Malware Analysis Report

2025-08-10 16:32

Sample ID 250418-a3x7tayqx8
Target JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1
SHA256 2e69cd89b60105229d7465e33802b3ff410aa6c470320732b23b88fa48572f9b
Tags
pykspa defense_evasion discovery persistence privilege_escalation trojan worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2e69cd89b60105229d7465e33802b3ff410aa6c470320732b23b88fa48572f9b

Threat Level: Known bad

The file JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1 was found to be: Known bad.

Malicious Activity Summary

pykspa defense_evasion discovery persistence privilege_escalation trojan worm

UAC bypass

Pykspa family

Modifies WinLogon for persistence

Pykspa

Detect Pykspa worm

Adds policy Run key to start application

Disables RegEdit via registry modification

Impair Defenses: Safe Mode Boot

Executes dropped EXE

Checks computer location settings

Checks whether UAC is enabled

Looks up external IP address via web service

Hijack Execution Flow: Executable Installer File Permissions Weakness

Adds Run key to start application

Drops autorun.inf file

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

System policy modification

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-04-18 00:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-04-18 00:44

Reported

2025-04-18 00:47

Platform

win10v2004-20250314-en

Max time kernel

56s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A

Pykspa

worm pykspa

Pykspa family

pykspa

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A

Detect Pykspa worm

worm
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whhmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\axjarjbrlzrlkraqa.exe" C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jxaiqzip = "tpaqgxodwjatrxfu.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jxaiqzip = "tpaqgxodwjatrxfu.exe" C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jxaiqzip = "wxnidzvpnfbzcnauiqklb.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jxaiqzip = "hhwqkfatqhczblxqdkdd.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whhmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jhumexqhcrkffnxoze.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jxaiqzip = "tpaqgxodwjatrxfu.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jxaiqzip = "tpaqgxodwjatrxfu.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whhmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tpaqgxodwjatrxfu.exe" C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whhmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uthatnhzvlfbclwoagy.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jxaiqzip = "tpaqgxodwjatrxfu.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whhmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wxnidzvpnfbzcnauiqklb.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whhmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wxnidzvpnfbzcnauiqklb.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whhmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\axjarjbrlzrlkraqa.exe" C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jxaiqzip = "jhumexqhcrkffnxoze.exe" C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whhmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wxnidzvpnfbzcnauiqklb.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jxaiqzip = "wxnidzvpnfbzcnauiqklb.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jxaiqzip = "jhumexqhcrkffnxoze.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jxaiqzip = "hhwqkfatqhczblxqdkdd.exe" C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jxaiqzip = "tpaqgxodwjatrxfu.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whhmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jhumexqhcrkffnxoze.exe" C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whhmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wxnidzvpnfbzcnauiqklb.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whhmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tpaqgxodwjatrxfu.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whhmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hhwqkfatqhczblxqdkdd.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jxaiqzip = "jhumexqhcrkffnxoze.exe" C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whhmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hhwqkfatqhczblxqdkdd.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jxaiqzip = "tpaqgxodwjatrxfu.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whhmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tpaqgxodwjatrxfu.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whhmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\axjarjbrlzrlkraqa.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whhmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uthatnhzvlfbclwoagy.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whhmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jhumexqhcrkffnxoze.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jxaiqzip = "wxnidzvpnfbzcnauiqklb.exe" C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whhmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hhwqkfatqhczblxqdkdd.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whhmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uthatnhzvlfbclwoagy.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whhmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\axjarjbrlzrlkraqa.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whhmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wxnidzvpnfbzcnauiqklb.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jxaiqzip = "jhumexqhcrkffnxoze.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jxaiqzip = "tpaqgxodwjatrxfu.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jxaiqzip = "axjarjbrlzrlkraqa.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jxaiqzip = "jhumexqhcrkffnxoze.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jxaiqzip = "tpaqgxodwjatrxfu.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whhmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hhwqkfatqhczblxqdkdd.exe" C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whhmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jhumexqhcrkffnxoze.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A

Disables RegEdit via registry modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\wxnidzvpnfbzcnauiqklb.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\hhwqkfatqhczblxqdkdd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\uthatnhzvlfbclwoagy.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\tpaqgxodwjatrxfu.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\jhumexqhcrkffnxoze.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\jhumexqhcrkffnxoze.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\uthatnhzvlfbclwoagy.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\tpaqgxodwjatrxfu.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\axjarjbrlzrlkraqa.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\tpaqgxodwjatrxfu.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\hhwqkfatqhczblxqdkdd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\uthatnhzvlfbclwoagy.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\uthatnhzvlfbclwoagy.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\jhumexqhcrkffnxoze.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\tpaqgxodwjatrxfu.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\uthatnhzvlfbclwoagy.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\wxnidzvpnfbzcnauiqklb.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\axjarjbrlzrlkraqa.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\jhumexqhcrkffnxoze.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\tpaqgxodwjatrxfu.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\hhwqkfatqhczblxqdkdd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\hhwqkfatqhczblxqdkdd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\tpaqgxodwjatrxfu.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\wxnidzvpnfbzcnauiqklb.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\wxnidzvpnfbzcnauiqklb.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\tpaqgxodwjatrxfu.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\uthatnhzvlfbclwoagy.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\axjarjbrlzrlkraqa.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\hhwqkfatqhczblxqdkdd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\hhwqkfatqhczblxqdkdd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\uthatnhzvlfbclwoagy.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\jhumexqhcrkffnxoze.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\hhwqkfatqhczblxqdkdd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\wxnidzvpnfbzcnauiqklb.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\tpaqgxodwjatrxfu.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
N/A N/A C:\Windows\axjarjbrlzrlkraqa.exe N/A
N/A N/A C:\Windows\jhumexqhcrkffnxoze.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
N/A N/A C:\Windows\tpaqgxodwjatrxfu.exe N/A
N/A N/A C:\Windows\uthatnhzvlfbclwoagy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
N/A N/A C:\Windows\axjarjbrlzrlkraqa.exe N/A
N/A N/A C:\Windows\uthatnhzvlfbclwoagy.exe N/A
N/A N/A C:\Windows\hhwqkfatqhczblxqdkdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
N/A N/A C:\Windows\uthatnhzvlfbclwoagy.exe N/A
N/A N/A C:\Windows\uthatnhzvlfbclwoagy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
N/A N/A C:\Windows\wxnidzvpnfbzcnauiqklb.exe N/A
N/A N/A C:\Windows\uthatnhzvlfbclwoagy.exe N/A
N/A N/A C:\Windows\wxnidzvpnfbzcnauiqklb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
N/A N/A C:\Windows\tpaqgxodwjatrxfu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
N/A N/A C:\Windows\hhwqkfatqhczblxqdkdd.exe N/A
N/A N/A C:\Windows\uthatnhzvlfbclwoagy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
N/A N/A C:\Windows\axjarjbrlzrlkraqa.exe N/A
N/A N/A C:\Windows\hhwqkfatqhczblxqdkdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
N/A N/A C:\Windows\tpaqgxodwjatrxfu.exe N/A
N/A N/A C:\Windows\hhwqkfatqhczblxqdkdd.exe N/A
N/A N/A C:\Windows\axjarjbrlzrlkraqa.exe N/A
N/A N/A C:\Windows\wxnidzvpnfbzcnauiqklb.exe N/A
N/A N/A C:\Windows\axjarjbrlzrlkraqa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
N/A N/A C:\Windows\jhumexqhcrkffnxoze.exe N/A
N/A N/A C:\Windows\hhwqkfatqhczblxqdkdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
N/A N/A C:\Windows\wxnidzvpnfbzcnauiqklb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
N/A N/A C:\Windows\tpaqgxodwjatrxfu.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ldkwivitiret = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jhumexqhcrkffnxoze.exe" C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oflwhtfpdlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hhwqkfatqhczblxqdkdd.exe ." C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\htuagn = "jhumexqhcrkffnxoze.exe" C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\htuagn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uthatnhzvlfbclwoagy.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\htuagn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\axjarjbrlzrlkraqa.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oflwhtfpdlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tpaqgxodwjatrxfu.exe ." C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tjoyitenah = "hhwqkfatqhczblxqdkdd.exe ." C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oflwhtfpdlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uthatnhzvlfbclwoagy.exe ." C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aptclvfnz = "tpaqgxodwjatrxfu.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oflwhtfpdlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tpaqgxodwjatrxfu.exe ." C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tjoyitenah = "uthatnhzvlfbclwoagy.exe ." C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\uhjqxfn = "jhumexqhcrkffnxoze.exe ." C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aptclvfnz = "jhumexqhcrkffnxoze.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tjoyitenah = "hhwqkfatqhczblxqdkdd.exe ." C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\uhjqxfn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wxnidzvpnfbzcnauiqklb.exe ." C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aptclvfnz = "hhwqkfatqhczblxqdkdd.exe" C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tjoyitenah = "wxnidzvpnfbzcnauiqklb.exe ." C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\htuagn = "jhumexqhcrkffnxoze.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tjoyitenah = "wxnidzvpnfbzcnauiqklb.exe ." C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ldkwivitiret = "C:\\Users\\Admin\\AppData\\Local\\Temp\\axjarjbrlzrlkraqa.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oflwhtfpdlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hhwqkfatqhczblxqdkdd.exe ." C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oflwhtfpdlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uthatnhzvlfbclwoagy.exe ." C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\uhjqxfn = "uthatnhzvlfbclwoagy.exe ." C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tjoyitenah = "jhumexqhcrkffnxoze.exe ." C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ldkwivitiret = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tpaqgxodwjatrxfu.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oflwhtfpdlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tpaqgxodwjatrxfu.exe ." C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\uhjqxfn = "jhumexqhcrkffnxoze.exe ." C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ldkwivitiret = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wxnidzvpnfbzcnauiqklb.exe" C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tjoyitenah = "jhumexqhcrkffnxoze.exe ." C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\htuagn = "hhwqkfatqhczblxqdkdd.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\htuagn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jhumexqhcrkffnxoze.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oflwhtfpdlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wxnidzvpnfbzcnauiqklb.exe ." C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\uhjqxfn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\axjarjbrlzrlkraqa.exe ." C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\uhjqxfn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tpaqgxodwjatrxfu.exe ." C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\htuagn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tpaqgxodwjatrxfu.exe" C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aptclvfnz = "tpaqgxodwjatrxfu.exe" C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ldkwivitiret = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tpaqgxodwjatrxfu.exe" C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\uhjqxfn = "jhumexqhcrkffnxoze.exe ." C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oflwhtfpdlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tpaqgxodwjatrxfu.exe ." C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\uhjqxfn = "hhwqkfatqhczblxqdkdd.exe ." C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\uhjqxfn = "jhumexqhcrkffnxoze.exe ." C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\htuagn = "axjarjbrlzrlkraqa.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\htuagn = "axjarjbrlzrlkraqa.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aptclvfnz = "uthatnhzvlfbclwoagy.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oflwhtfpdlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wxnidzvpnfbzcnauiqklb.exe ." C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\uhjqxfn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jhumexqhcrkffnxoze.exe ." C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ldkwivitiret = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wxnidzvpnfbzcnauiqklb.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\htuagn = "jhumexqhcrkffnxoze.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\htuagn = "axjarjbrlzrlkraqa.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aptclvfnz = "jhumexqhcrkffnxoze.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oflwhtfpdlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uthatnhzvlfbclwoagy.exe ." C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\uhjqxfn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tpaqgxodwjatrxfu.exe ." C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\uhjqxfn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tpaqgxodwjatrxfu.exe ." C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aptclvfnz = "uthatnhzvlfbclwoagy.exe" C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aptclvfnz = "axjarjbrlzrlkraqa.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\uhjqxfn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wxnidzvpnfbzcnauiqklb.exe ." C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\htuagn = "uthatnhzvlfbclwoagy.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\htuagn = "hhwqkfatqhczblxqdkdd.exe" C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ldkwivitiret = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hhwqkfatqhczblxqdkdd.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\uhjqxfn = "hhwqkfatqhczblxqdkdd.exe ." C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tjoyitenah = "tpaqgxodwjatrxfu.exe ." C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\htuagn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hhwqkfatqhczblxqdkdd.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aptclvfnz = "uthatnhzvlfbclwoagy.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\htuagn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wxnidzvpnfbzcnauiqklb.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A

