2⤵
  PID:3860
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ibvukfewtrbzykyuvkdx.exe*."
    3⤵
    PID:3416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ibvukfewtrbzykyuvkdx.exe
1⤵
PID:4888
- C:\Windows\ibvukfewtrbzykyuvkdx.exe
  ibvukfewtrbzykyuvkdx.exe
  2⤵
  PID:1384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xrmmdzzsqpazzmbyaqkff.exe .
1⤵
PID:3484
- C:\Windows\xrmmdzzsqpazzmbyaqkff.exe
  xrmmdzzsqpazzmbyaqkff.exe .
  2⤵
  PID:4388
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\xrmmdzzsqpazzmbyaqkff.exe*."
    3⤵
    PID:1560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe
1⤵
PID:2696
- C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe
  C:\Users\Admin\AppData\Local\Temp\vngetnlcyvebzkxssgy.exe
  2⤵
  PID:1476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe .
1⤵
PID:2688
- C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe
  C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe .
  2⤵
  PID:4532
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\brierjfuojqlhqbus.exe*."
    3⤵
    PID:216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe
1⤵
PID:3588
- C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe
  C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe
  2⤵
  PID:1128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe .
1⤵
PID:916
- C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe
  C:\Users\Admin\AppData\Local\Temp\ibvukfewtrbzykyuvkdx.exe .
  2⤵
  PID:2340
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\ibvukfewtrbzykyuvkdx.exe*."
    3⤵
    PID:5000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xrmmdzzsqpazzmbyaqkff.exe
1⤵
PID:1848
- C:\Windows\xrmmdzzsqpazzmbyaqkff.exe
  xrmmdzzsqpazzmbyaqkff.exe
  2⤵
  PID:3640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ujzugxsgztztowgy.exe .
1⤵
PID:4656
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5008
- C:\Windows\ujzugxsgztztowgy.exe
  ujzugxsgztztowgy.exe .
  2⤵
  PID:3912
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\ujzugxsgztztowgy.exe*."
    3⤵
    PID:4868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brierjfuojqlhqbus.exe
1⤵
PID:2276
- C:\Windows\brierjfuojqlhqbus.exe
  brierjfuojqlhqbus.exe
  2⤵
  PID:3064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c kbtqexukfbjfcmysre.exe .
1⤵
PID:2388
- C:\Windows\kbtqexukfbjfcmysre.exe
  kbtqexukfbjfcmysre.exe .
  2⤵
  PID:3916
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\kbtqexukfbjfcmysre.exe*."
    3⤵
    PID:3860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe
1⤵
PID:3532
- C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe
  C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe
  2⤵
  PID:2912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe .
1⤵
PID:4604
- C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe
  C:\Users\Admin\AppData\Local\Temp\xrmmdzzsqpazzmbyaqkff.exe .
  2⤵
  PID:348
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\xrmmdzzsqpazzmbyaqkff.exe*."
    3⤵
    PID:1308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe
1⤵
PID:768
- C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe
  C:\Users\Admin\AppData\Local\Temp\brierjfuojqlhqbus.exe
  2⤵
  PID:600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe .
1⤵
PID:3620
- C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe
  C:\Users\Admin\AppData\Local\Temp\kbtqexukfbjfcmysre.exe .
  2⤵
  PID:4832
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\users\admin\appdata\local\temp\kbtqexukfbjfcmysre.exe*."
    3⤵
    PID:4364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c amyunzsczijpjemw.exe
1⤵
PID:392
- C:\Windows\amyunzsczijpjemw.exe
  amyunzsczijpjemw.exe
  2⤵
  PID:4680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c huheylfqoyahcyhsl.exe .
1⤵
PID:4736
- C:\Windows\huheylfqoyahcyhsl.exe
  huheylfqoyahcyhsl.exe .
  2⤵
  PID:844
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\huheylfqoyahcyhsl.exe*."
    3⤵
    PID:1664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oeuurhestglvtsesopka.exe
1⤵
PID:3612
- C:\Windows\oeuurhestglvtsesopka.exe
  oeuurhestglvtsesopka.exe
  2⤵
  PID:1784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dulmkbzoqekvuuhwtvriz.exe .
1⤵
PID:3824
- C:\Windows\dulmkbzoqekvuuhwtvriz.exe
  dulmkbzoqekvuuhwtvriz.exe .
  2⤵
  PID:4016
- - C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe
    "C:\Users\Admin\AppData\Local\Temp\abqgjobtkla.exe" "c:\windows\dulmkbzoqekvuuhwtvriz.exe*."
    3⤵
    PID:4872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\huheylfqoyahcyhsl.exe
1⤵
PID:2108
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1568
- C:\Users\Admin\AppData\Local\Temp\huheylfqoyahcyhsl.exe
  C:\Users\Admin\AppData\Local\Temp\huheylfqoyahcyhsl.exe
  2⤵
  PID:4180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brierjfuojqlhqbus.exe
1⤵
PID:4296
- C:\Windows\brierjfuojqlhqbus.exe
  brierjfuojqlhqbus.exe
  2⤵
  PID:3076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqfeaplyykoxusdqllf.exe .
1⤵
PID:3120
- C:\Users\Admin\AppData\Local\Temp\bqfeaplyykoxusdqllf.exe
  C:\Users\Admin\AppData\Local\Temp\bqfeaplyykoxusdqllf.exe .
  2⤵
  PID:2392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brierjfuojqlhqbus.exe .
1⤵
PID:1472
- C:\Windows\brierjfuojqlhqbus.exe
  brierjfuojqlhqbus.exe .
  2⤵
  PID:968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Modify Registry