Hijack Execution Flow: Executable Installer File Permissions Weakness

defense_evasion persistence privilege_escalation
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A www.whatismyip.ca N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A whatismyip.everdot.org N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A whatismyip.everdot.org N/A N/A
N/A whatismyipaddress.com N/A N/A
N/A www.showmyipaddress.com N/A N/A
N/A whatismyip.everdot.org N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\jhumexqhcrkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\jhumexqhcrkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\npgcyvsnmfcbfrfapytvmi.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\jhumexqhcrkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\jhumexqhcrkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
File opened for modification C:\Windows\SysWOW64\npgcyvsnmfcbfrfapytvmi.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\tpaqgxodwjatrxfu.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\npgcyvsnmfcbfrfapytvmi.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\wxnidzvpnfbzcnauiqklb.exe C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
File opened for modification C:\Windows\SysWOW64\uthatnhzvlfbclwoagy.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\tpaqgxodwjatrxfu.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\axjarjbrlzrlkraqa.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\uthatnhzvlfbclwoagy.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\hhwqkfatqhczblxqdkdd.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\npgcyvsnmfcbfrfapytvmi.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\npgcyvsnmfcbfrfapytvmi.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\axjarjbrlzrlkraqa.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\axjarjbrlzrlkraqa.exe C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
File created C:\Windows\SysWOW64\yfbcdfhhljlpypiicqqxtuv.zzd C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
File opened for modification C:\Windows\SysWOW64\npgcyvsnmfcbfrfapytvmi.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\jhumexqhcrkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\npgcyvsnmfcbfrfapytvmi.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\wxnidzvpnfbzcnauiqklb.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\jhumexqhcrkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\uthatnhzvlfbclwoagy.exe C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
File opened for modification C:\Windows\SysWOW64\axjarjbrlzrlkraqa.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\jhumexqhcrkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\uthatnhzvlfbclwoagy.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\wxnidzvpnfbzcnauiqklb.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\tpaqgxodwjatrxfu.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\tpaqgxodwjatrxfu.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\axjarjbrlzrlkraqa.exe C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
File opened for modification C:\Windows\SysWOW64\npgcyvsnmfcbfrfapytvmi.exe C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
File opened for modification C:\Windows\SysWOW64\jhumexqhcrkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\hhwqkfatqhczblxqdkdd.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\axjarjbrlzrlkraqa.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\wxnidzvpnfbzcnauiqklb.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\axjarjbrlzrlkraqa.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\jhumexqhcrkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\wxnidzvpnfbzcnauiqklb.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\jhumexqhcrkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\npgcyvsnmfcbfrfapytvmi.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\axjarjbrlzrlkraqa.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\hhwqkfatqhczblxqdkdd.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\wxnidzvpnfbzcnauiqklb.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\hhwqkfatqhczblxqdkdd.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\tpaqgxodwjatrxfu.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\hhwqkfatqhczblxqdkdd.exe C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
File opened for modification C:\Windows\SysWOW64\uthatnhzvlfbclwoagy.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\axjarjbrlzrlkraqa.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\axjarjbrlzrlkraqa.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\hhwqkfatqhczblxqdkdd.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\npgcyvsnmfcbfrfapytvmi.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\uthatnhzvlfbclwoagy.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\uthatnhzvlfbclwoagy.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\tpaqgxodwjatrxfu.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\axjarjbrlzrlkraqa.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\axjarjbrlzrlkraqa.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\ldkwivitiretnptejitlseqdqbqzmbvxbm.qbt C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
File opened for modification C:\Windows\SysWOW64\hhwqkfatqhczblxqdkdd.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\jhumexqhcrkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\npgcyvsnmfcbfrfapytvmi.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\tpaqgxodwjatrxfu.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\uthatnhzvlfbclwoagy.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\yfbcdfhhljlpypiicqqxtuv.zzd C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
File created C:\Program Files (x86)\yfbcdfhhljlpypiicqqxtuv.zzd C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
File opened for modification C:\Program Files (x86)\ldkwivitiretnptejitlseqdqbqzmbvxbm.qbt C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
File created C:\Program Files (x86)\ldkwivitiretnptejitlseqdqbqzmbvxbm.qbt C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\axjarjbrlzrlkraqa.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\hhwqkfatqhczblxqdkdd.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\wxnidzvpnfbzcnauiqklb.exe C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
File opened for modification C:\Windows\jhumexqhcrkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\jhumexqhcrkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\wxnidzvpnfbzcnauiqklb.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\axjarjbrlzrlkraqa.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\tpaqgxodwjatrxfu.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\npgcyvsnmfcbfrfapytvmi.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File created C:\Windows\yfbcdfhhljlpypiicqqxtuv.zzd C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
File opened for modification C:\Windows\ldkwivitiretnptejitlseqdqbqzmbvxbm.qbt C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
File opened for modification C:\Windows\axjarjbrlzrlkraqa.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\wxnidzvpnfbzcnauiqklb.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\jhumexqhcrkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\tpaqgxodwjatrxfu.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\jhumexqhcrkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\npgcyvsnmfcbfrfapytvmi.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\hhwqkfatqhczblxqdkdd.exe C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
File opened for modification C:\Windows\yfbcdfhhljlpypiicqqxtuv.zzd C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
File opened for modification C:\Windows\wxnidzvpnfbzcnauiqklb.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\npgcyvsnmfcbfrfapytvmi.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\hhwqkfatqhczblxqdkdd.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\hhwqkfatqhczblxqdkdd.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\npgcyvsnmfcbfrfapytvmi.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\tpaqgxodwjatrxfu.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\jhumexqhcrkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\jhumexqhcrkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
File opened for modification C:\Windows\jhumexqhcrkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\tpaqgxodwjatrxfu.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\npgcyvsnmfcbfrfapytvmi.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\axjarjbrlzrlkraqa.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\uthatnhzvlfbclwoagy.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\axjarjbrlzrlkraqa.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\wxnidzvpnfbzcnauiqklb.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\uthatnhzvlfbclwoagy.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\jhumexqhcrkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\hhwqkfatqhczblxqdkdd.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\hhwqkfatqhczblxqdkdd.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\jhumexqhcrkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\uthatnhzvlfbclwoagy.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\tpaqgxodwjatrxfu.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\npgcyvsnmfcbfrfapytvmi.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\tpaqgxodwjatrxfu.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\npgcyvsnmfcbfrfapytvmi.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\tpaqgxodwjatrxfu.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\hhwqkfatqhczblxqdkdd.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\tpaqgxodwjatrxfu.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\uthatnhzvlfbclwoagy.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\axjarjbrlzrlkraqa.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\uthatnhzvlfbclwoagy.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\hhwqkfatqhczblxqdkdd.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\jhumexqhcrkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\axjarjbrlzrlkraqa.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\tpaqgxodwjatrxfu.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\hhwqkfatqhczblxqdkdd.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\wxnidzvpnfbzcnauiqklb.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\tpaqgxodwjatrxfu.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\axjarjbrlzrlkraqa.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\wxnidzvpnfbzcnauiqklb.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\uthatnhzvlfbclwoagy.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\tpaqgxodwjatrxfu.exe C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
File opened for modification C:\Windows\jhumexqhcrkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
File opened for modification C:\Windows\tpaqgxodwjatrxfu.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\tpaqgxodwjatrxfu.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\wxnidzvpnfbzcnauiqklb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\uthatnhzvlfbclwoagy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\tpaqgxodwjatrxfu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\wxnidzvpnfbzcnauiqklb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\tpaqgxodwjatrxfu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\wxnidzvpnfbzcnauiqklb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\hhwqkfatqhczblxqdkdd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\hhwqkfatqhczblxqdkdd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\wxnidzvpnfbzcnauiqklb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\tpaqgxodwjatrxfu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\hhwqkfatqhczblxqdkdd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\wxnidzvpnfbzcnauiqklb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\uthatnhzvlfbclwoagy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\axjarjbrlzrlkraqa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\jhumexqhcrkffnxoze.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\wxnidzvpnfbzcnauiqklb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\axjarjbrlzrlkraqa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\tpaqgxodwjatrxfu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\hhwqkfatqhczblxqdkdd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\wxnidzvpnfbzcnauiqklb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\tpaqgxodwjatrxfu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\uthatnhzvlfbclwoagy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\hhwqkfatqhczblxqdkdd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\wxnidzvpnfbzcnauiqklb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\jhumexqhcrkffnxoze.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\jhumexqhcrkffnxoze.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\jhumexqhcrkffnxoze.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\uthatnhzvlfbclwoagy.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4268 wrote to memory of 5688 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
PID 4268 wrote to memory of 5688 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
PID 4268 wrote to memory of 5688 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
PID 4708 wrote to memory of 4968 N/A C:\Windows\system32\cmd.exe C:\Windows\axjarjbrlzrlkraqa.exe
PID 4708 wrote to memory of 4968 N/A C:\Windows\system32\cmd.exe C:\Windows\axjarjbrlzrlkraqa.exe
PID 4708 wrote to memory of 4968 N/A C:\Windows\system32\cmd.exe C:\Windows\axjarjbrlzrlkraqa.exe
PID 5040 wrote to memory of 3648 N/A C:\Windows\system32\cmd.exe C:\Windows\jhumexqhcrkffnxoze.exe
PID 5040 wrote to memory of 3648 N/A C:\Windows\system32\cmd.exe C:\Windows\jhumexqhcrkffnxoze.exe
PID 5040 wrote to memory of 3648 N/A C:\Windows\system32\cmd.exe C:\Windows\jhumexqhcrkffnxoze.exe
PID 3648 wrote to memory of 4964 N/A C:\Windows\jhumexqhcrkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
PID 3648 wrote to memory of 4964 N/A C:\Windows\jhumexqhcrkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
PID 3648 wrote to memory of 4964 N/A C:\Windows\jhumexqhcrkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
PID 4908 wrote to memory of 5400 N/A C:\Windows\system32\cmd.exe C:\Windows\tpaqgxodwjatrxfu.exe
PID 4908 wrote to memory of 5400 N/A C:\Windows\system32\cmd.exe C:\Windows\tpaqgxodwjatrxfu.exe
PID 4908 wrote to memory of 5400 N/A C:\Windows\system32\cmd.exe C:\Windows\tpaqgxodwjatrxfu.exe
PID 5088 wrote to memory of 4140 N/A C:\Windows\system32\cmd.exe C:\Windows\uthatnhzvlfbclwoagy.exe
PID 5088 wrote to memory of 4140 N/A C:\Windows\system32\cmd.exe C:\Windows\uthatnhzvlfbclwoagy.exe
PID 5088 wrote to memory of 4140 N/A C:\Windows\system32\cmd.exe C:\Windows\uthatnhzvlfbclwoagy.exe
PID 5252 wrote to memory of 4328 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe
PID 5252 wrote to memory of 4328 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe
PID 5252 wrote to memory of 4328 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe
PID 6140 wrote to memory of 4796 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe
PID 6140 wrote to memory of 4796 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe
PID 6140 wrote to memory of 4796 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe
PID 4140 wrote to memory of 2380 N/A C:\Windows\uthatnhzvlfbclwoagy.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
PID 4140 wrote to memory of 2380 N/A C:\Windows\uthatnhzvlfbclwoagy.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
PID 4140 wrote to memory of 2380 N/A C:\Windows\uthatnhzvlfbclwoagy.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
PID 4796 wrote to memory of 5300 N/A C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe
PID 4796 wrote to memory of 5300 N/A C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe
PID 4796 wrote to memory of 5300 N/A C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe
PID 2152 wrote to memory of 1432 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe
PID 2152 wrote to memory of 1432 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe
PID 2152 wrote to memory of 1432 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe
PID 2856 wrote to memory of 1860 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe
PID 2856 wrote to memory of 1860 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe
PID 2856 wrote to memory of 1860 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe
PID 1860 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
PID 1860 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
PID 1860 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
PID 5688 wrote to memory of 6060 N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe C:\Users\Admin\AppData\Local\Temp\whhmr.exe
PID 5688 wrote to memory of 6060 N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe C:\Users\Admin\AppData\Local\Temp\whhmr.exe
PID 5688 wrote to memory of 6060 N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe C:\Users\Admin\AppData\Local\Temp\whhmr.exe
PID 5688 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe C:\Users\Admin\AppData\Local\Temp\whhmr.exe
PID 5688 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe C:\Users\Admin\AppData\Local\Temp\whhmr.exe
PID 5688 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe C:\Users\Admin\AppData\Local\Temp\whhmr.exe
PID 6080 wrote to memory of 1236 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe
PID 6080 wrote to memory of 1236 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe
PID 6080 wrote to memory of 1236 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe
PID 2924 wrote to memory of 5828 N/A C:\Windows\system32\cmd.exe C:\Windows\uthatnhzvlfbclwoagy.exe
PID 2924 wrote to memory of 5828 N/A C:\Windows\system32\cmd.exe C:\Windows\uthatnhzvlfbclwoagy.exe
PID 2924 wrote to memory of 5828 N/A C:\Windows\system32\cmd.exe C:\Windows\uthatnhzvlfbclwoagy.exe
PID 2392 wrote to memory of 3268 N/A C:\Windows\system32\cmd.exe C:\Windows\hhwqkfatqhczblxqdkdd.exe
PID 2392 wrote to memory of 3268 N/A C:\Windows\system32\cmd.exe C:\Windows\hhwqkfatqhczblxqdkdd.exe
PID 2392 wrote to memory of 3268 N/A C:\Windows\system32\cmd.exe C:\Windows\hhwqkfatqhczblxqdkdd.exe
PID 3268 wrote to memory of 3124 N/A C:\Windows\hhwqkfatqhczblxqdkdd.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
PID 3268 wrote to memory of 3124 N/A C:\Windows\hhwqkfatqhczblxqdkdd.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
PID 3268 wrote to memory of 3124 N/A C:\Windows\hhwqkfatqhczblxqdkdd.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
PID 3336 wrote to memory of 632 N/A C:\Windows\system32\cmd.exe C:\Windows\uthatnhzvlfbclwoagy.exe
PID 3336 wrote to memory of 632 N/A C:\Windows\system32\cmd.exe C:\Windows\uthatnhzvlfbclwoagy.exe
PID 3336 wrote to memory of 632 N/A C:\Windows\system32\cmd.exe C:\Windows\uthatnhzvlfbclwoagy.exe
PID 5892 wrote to memory of 5716 N/A C:\Windows\system32\cmd.exe C:\Windows\uthatnhzvlfbclwoagy.exe
PID 5892 wrote to memory of 5716 N/A C:\Windows\system32\cmd.exe C:\Windows\uthatnhzvlfbclwoagy.exe
PID 5892 wrote to memory of 5716 N/A C:\Windows\system32\cmd.exe C:\Windows\uthatnhzvlfbclwoagy.exe
PID 632 wrote to memory of 6088 N/A C:\Windows\uthatnhzvlfbclwoagy.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

System policy modification

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\whhmr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe"

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe*"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c axjarjbrlzrlkraqa.exe

C:\Windows\axjarjbrlzrlkraqa.exe

axjarjbrlzrlkraqa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe .

C:\Windows\jhumexqhcrkffnxoze.exe

jhumexqhcrkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\jhumexqhcrkffnxoze.exe*."

C:\Windows\tpaqgxodwjatrxfu.exe

tpaqgxodwjatrxfu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Windows\uthatnhzvlfbclwoagy.exe

uthatnhzvlfbclwoagy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe

C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\uthatnhzvlfbclwoagy.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\uthatnhzvlfbclwoagy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tpaqgxodwjatrxfu.exe*."

C:\Users\Admin\AppData\Local\Temp\whhmr.exe

"C:\Users\Admin\AppData\Local\Temp\whhmr.exe" "-c:\users\admin\appdata\local\temp\jaffacakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe"

C:\Users\Admin\AppData\Local\Temp\whhmr.exe

"C:\Users\Admin\AppData\Local\Temp\whhmr.exe" "-c:\users\admin\appdata\local\temp\jaffacakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c axjarjbrlzrlkraqa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe

C:\Windows\axjarjbrlzrlkraqa.exe

axjarjbrlzrlkraqa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe .

C:\Windows\uthatnhzvlfbclwoagy.exe

uthatnhzvlfbclwoagy.exe

C:\Windows\hhwqkfatqhczblxqdkdd.exe

hhwqkfatqhczblxqdkdd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hhwqkfatqhczblxqdkdd.exe*."

C:\Windows\uthatnhzvlfbclwoagy.exe

uthatnhzvlfbclwoagy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wxnidzvpnfbzcnauiqklb.exe

C:\Windows\uthatnhzvlfbclwoagy.exe

uthatnhzvlfbclwoagy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wxnidzvpnfbzcnauiqklb.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\uthatnhzvlfbclwoagy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .

C:\Windows\wxnidzvpnfbzcnauiqklb.exe

wxnidzvpnfbzcnauiqklb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .

C:\Windows\uthatnhzvlfbclwoagy.exe

uthatnhzvlfbclwoagy.exe .

C:\Windows\wxnidzvpnfbzcnauiqklb.exe

wxnidzvpnfbzcnauiqklb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe

C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\uthatnhzvlfbclwoagy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .

C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\wxnidzvpnfbzcnauiqklb.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tpaqgxodwjatrxfu.exe*."

C:\Windows\tpaqgxodwjatrxfu.exe

tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe

C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe

C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\uthatnhzvlfbclwoagy.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tpaqgxodwjatrxfu.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\uthatnhzvlfbclwoagy.exe*."

C:\Windows\hhwqkfatqhczblxqdkdd.exe

hhwqkfatqhczblxqdkdd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe .

C:\Windows\uthatnhzvlfbclwoagy.exe

uthatnhzvlfbclwoagy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c axjarjbrlzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\uthatnhzvlfbclwoagy.exe*."

C:\Windows\axjarjbrlzrlkraqa.exe

axjarjbrlzrlkraqa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Windows\hhwqkfatqhczblxqdkdd.exe

hhwqkfatqhczblxqdkdd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hhwqkfatqhczblxqdkdd.exe*."

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\wxnidzvpnfbzcnauiqklb.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .

C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe

C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\wxnidzvpnfbzcnauiqklb.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe

C:\Windows\tpaqgxodwjatrxfu.exe

tpaqgxodwjatrxfu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c axjarjbrlzrlkraqa.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wxnidzvpnfbzcnauiqklb.exe

C:\Windows\hhwqkfatqhczblxqdkdd.exe

hhwqkfatqhczblxqdkdd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c axjarjbrlzrlkraqa.exe .

C:\Windows\axjarjbrlzrlkraqa.exe

axjarjbrlzrlkraqa.exe .

C:\Windows\wxnidzvpnfbzcnauiqklb.exe

wxnidzvpnfbzcnauiqklb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wxnidzvpnfbzcnauiqklb.exe .

C:\Windows\axjarjbrlzrlkraqa.exe

axjarjbrlzrlkraqa.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\axjarjbrlzrlkraqa.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe .

C:\Windows\jhumexqhcrkffnxoze.exe

jhumexqhcrkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe .

C:\Windows\hhwqkfatqhczblxqdkdd.exe

hhwqkfatqhczblxqdkdd.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\axjarjbrlzrlkraqa.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Windows\wxnidzvpnfbzcnauiqklb.exe

wxnidzvpnfbzcnauiqklb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hhwqkfatqhczblxqdkdd.exe*."

C:\Windows\tpaqgxodwjatrxfu.exe

tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe

C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\wxnidzvpnfbzcnauiqklb.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Windows\hhwqkfatqhczblxqdkdd.exe

hhwqkfatqhczblxqdkdd.exe .

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe .

C:\Windows\hhwqkfatqhczblxqdkdd.exe

hhwqkfatqhczblxqdkdd.exe .

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe

C:\Windows\uthatnhzvlfbclwoagy.exe

uthatnhzvlfbclwoagy.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hhwqkfatqhczblxqdkdd.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\axjarjbrlzrlkraqa.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\hhwqkfatqhczblxqdkdd.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hhwqkfatqhczblxqdkdd.exe*."

C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\jhumexqhcrkffnxoze.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\axjarjbrlzrlkraqa.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\hhwqkfatqhczblxqdkdd.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wxnidzvpnfbzcnauiqklb.exe

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .

C:\Windows\wxnidzvpnfbzcnauiqklb.exe

wxnidzvpnfbzcnauiqklb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\wxnidzvpnfbzcnauiqklb.exe*."

C:\Windows\jhumexqhcrkffnxoze.exe

jhumexqhcrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\jhumexqhcrkffnxoze.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wxnidzvpnfbzcnauiqklb.exe .

C:\Windows\jhumexqhcrkffnxoze.exe

jhumexqhcrkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

C:\Windows\wxnidzvpnfbzcnauiqklb.exe

wxnidzvpnfbzcnauiqklb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\wxnidzvpnfbzcnauiqklb.exe*."

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\wxnidzvpnfbzcnauiqklb.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\hhwqkfatqhczblxqdkdd.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe

C:\Windows\uthatnhzvlfbclwoagy.exe

uthatnhzvlfbclwoagy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe .

C:\Windows\jhumexqhcrkffnxoze.exe

jhumexqhcrkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\jhumexqhcrkffnxoze.exe*."

C:\Windows\jhumexqhcrkffnxoze.exe

jhumexqhcrkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\hhwqkfatqhczblxqdkdd.exe

hhwqkfatqhczblxqdkdd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .

C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hhwqkfatqhczblxqdkdd.exe*."

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\hhwqkfatqhczblxqdkdd.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .

C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe

C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\uthatnhzvlfbclwoagy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe

C:\Windows\hhwqkfatqhczblxqdkdd.exe

hhwqkfatqhczblxqdkdd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c axjarjbrlzrlkraqa.exe .

C:\Windows\axjarjbrlzrlkraqa.exe

axjarjbrlzrlkraqa.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c axjarjbrlzrlkraqa.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\axjarjbrlzrlkraqa.exe

axjarjbrlzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\axjarjbrlzrlkraqa.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

C:\Windows\tpaqgxodwjatrxfu.exe

tpaqgxodwjatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tpaqgxodwjatrxfu.exe*."

C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\jhumexqhcrkffnxoze.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tpaqgxodwjatrxfu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe

C:\Windows\uthatnhzvlfbclwoagy.exe

uthatnhzvlfbclwoagy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe .

C:\Windows\jhumexqhcrkffnxoze.exe

jhumexqhcrkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\jhumexqhcrkffnxoze.exe*."

C:\Windows\tpaqgxodwjatrxfu.exe

tpaqgxodwjatrxfu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wxnidzvpnfbzcnauiqklb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Windows\wxnidzvpnfbzcnauiqklb.exe

wxnidzvpnfbzcnauiqklb.exe .

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\wxnidzvpnfbzcnauiqklb.exe*."

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tpaqgxodwjatrxfu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\hhwqkfatqhczblxqdkdd.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wxnidzvpnfbzcnauiqklb.exe

C:\Windows\wxnidzvpnfbzcnauiqklb.exe

wxnidzvpnfbzcnauiqklb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe .

C:\Windows\uthatnhzvlfbclwoagy.exe

uthatnhzvlfbclwoagy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\uthatnhzvlfbclwoagy.exe*."

C:\Windows\uthatnhzvlfbclwoagy.exe

uthatnhzvlfbclwoagy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\uthatnhzvlfbclwoagy.exe

uthatnhzvlfbclwoagy.exe .

C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\uthatnhzvlfbclwoagy.exe*."

C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\axjarjbrlzrlkraqa.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .

C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe

C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe

C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe

C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\uthatnhzvlfbclwoagy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe

C:\Windows\jhumexqhcrkffnxoze.exe

jhumexqhcrkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe .

C:\Windows\hhwqkfatqhczblxqdkdd.exe

hhwqkfatqhczblxqdkdd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hhwqkfatqhczblxqdkdd.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe .

C:\Windows\tpaqgxodwjatrxfu.exe

tpaqgxodwjatrxfu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Windows\tpaqgxodwjatrxfu.exe

tpaqgxodwjatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wxnidzvpnfbzcnauiqklb.exe

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tpaqgxodwjatrxfu.exe*."

C:\Windows\wxnidzvpnfbzcnauiqklb.exe

wxnidzvpnfbzcnauiqklb.exe

C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe

C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wxnidzvpnfbzcnauiqklb.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\uthatnhzvlfbclwoagy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Windows\hhwqkfatqhczblxqdkdd.exe

hhwqkfatqhczblxqdkdd.exe

C:\Windows\wxnidzvpnfbzcnauiqklb.exe

wxnidzvpnfbzcnauiqklb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\wxnidzvpnfbzcnauiqklb.exe*."

C:\Windows\uthatnhzvlfbclwoagy.exe

uthatnhzvlfbclwoagy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

C:\Windows\jhumexqhcrkffnxoze.exe

jhumexqhcrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe

C:\Windows\tpaqgxodwjatrxfu.exe

tpaqgxodwjatrxfu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .

C:\Windows\tpaqgxodwjatrxfu.exe

tpaqgxodwjatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\jhumexqhcrkffnxoze.exe*."

C:\Windows\tpaqgxodwjatrxfu.exe

tpaqgxodwjatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\hhwqkfatqhczblxqdkdd.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tpaqgxodwjatrxfu.exe*."

C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe

C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tpaqgxodwjatrxfu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\uthatnhzvlfbclwoagy.exe*."

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .

C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe

C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\wxnidzvpnfbzcnauiqklb.exe*."

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\wxnidzvpnfbzcnauiqklb.exe*."

C:\Windows\uthatnhzvlfbclwoagy.exe

uthatnhzvlfbclwoagy.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\wxnidzvpnfbzcnauiqklb.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe .

C:\Windows\uthatnhzvlfbclwoagy.exe

uthatnhzvlfbclwoagy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wxnidzvpnfbzcnauiqklb.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\uthatnhzvlfbclwoagy.exe*."

C:\Windows\wxnidzvpnfbzcnauiqklb.exe

wxnidzvpnfbzcnauiqklb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\jhumexqhcrkffnxoze.exe

jhumexqhcrkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\jhumexqhcrkffnxoze.exe*."

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tpaqgxodwjatrxfu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .

C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\wxnidzvpnfbzcnauiqklb.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe

C:\Windows\hhwqkfatqhczblxqdkdd.exe

hhwqkfatqhczblxqdkdd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe .

C:\Windows\hhwqkfatqhczblxqdkdd.exe

hhwqkfatqhczblxqdkdd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wxnidzvpnfbzcnauiqklb.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hhwqkfatqhczblxqdkdd.exe*."

C:\Windows\wxnidzvpnfbzcnauiqklb.exe

wxnidzvpnfbzcnauiqklb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe

C:\Windows\tpaqgxodwjatrxfu.exe

tpaqgxodwjatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe

C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tpaqgxodwjatrxfu.exe*."

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tpaqgxodwjatrxfu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .

C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\wxnidzvpnfbzcnauiqklb.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\jhumexqhcrkffnxoze.exe

jhumexqhcrkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe .

C:\Windows\uthatnhzvlfbclwoagy.exe

uthatnhzvlfbclwoagy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\uthatnhzvlfbclwoagy.exe*."

C:\Windows\tpaqgxodwjatrxfu.exe

tpaqgxodwjatrxfu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wxnidzvpnfbzcnauiqklb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe

C:\Windows\wxnidzvpnfbzcnauiqklb.exe

wxnidzvpnfbzcnauiqklb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe

C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\wxnidzvpnfbzcnauiqklb.exe*."

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tpaqgxodwjatrxfu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\axjarjbrlzrlkraqa.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe

C:\Windows\uthatnhzvlfbclwoagy.exe

uthatnhzvlfbclwoagy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe .

C:\Windows\tpaqgxodwjatrxfu.exe

tpaqgxodwjatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tpaqgxodwjatrxfu.exe*."

C:\Windows\uthatnhzvlfbclwoagy.exe

uthatnhzvlfbclwoagy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wxnidzvpnfbzcnauiqklb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe

C:\Windows\wxnidzvpnfbzcnauiqklb.exe

wxnidzvpnfbzcnauiqklb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\wxnidzvpnfbzcnauiqklb.exe*."

C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\axjarjbrlzrlkraqa.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\jhumexqhcrkffnxoze.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe

C:\Windows\uthatnhzvlfbclwoagy.exe

uthatnhzvlfbclwoagy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe .

C:\Windows\hhwqkfatqhczblxqdkdd.exe

hhwqkfatqhczblxqdkdd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hhwqkfatqhczblxqdkdd.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe .

C:\Windows\tpaqgxodwjatrxfu.exe

tpaqgxodwjatrxfu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Windows\hhwqkfatqhczblxqdkdd.exe

hhwqkfatqhczblxqdkdd.exe .

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hhwqkfatqhczblxqdkdd.exe*."

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\hhwqkfatqhczblxqdkdd.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe

C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tpaqgxodwjatrxfu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe

C:\Windows\hhwqkfatqhczblxqdkdd.exe

hhwqkfatqhczblxqdkdd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe .

C:\Windows\jhumexqhcrkffnxoze.exe

jhumexqhcrkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\jhumexqhcrkffnxoze.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe .

C:\Windows\hhwqkfatqhczblxqdkdd.exe

hhwqkfatqhczblxqdkdd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe

C:\Windows\jhumexqhcrkffnxoze.exe

jhumexqhcrkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\jhumexqhcrkffnxoze.exe*."

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tpaqgxodwjatrxfu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wxnidzvpnfbzcnauiqklb.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tpaqgxodwjatrxfu.exe*."

C:\Windows\wxnidzvpnfbzcnauiqklb.exe

wxnidzvpnfbzcnauiqklb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe

C:\Windows\hhwqkfatqhczblxqdkdd.exe

hhwqkfatqhczblxqdkdd.exe .

C:\Windows\uthatnhzvlfbclwoagy.exe

uthatnhzvlfbclwoagy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hhwqkfatqhczblxqdkdd.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c axjarjbrlzrlkraqa.exe

C:\Windows\hhwqkfatqhczblxqdkdd.exe

hhwqkfatqhczblxqdkdd.exe

C:\Windows\tpaqgxodwjatrxfu.exe

tpaqgxodwjatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe .

C:\Windows\axjarjbrlzrlkraqa.exe

axjarjbrlzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tpaqgxodwjatrxfu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\uthatnhzvlfbclwoagy.exe

uthatnhzvlfbclwoagy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .

C:\Windows\uthatnhzvlfbclwoagy.exe

uthatnhzvlfbclwoagy.exe

C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\uthatnhzvlfbclwoagy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Windows\tpaqgxodwjatrxfu.exe

tpaqgxodwjatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\hhwqkfatqhczblxqdkdd.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe .

C:\Windows\jhumexqhcrkffnxoze.exe

jhumexqhcrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .

C:\Windows\jhumexqhcrkffnxoze.exe

jhumexqhcrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tpaqgxodwjatrxfu.exe*."

C:\Windows\jhumexqhcrkffnxoze.exe

jhumexqhcrkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .

C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\jhumexqhcrkffnxoze.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\hhwqkfatqhczblxqdkdd.exe*."

C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\jhumexqhcrkffnxoze.exe*."

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .

C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe

C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .

C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\axjarjbrlzrlkraqa.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\wxnidzvpnfbzcnauiqklb.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\jhumexqhcrkffnxoze.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\uthatnhzvlfbclwoagy.exe*."

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe

C:\Windows\uthatnhzvlfbclwoagy.exe

uthatnhzvlfbclwoagy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c axjarjbrlzrlkraqa.exe .

C:\Windows\axjarjbrlzrlkraqa.exe

axjarjbrlzrlkraqa.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\axjarjbrlzrlkraqa.exe*."

C:\Windows\jhumexqhcrkffnxoze.exe

jhumexqhcrkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe

C:\Windows\hhwqkfatqhczblxqdkdd.exe

hhwqkfatqhczblxqdkdd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .

C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hhwqkfatqhczblxqdkdd.exe*."

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\wxnidzvpnfbzcnauiqklb.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .

C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe

C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\uthatnhzvlfbclwoagy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wxnidzvpnfbzcnauiqklb.exe

C:\Windows\wxnidzvpnfbzcnauiqklb.exe

wxnidzvpnfbzcnauiqklb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe .

C:\Windows\uthatnhzvlfbclwoagy.exe

uthatnhzvlfbclwoagy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\uthatnhzvlfbclwoagy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe .

C:\Windows\uthatnhzvlfbclwoagy.exe

uthatnhzvlfbclwoagy.exe

C:\Windows\tpaqgxodwjatrxfu.exe

tpaqgxodwjatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tpaqgxodwjatrxfu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tpaqgxodwjatrxfu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\axjarjbrlzrlkraqa.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe

C:\Windows\jhumexqhcrkffnxoze.exe

jhumexqhcrkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe .

C:\Windows\uthatnhzvlfbclwoagy.exe

uthatnhzvlfbclwoagy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\uthatnhzvlfbclwoagy.exe*."

C:\Windows\uthatnhzvlfbclwoagy.exe

uthatnhzvlfbclwoagy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Windows\uthatnhzvlfbclwoagy.exe

uthatnhzvlfbclwoagy.exe .

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\uthatnhzvlfbclwoagy.exe*."

C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\axjarjbrlzrlkraqa.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\axjarjbrlzrlkraqa.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\uthatnhzvlfbclwoagy.exe

uthatnhzvlfbclwoagy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\jhumexqhcrkffnxoze.exe

jhumexqhcrkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\jhumexqhcrkffnxoze.exe*."

C:\Windows\uthatnhzvlfbclwoagy.exe

uthatnhzvlfbclwoagy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe

C:\Windows\uthatnhzvlfbclwoagy.exe

uthatnhzvlfbclwoagy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .

C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\uthatnhzvlfbclwoagy.exe*."

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\hhwqkfatqhczblxqdkdd.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .

C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe

C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\hhwqkfatqhczblxqdkdd.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe

C:\Windows\hhwqkfatqhczblxqdkdd.exe

hhwqkfatqhczblxqdkdd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe .

C:\Windows\jhumexqhcrkffnxoze.exe

jhumexqhcrkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\jhumexqhcrkffnxoze.exe*."

C:\Windows\jhumexqhcrkffnxoze.exe

jhumexqhcrkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Windows\hhwqkfatqhczblxqdkdd.exe

hhwqkfatqhczblxqdkdd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hhwqkfatqhczblxqdkdd.exe*."

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\hhwqkfatqhczblxqdkdd.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tpaqgxodwjatrxfu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c axjarjbrlzrlkraqa.exe

C:\Windows\axjarjbrlzrlkraqa.exe

axjarjbrlzrlkraqa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c axjarjbrlzrlkraqa.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe

C:\Windows\axjarjbrlzrlkraqa.exe

axjarjbrlzrlkraqa.exe .

C:\Windows\jhumexqhcrkffnxoze.exe

jhumexqhcrkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\axjarjbrlzrlkraqa.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wxnidzvpnfbzcnauiqklb.exe .

C:\Windows\jhumexqhcrkffnxoze.exe

jhumexqhcrkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

C:\Windows\tpaqgxodwjatrxfu.exe

tpaqgxodwjatrxfu.exe .

C:\Windows\wxnidzvpnfbzcnauiqklb.exe

wxnidzvpnfbzcnauiqklb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c axjarjbrlzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tpaqgxodwjatrxfu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wxnidzvpnfbzcnauiqklb.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\wxnidzvpnfbzcnauiqklb.exe*."

C:\Windows\jhumexqhcrkffnxoze.exe

jhumexqhcrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

C:\Windows\axjarjbrlzrlkraqa.exe

axjarjbrlzrlkraqa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

C:\Windows\wxnidzvpnfbzcnauiqklb.exe

wxnidzvpnfbzcnauiqklb.exe .

C:\Windows\tpaqgxodwjatrxfu.exe

tpaqgxodwjatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tpaqgxodwjatrxfu.exe*."

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tpaqgxodwjatrxfu.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\wxnidzvpnfbzcnauiqklb.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

C:\Windows\hhwqkfatqhczblxqdkdd.exe

hhwqkfatqhczblxqdkdd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .

C:\Windows\jhumexqhcrkffnxoze.exe

jhumexqhcrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe

C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe

C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe

C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c axjarjbrlzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tpaqgxodwjatrxfu.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\hhwqkfatqhczblxqdkdd.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\jhumexqhcrkffnxoze.exe*."

C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe

C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\jhumexqhcrkffnxoze.exe*."

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\uthatnhzvlfbclwoagy.exe*."

C:\Windows\axjarjbrlzrlkraqa.exe

axjarjbrlzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\hhwqkfatqhczblxqdkdd.exe*."

C:\Windows\jhumexqhcrkffnxoze.exe

jhumexqhcrkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\jhumexqhcrkffnxoze.exe*."

C:\Windows\jhumexqhcrkffnxoze.exe

jhumexqhcrkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Windows\jhumexqhcrkffnxoze.exe

jhumexqhcrkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\jhumexqhcrkffnxoze.exe*."

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\wxnidzvpnfbzcnauiqklb.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .

C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\hhwqkfatqhczblxqdkdd.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe

C:\Windows\hhwqkfatqhczblxqdkdd.exe

hhwqkfatqhczblxqdkdd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe .

C:\Windows\hhwqkfatqhczblxqdkdd.exe

hhwqkfatqhczblxqdkdd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hhwqkfatqhczblxqdkdd.exe*."

C:\Windows\jhumexqhcrkffnxoze.exe

jhumexqhcrkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Windows\hhwqkfatqhczblxqdkdd.exe

hhwqkfatqhczblxqdkdd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hhwqkfatqhczblxqdkdd.exe*."

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\hhwqkfatqhczblxqdkdd.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\wxnidzvpnfbzcnauiqklb.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe

C:\Windows\tpaqgxodwjatrxfu.exe

tpaqgxodwjatrxfu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe .

C:\Windows\jhumexqhcrkffnxoze.exe

jhumexqhcrkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wxnidzvpnfbzcnauiqklb.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\jhumexqhcrkffnxoze.exe*."

C:\Windows\wxnidzvpnfbzcnauiqklb.exe

wxnidzvpnfbzcnauiqklb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe

C:\Windows\tpaqgxodwjatrxfu.exe

tpaqgxodwjatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tpaqgxodwjatrxfu.exe*."

C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\jhumexqhcrkffnxoze.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\jhumexqhcrkffnxoze.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\uthatnhzvlfbclwoagy.exe

uthatnhzvlfbclwoagy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe .

C:\Windows\jhumexqhcrkffnxoze.exe

jhumexqhcrkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c axjarjbrlzrlkraqa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c axjarjbrlzrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\jhumexqhcrkffnxoze.exe*."

C:\Windows\axjarjbrlzrlkraqa.exe

axjarjbrlzrlkraqa.exe

C:\Windows\axjarjbrlzrlkraqa.exe

axjarjbrlzrlkraqa.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\axjarjbrlzrlkraqa.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .

C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\wxnidzvpnfbzcnauiqklb.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\axjarjbrlzrlkraqa.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe .

C:\Windows\uthatnhzvlfbclwoagy.exe

uthatnhzvlfbclwoagy.exe

C:\Windows\tpaqgxodwjatrxfu.exe

tpaqgxodwjatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tpaqgxodwjatrxfu.exe*."

C:\Windows\hhwqkfatqhczblxqdkdd.exe

hhwqkfatqhczblxqdkdd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Windows\uthatnhzvlfbclwoagy.exe

uthatnhzvlfbclwoagy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\uthatnhzvlfbclwoagy.exe*."

C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\jhumexqhcrkffnxoze.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\hhwqkfatqhczblxqdkdd.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe

C:\Windows\jhumexqhcrkffnxoze.exe

jhumexqhcrkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe .

C:\Windows\hhwqkfatqhczblxqdkdd.exe

hhwqkfatqhczblxqdkdd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hhwqkfatqhczblxqdkdd.exe*."

C:\Windows\tpaqgxodwjatrxfu.exe

tpaqgxodwjatrxfu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c axjarjbrlzrlkraqa.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Windows\axjarjbrlzrlkraqa.exe

axjarjbrlzrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\axjarjbrlzrlkraqa.exe*."

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\wxnidzvpnfbzcnauiqklb.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe .

C:\Windows\uthatnhzvlfbclwoagy.exe

uthatnhzvlfbclwoagy.exe

C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe .

C:\Windows\uthatnhzvlfbclwoagy.exe

uthatnhzvlfbclwoagy.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\jhumexqhcrkffnxoze.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wxnidzvpnfbzcnauiqklb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\uthatnhzvlfbclwoagy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c axjarjbrlzrlkraqa.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe

C:\Windows\tpaqgxodwjatrxfu.exe

tpaqgxodwjatrxfu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .

C:\Windows\axjarjbrlzrlkraqa.exe

axjarjbrlzrlkraqa.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wxnidzvpnfbzcnauiqklb.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .

C:\Windows\hhwqkfatqhczblxqdkdd.exe

hhwqkfatqhczblxqdkdd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wxnidzvpnfbzcnauiqklb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c axjarjbrlzrlkraqa.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe

C:\Windows\tpaqgxodwjatrxfu.exe

tpaqgxodwjatrxfu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\axjarjbrlzrlkraqa.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\wxnidzvpnfbzcnauiqklb.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hhwqkfatqhczblxqdkdd.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .

C:\Windows\axjarjbrlzrlkraqa.exe

axjarjbrlzrlkraqa.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\axjarjbrlzrlkraqa.exe*."

C:\Windows\hhwqkfatqhczblxqdkdd.exe

hhwqkfatqhczblxqdkdd.exe

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\jhumexqhcrkffnxoze.exe

jhumexqhcrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\wxnidzvpnfbzcnauiqklb.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\jhumexqhcrkffnxoze.exe*."

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe

C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .

C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe

C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe

C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe

C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tpaqgxodwjatrxfu.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tpaqgxodwjatrxfu.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\uthatnhzvlfbclwoagy.exe*."

C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe

C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .

C:\Windows\wxnidzvpnfbzcnauiqklb.exe

wxnidzvpnfbzcnauiqklb.exe

C:\Windows\wxnidzvpnfbzcnauiqklb.exe

wxnidzvpnfbzcnauiqklb.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\uthatnhzvlfbclwoagy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\wxnidzvpnfbzcnauiqklb.exe*."

C:\Windows\uthatnhzvlfbclwoagy.exe

uthatnhzvlfbclwoagy.exe

C:\Windows\wxnidzvpnfbzcnauiqklb.exe

wxnidzvpnfbzcnauiqklb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe .

C:\Windows\uthatnhzvlfbclwoagy.exe

uthatnhzvlfbclwoagy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\uthatnhzvlfbclwoagy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe .

C:\Windows\hhwqkfatqhczblxqdkdd.exe

hhwqkfatqhczblxqdkdd.exe

C:\Windows\hhwqkfatqhczblxqdkdd.exe

hhwqkfatqhczblxqdkdd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe

C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe

C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hhwqkfatqhczblxqdkdd.exe*."

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\wxnidzvpnfbzcnauiqklb.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\wxnidzvpnfbzcnauiqklb.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c axjarjbrlzrlkraqa.exe

C:\Windows\axjarjbrlzrlkraqa.exe

axjarjbrlzrlkraqa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe .

C:\Windows\jhumexqhcrkffnxoze.exe

jhumexqhcrkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\jhumexqhcrkffnxoze.exe*."

C:\Windows\tpaqgxodwjatrxfu.exe

tpaqgxodwjatrxfu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

C:\Windows\hhwqkfatqhczblxqdkdd.exe

hhwqkfatqhczblxqdkdd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hhwqkfatqhczblxqdkdd.exe*."

C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe

C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\uthatnhzvlfbclwoagy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\jhumexqhcrkffnxoze.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe

C:\Windows\hhwqkfatqhczblxqdkdd.exe

hhwqkfatqhczblxqdkdd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe .

C:\Windows\uthatnhzvlfbclwoagy.exe

uthatnhzvlfbclwoagy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c axjarjbrlzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\uthatnhzvlfbclwoagy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe .

C:\Windows\axjarjbrlzrlkraqa.exe

axjarjbrlzrlkraqa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Windows\hhwqkfatqhczblxqdkdd.exe

hhwqkfatqhczblxqdkdd.exe .

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hhwqkfatqhczblxqdkdd.exe*."

C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe

C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\uthatnhzvlfbclwoagy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\jhumexqhcrkffnxoze.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe

C:\Windows\hhwqkfatqhczblxqdkdd.exe

hhwqkfatqhczblxqdkdd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe .

C:\Windows\tpaqgxodwjatrxfu.exe

tpaqgxodwjatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tpaqgxodwjatrxfu.exe*."

C:\Windows\uthatnhzvlfbclwoagy.exe

uthatnhzvlfbclwoagy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Windows\hhwqkfatqhczblxqdkdd.exe

hhwqkfatqhczblxqdkdd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hhwqkfatqhczblxqdkdd.exe*."

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tpaqgxodwjatrxfu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\hhwqkfatqhczblxqdkdd.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c axjarjbrlzrlkraqa.exe

C:\Windows\axjarjbrlzrlkraqa.exe

axjarjbrlzrlkraqa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe .

C:\Windows\tpaqgxodwjatrxfu.exe

tpaqgxodwjatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tpaqgxodwjatrxfu.exe*."

C:\Windows\uthatnhzvlfbclwoagy.exe

uthatnhzvlfbclwoagy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\hhwqkfatqhczblxqdkdd.exe

hhwqkfatqhczblxqdkdd.exe .

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hhwqkfatqhczblxqdkdd.exe*."

C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\axjarjbrlzrlkraqa.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\hhwqkfatqhczblxqdkdd.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe

C:\Windows\tpaqgxodwjatrxfu.exe

tpaqgxodwjatrxfu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c axjarjbrlzrlkraqa.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\axjarjbrlzrlkraqa.exe

axjarjbrlzrlkraqa.exe .

C:\Windows\uthatnhzvlfbclwoagy.exe

uthatnhzvlfbclwoagy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\axjarjbrlzrlkraqa.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe .

C:\Windows\jhumexqhcrkffnxoze.exe

jhumexqhcrkffnxoze.exe

C:\Windows\hhwqkfatqhczblxqdkdd.exe

hhwqkfatqhczblxqdkdd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c axjarjbrlzrlkraqa.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\uthatnhzvlfbclwoagy.exe

uthatnhzvlfbclwoagy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hhwqkfatqhczblxqdkdd.exe*."

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c axjarjbrlzrlkraqa.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\uthatnhzvlfbclwoagy.exe*."

C:\Windows\tpaqgxodwjatrxfu.exe

tpaqgxodwjatrxfu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .

C:\Windows\axjarjbrlzrlkraqa.exe

axjarjbrlzrlkraqa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Windows\uthatnhzvlfbclwoagy.exe

uthatnhzvlfbclwoagy.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tpaqgxodwjatrxfu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe .

C:\Windows\axjarjbrlzrlkraqa.exe

axjarjbrlzrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\uthatnhzvlfbclwoagy.exe*."

C:\Windows\hhwqkfatqhczblxqdkdd.exe

hhwqkfatqhczblxqdkdd.exe

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe

C:\Windows\jhumexqhcrkffnxoze.exe

jhumexqhcrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\axjarjbrlzrlkraqa.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tpaqgxodwjatrxfu.exe*."

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\jhumexqhcrkffnxoze.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\jhumexqhcrkffnxoze.exe*."

Network

Country Destination Domain Proto
US 8.8.8.8:53 whatismyipaddress.com udp
US 104.19.223.79:80 whatismyipaddress.com tcp
US 8.8.8.8:53 www.showmyipaddress.com udp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 8.8.8.8:53 whatismyip.everdot.org udp
US 8.8.8.8:53 www.whatismyip.ca udp
US 8.8.8.8:53 www.whatismyip.com udp
US 172.66.43.169:80 www.whatismyip.com tcp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 104.19.223.79:80 whatismyipaddress.com tcp
US 8.8.8.8:53 www.whatismyip.ca udp
US 8.8.8.8:53 whatismyip.everdot.org udp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 104.19.223.79:80 whatismyipaddress.com tcp
US 104.19.223.79:80 whatismyipaddress.com tcp
US 8.8.8.8:53 www.whatismyip.ca udp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 8.8.8.8:53 whatismyip.everdot.org udp
US 172.66.43.169:80 www.whatismyip.com tcp
US 104.19.223.79:80 whatismyipaddress.com tcp
US 172.66.43.169:80 www.whatismyip.com tcp
US 104.19.223.79:80 whatismyipaddress.com tcp
US 8.8.8.8:53 www.adobe.com udp
GB 2.19.252.142:80 www.adobe.com tcp
GB 142.250.187.195:80 c.pki.goog tcp
US 8.8.8.8:53 www.myspace.com udp
US 34.111.176.156:80 www.myspace.com tcp
BG 89.215.188.160:17364 tcp
US 8.8.8.8:53 gyuuym.org udp
DE 85.214.228.140:80 gyuuym.org tcp
US 8.8.8.8:53 vixeyml.org udp
US 8.8.8.8:53 jfamjz.net udp
US 8.8.8.8:53 unxfuild.info udp
SG 18.142.91.111:80 unxfuild.info tcp
LT 78.62.20.97:14365 tcp
LT 78.63.85.38:22474 tcp
BG 89.215.38.82:21301 tcp
US 8.8.8.8:53 jouerpzu.info udp
US 8.8.8.8:53 bhxpgyru.net udp
US 8.8.8.8:53 zylacipesou.info udp
CY 213.7.147.164:14151 tcp
US 8.8.8.8:53 tnbsvoiez.info udp
US 8.8.8.8:53 ywfojfbqxgb.info udp
US 8.8.8.8:53 ggoiukqgsikq.org udp
US 8.8.8.8:53 udzdjiddn.net udp
US 8.8.8.8:53 zyuzopbtlq.net udp
US 8.8.8.8:53 fffglbh.org udp
US 8.8.8.8:53 fadgruvodnvg.info udp
US 8.8.8.8:53 sopodotkd.info udp
US 8.8.8.8:53 aeaieoiqyewc.com udp
US 8.8.8.8:53 ufmdcv.info udp
US 8.8.8.8:53 ygoukmwg.org udp
US 8.8.8.8:53 aquiagkwko.com udp
US 8.8.8.8:53 ertcganbd.info udp
US 8.8.8.8:53 yxvlcp.net udp
US 8.8.8.8:53 pcqumbtzb.org udp
US 8.8.8.8:53 cydlrge.info udp
US 104.156.155.94:80 cydlrge.info tcp
US 8.8.8.8:53 ksokymqagy.com udp
US 8.8.8.8:53 xngxgeldjm.net udp
US 8.8.8.8:53 oasokkim.com udp
US 8.8.8.8:53 mjotpzfbosdh.info udp
US 8.8.8.8:53 izrzxfant.net udp
US 8.8.8.8:53 oyxjzglbsbwn.net udp
US 8.8.8.8:53 jqkvtsqsbmj.com udp
US 8.8.8.8:53 luvehemiri.info udp
US 8.8.8.8:53 godkogz.info udp
US 8.8.8.8:53 vknyfehcj.org udp
US 8.8.8.8:53 lalckpw.org udp
US 8.8.8.8:53 mskityfix.info udp
US 8.8.8.8:53 qopbhqp.net udp
US 8.8.8.8:53 tasyvqzmz.info udp
US 8.8.8.8:53 hmfurcniz.info udp
US 8.8.8.8:53 cnbscgxaiuv.info udp
US 8.8.8.8:53 qqawkwkiawuu.com udp
US 8.8.8.8:53 oyiacseoky.com udp
US 8.8.8.8:53 wsiusmaqyuus.com udp
US 8.8.8.8:53 qcwckw.org udp
US 8.8.8.8:53 guqecwocem.com udp
US 8.8.8.8:53 rnozhndhgj.info udp
US 8.8.8.8:53 ddpobim.org udp
US 8.8.8.8:53 abzgjamqp.info udp
US 8.8.8.8:53 iugeqgskqoes.com udp
US 8.8.8.8:53 trgcqufmzizj.info udp
US 8.8.8.8:53 uewemigwqaku.com udp
US 8.8.8.8:53 ewhqxezcwwc.net udp
US 8.8.8.8:53 iqjcdybekjl.net udp
US 8.8.8.8:53 uuuxor.net udp
US 8.8.8.8:53 aiosocow.org udp
US 8.8.8.8:53 macguv.info udp
US 8.8.8.8:53 euaeeo.com udp
US 8.8.8.8:53 tjeups.net udp
US 8.8.8.8:53 yoaoooewyeeo.com udp
US 8.8.8.8:53 bkfbuizq.info udp
US 8.8.8.8:53 masuce.org udp
US 8.8.8.8:53 mdhpuesj.net udp
US 8.8.8.8:53 sbjatavb.info udp
US 8.8.8.8:53 meueoaykmwmm.com udp
US 8.8.8.8:53 timtcaebmlsi.info udp
US 8.8.8.8:53 jtznnsx.info udp
US 8.8.8.8:53 rsrtksvsmq.info udp
US 8.8.8.8:53 dqjrswwie.com udp
US 8.8.8.8:53 zkgcposmhdp.info udp
US 8.8.8.8:53 oujkfmh.info udp
US 8.8.8.8:53 vrxmprngmlhk.net udp
US 8.8.8.8:53 itpkbzd.net udp
US 8.8.8.8:53 wqqysoaaei.org udp
US 8.8.8.8:53 urbvuqt.net udp
US 8.8.8.8:53 vioktojcz.info udp
US 8.8.8.8:53 hcyals.info udp
US 8.8.8.8:53 lwakfxmq.info udp
MD 92.114.143.205:14909 tcp
US 8.8.8.8:53 ehlwnqv.net udp
US 8.8.8.8:53 caqoomko.org udp
US 8.8.8.8:53 ydgmbeigpep.info udp
US 8.8.8.8:53 eznabol.net udp
US 8.8.8.8:53 jbmfgsdhixqp.net udp
US 8.8.8.8:53 zeagfxhz.net udp
US 8.8.8.8:53 klqmnybibg.net udp
US 8.8.8.8:53 qhfqvojanyh.net udp
US 8.8.8.8:53 lenibyekxyv.info udp
US 8.8.8.8:53 hekogukffjjs.net udp
US 8.8.8.8:53 lyxmnybibg.info udp
US 8.8.8.8:53 hiwchewmzkge.net udp
US 8.8.8.8:53 tgliuodiu.com udp
US 8.8.8.8:53 lcvffplcdbwd.net udp
US 8.8.8.8:53 dkouvubcpovf.info udp
US 8.8.8.8:53 qmfnhfxkh.info udp
US 8.8.8.8:53 rbhajqjgxun.info udp
US 8.8.8.8:53 xyvmqzpiiw.net udp
US 8.8.8.8:53 elyorhnv.info udp
US 8.8.8.8:53 cuqmwgaumq.com udp
US 8.8.8.8:53 lggkpgvhp.com udp
US 8.8.8.8:53 ugcygcyup.info udp
US 8.8.8.8:53 kuoqmsakuo.org udp
US 8.8.8.8:53 jkzxjpbitkv.info udp
US 8.8.8.8:53 zyfitez.info udp
US 8.8.8.8:53 lmjkjd.info udp
US 8.8.8.8:53 polcvcnmw.info udp
US 8.8.8.8:53 wycewq.org udp
US 8.8.8.8:53 vbiblqupi.com udp
US 8.8.8.8:53 leqdurjb.net udp
US 8.8.8.8:53 oavepmbqny.info udp
US 8.8.8.8:53 umqegg.com udp
US 8.8.8.8:53 ncshwn.net udp
US 8.8.8.8:53 ykzzgb.net udp
US 8.8.8.8:53 hqfzqntdhhz.org udp
US 8.8.8.8:53 eozvtyi.net udp
US 8.8.8.8:53 dxikspgshgbk.info udp
US 8.8.8.8:53 gsmmohjnjbln.info udp
US 8.8.8.8:53 ueirvjxxlh.net udp
US 8.8.8.8:53 lgmwshpwdp.net udp
US 8.8.8.8:53 uaiaoacq.org udp
US 8.8.8.8:53 nawwvylul.info udp
US 8.8.8.8:53 bhpmiura.info udp
US 8.8.8.8:53 tubqnhaq.info udp
US 8.8.8.8:53 zgrjrexb.net udp
BG 93.152.140.68:22227 tcp
US 8.8.8.8:53 hbowpc.info udp
US 8.8.8.8:53 gwoulyvd.net udp
US 8.8.8.8:53 gvlliv.net udp
US 8.8.8.8:53 zndmeitwdxv.org udp
US 8.8.8.8:53 lofoabbqebr.net udp
US 8.8.8.8:53 eeueccewmeem.com udp
US 8.8.8.8:53 ncnpflbqh.org udp
US 8.8.8.8:53 yemmhoaqcgu.info udp
US 8.8.8.8:53 kpvipxfatg.info udp
US 8.8.8.8:53 qepnjwzsuai.net udp
US 8.8.8.8:53 gthoprfe.net udp
US 8.8.8.8:53 dkhgjgc.com udp
US 8.8.8.8:53 zvhjumbkrexn.info udp
US 8.8.8.8:53 bhbexwnv.info udp
US 8.8.8.8:53 urlktaykf.info udp
US 8.8.8.8:53 bqfrjyi.net udp
US 8.8.8.8:53 gmhgjm.info udp
US 8.8.8.8:53 tyxtwjxsfk.net udp
US 8.8.8.8:53 vlpxze.info udp
US 8.8.8.8:53 xptqveoglb.info udp
US 8.8.8.8:53 oyfxxr.info udp
US 8.8.8.8:53 drbxhnek.net udp
US 8.8.8.8:53 qhtvsohf.net udp
US 8.8.8.8:53 skywyumxq.net udp
US 8.8.8.8:53 rgxledaohfbs.net udp
US 8.8.8.8:53 ceiwggwiewus.org udp
US 8.8.8.8:53 ggpanll.info udp
US 8.8.8.8:53 whlulmi.info udp
US 8.8.8.8:53 akueai.com udp
US 8.8.8.8:53 gzwufttddhbn.net udp
US 8.8.8.8:53 fnhmmghwp.com udp
US 8.8.8.8:53 frujpmsf.info udp
US 8.8.8.8:53 nshdioh.net udp
US 8.8.8.8:53 qxpnvdlsnknf.info udp
US 8.8.8.8:53 mcrsbyx.info udp
US 8.8.8.8:53 yksgusqg.org udp
BG 85.196.183.38:32018 tcp
US 8.8.8.8:53 dkhorijbr.info udp
US 8.8.8.8:53 ekqqcc.org udp
US 8.8.8.8:53 zspwvvhrzzge.info udp
US 8.8.8.8:53 iybscblusc.net udp
US 8.8.8.8:53 pgghfkx.info udp
US 8.8.8.8:53 vkdkrhjaj.com udp
US 8.8.8.8:53 ucoscauq.com udp
US 8.8.8.8:53 shdbtspqbgr.info udp
US 8.8.8.8:53 ycyeemamem.org udp
US 8.8.8.8:53 dwfkeogzvhjn.info udp
US 8.8.8.8:53 twibtwisycr.org udp
US 8.8.8.8:53 cphzyb.net udp
US 8.8.8.8:53 rowscl.info udp
US 8.8.8.8:53 ggdyzmybvip.info udp
US 8.8.8.8:53 aaliqunsnuv.info udp
US 8.8.8.8:53 qqlcfqhyprx.info udp
US 8.8.8.8:53 dflqknsl.net udp
US 8.8.8.8:53 fkjctuf.com udp
US 8.8.8.8:53 hsfzjawa.info udp
US 8.8.8.8:53 cyyltaholag.info udp
US 8.8.8.8:53 kqlqlqzoi.info udp
US 8.8.8.8:53 qtgqqinahbp.info udp
US 8.8.8.8:53 zpokdoo.org udp
US 8.8.8.8:53 dekxlrpihr.net udp
US 8.8.8.8:53 akuwmw.com udp
US 8.8.8.8:53 tcvuvhjwh.info udp
US 8.8.8.8:53 jftbmggsar.info udp
BG 78.154.23.239:30079 tcp
US 8.8.8.8:53 bxteiqiypzj.net udp
US 8.8.8.8:53 xcjshdzfzzj.net udp
US 8.8.8.8:53 bnlmxgz.com udp
US 8.8.8.8:53 iczwzsy.info udp
US 8.8.8.8:53 jubvpax.info udp
US 8.8.8.8:53 nogbdz.net udp
US 8.8.8.8:53 thnidplde.net udp
US 8.8.8.8:53 zebskofwmtc.org udp
US 8.8.8.8:53 aknsgwkcl.net udp
US 8.8.8.8:53 obnwfmzxjodu.info udp
US 8.8.8.8:53 xoffpr.net udp
US 8.8.8.8:53 iuiuqvk.info udp
US 8.8.8.8:53 ecbwysbz.info udp
US 8.8.8.8:53 vvikfqnavsxs.net udp
US 8.8.8.8:53 vsuuoui.info udp
US 8.8.8.8:53 lqnmpytum.info udp
US 8.8.8.8:53 njmyupro.net udp
US 8.8.8.8:53 akpmzeber.net udp
US 8.8.8.8:53 ocyarojchal.info udp
US 8.8.8.8:53 qmlnpqahwgsu.info udp
US 8.8.8.8:53 xrpwmsl.info udp
US 8.8.8.8:53 hmwutyrzvjq.info udp
US 8.8.8.8:53 ttgfvdvenk.net udp
US 8.8.8.8:53 iusioomq.org udp
US 8.8.8.8:53 lsvwtj.net udp
US 8.8.8.8:53 bxbznytnei.info udp
US 8.8.8.8:53 didppcnmb.info udp
US 8.8.8.8:53 wcsbrpz.net udp
US 8.8.8.8:53 mwlkrce.net udp
US 8.8.8.8:53 rpecwiq.info udp
US 8.8.8.8:53 omqjjcjjfr.net udp
US 8.8.8.8:53 dpvajdvu.net udp
US 8.8.8.8:53 zybspgpxr.com udp
US 8.8.8.8:53 uwcuws.org udp
US 8.8.8.8:53 txgchkhep.org udp
US 8.8.8.8:53 htecemp.info udp
US 8.8.8.8:53 gckzqp.info udp
US 8.8.8.8:53 weckqk.com udp
US 8.8.8.8:53 wqqmyk.com udp
US 8.8.8.8:53 gifnbyxotha.net udp
US 8.8.8.8:53 azlfou.info udp
US 8.8.8.8:53 vtwblsrkx.com udp
US 8.8.8.8:53 umyicieyee.org udp
US 8.8.8.8:53 wbfqtmtdtvle.info udp
US 8.8.8.8:53 pngqhitepiz.info udp
US 8.8.8.8:53 hybjmgmzerjz.info udp
US 8.8.8.8:53 ycsyskgqayum.org udp
US 8.8.8.8:53 qyfarqhcyow.net udp
US 8.8.8.8:53 vcsuct.net udp
US 8.8.8.8:53 tohgfcpaq.info udp
US 8.8.8.8:53 qgrevs.net udp
US 8.8.8.8:53 xxcsfot.com udp
US 8.8.8.8:53 mulcvdg.info udp
US 8.8.8.8:53 fsyczawoha.info udp
US 8.8.8.8:53 dqnhjkjgasf.com udp
US 8.8.8.8:53 siggqwnovln.net udp
US 8.8.8.8:53 nebmlmbvdbt.net udp
US 8.8.8.8:53 zndcrtkztl.info udp
US 8.8.8.8:53 pfqfcw.info udp
US 8.8.8.8:53 janrpedad.net udp
US 8.8.8.8:53 atkzfclhbift.info udp
US 8.8.8.8:53 wchkrdcmtbz.net udp
US 8.8.8.8:53 xdwxvmgmv.info udp
BG 79.124.34.169:14148 tcp
US 8.8.8.8:53 dyfohnu.info udp
US 8.8.8.8:53 qgxeagrfp.info udp
US 8.8.8.8:53 wueysyqiyg.org udp
US 8.8.8.8:53 itwwovfpb.net udp
US 8.8.8.8:53 uolxayt.net udp
US 8.8.8.8:53 ueiewkmwyqqu.com udp
US 8.8.8.8:53 vyzwprpfzyh.net udp
US 8.8.8.8:53 jjrefkv.net udp
US 8.8.8.8:53 vteivueg.net udp
US 8.8.8.8:53 uuesbj.info udp
US 8.8.8.8:53 kjskvzf.info udp
US 8.8.8.8:53 zsymnwiep.org udp
US 8.8.8.8:53 fmzdvwqcyr.net udp
US 8.8.8.8:53 pkrdwuipfrfr.info udp

Files

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

MD5 1bfab26466074e48dbf0d35886b0929d
SHA1 849d8dc497d1ba446ba748e9e579885573f7247a
SHA256 8d366cb18fdc73a1f5247e36ae1a049a2f04ca997a2c982d4785b1b263023511
SHA512 c126cfdd6281805cc7ac0d269981e616f89d66021876370cc75581cf329573095329919738d51a163e2b3399876bf6413348a4ebac9e14e96ccd07ecc1def0d8

C:\Windows\SysWOW64\jhumexqhcrkffnxoze.exe

MD5 bbd7b871140426c0f77e65b9c18dbcf1
SHA1 f107fdc5b346882994efb09ba63b85e696679e4d
SHA256 2e69cd89b60105229d7465e33802b3ff410aa6c470320732b23b88fa48572f9b
SHA512 c30ec761442c26b0f8c86eae2aebbd09c864a2587a27ca300b7c4669eb91efd88a2a05aae21020ae3c08ba690f472a551bc85b9d83967160758aaa3c9c6ff322

C:\Users\Admin\AppData\Local\Temp\whhmr.exe

MD5 2ef8661866c21e2bd6d43351fb4d9021
SHA1 9c1788f29cabe212af943e1b73ab5c7bcbfb9aaa
SHA256 7c2d79e1f350f1f0a9f34ddb7f3944ba06e7a7c59480cd3feb705093286c9115
SHA512 1ce99538aee6aa4a4972abdcbfaecb36bf8d9cd2c92520ab3308dbbf467f0a4f737fc370c8127f3f03f34f3f82c368a508180d016d3319f6146d002b22a16807

C:\Users\Admin\AppData\Local\ldkwivitiretnptejitlseqdqbqzmbvxbm.qbt

MD5 62fd636fe768981cc8279437a0a76594
SHA1 fbde71dd35f1a5d6e180eeeb75afa99efe8559af
SHA256 2f4418ebdc18ddd5d10eee073cfb128054e833b75ae645a5ad1fbebf0beb133e
SHA512 1798ed912de4f4d8bf1c870c9ec1b56c953b3836d702a790ae7d3f244aeed01d86cc0057b7ba91c685a34feacb971625b130a2f9cccda8f5eb976de16c49a922

C:\Users\Admin\AppData\Local\yfbcdfhhljlpypiicqqxtuv.zzd

MD5 c0a9e3512d04736fcedeac2493480e12
SHA1 7dc964fcf841e63b0d15b09baad440361e47b22d
SHA256 c69a5a336cf04f8273e18e47d69dc45272679ae83b1e34806b1e2617f799d502
SHA512 be5ad815b667e09a4e5a630b5c149e08101d6cc418f92ad1033101bf6ce5d5c60dda196331606c0b27f873f99074c79444685bf3a42d7d045b9b3cf6f638c234

C:\Program Files (x86)\yfbcdfhhljlpypiicqqxtuv.zzd

MD5 036947fa848999b46e716e77f12162f5
SHA1 93a98886d66b09a92db40bc19ca183697d9e8654
SHA256 ca5b542a622bae59d9be14eb816dd259fa403ff7e683b30303cf4b01de491f5c
SHA512 7924a67d74e2dd7aa7553ddca4b8cfc55d272d793ee731ffbf76b89a7b8f888d1e6634d76a9d1766413c786ae3824361301aff68adca5d406fe8d5e8603e67cc

C:\Program Files (x86)\yfbcdfhhljlpypiicqqxtuv.zzd

MD5 2e3d36e67888255e81d42a7a2ee99f33
SHA1 c4ae8426543eb8ab823a66953c7925a86578f96a
SHA256 a2f7618d0320242e907106ff3b41e6ab4a21bfa23d2c8ba3e692756fe61ff3d9
SHA512 552344e546e019eeff9f6f689651c56f5030e4ccb6a20064b6a994733c02798553c1974ef5ca255f62288a184a50af31c7111b939eb83ff66ede0bd73c254537

C:\Program Files (x86)\yfbcdfhhljlpypiicqqxtuv.zzd

MD5 e1de8676ad80893e57a4fc4fbbccc99b
SHA1 cc9c57abf5289bf7cf1edf262b6e38c78201be70
SHA256 f200885998e7f72bd2b81968db7b29bf67950d0520d206b17de7fcafaa4a7478
SHA512 74c65539d7ccd72440df26902cfaa6cf13d91814485edbbb7044ae404cbe55d8bddb9519c9d9b18286a0279b1345f33a6820acc7fa26ed9601eec35e7ed100cc

C:\Program Files (x86)\yfbcdfhhljlpypiicqqxtuv.zzd

MD5 e16243ab4bfdd9863ac814d6a98eeee4
SHA1 59fbfd444729f6385e54baa3e51e93b52be719e2
SHA256 6b8150a511584bb6415700707abcaede53c6a1b098842e369f0efce19d47cab4
SHA512 146b398c880f0a60849668776fa9922388c53d0dcd43b4a60b2f08956a2e4efdaef3b26b3fab71a675edd0040826e4d1ab74bac749f98f5f343a40ff9cefd43c

Analysis: behavioral2

Detonation Overview

Submitted

2025-04-18 00:44

Reported

2025-04-18 00:47

Platform

win11-20250411-en

Max time kernel

60s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A

Pykspa

worm pykspa

Pykspa family

pykspa

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A

Detect Pykspa worm

worm
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zorcpuhqy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zwhavidukxouzbthl.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zorcpuhqy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gguqoecwpfziqvqhozcc.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kciwmukwhpbc = "tsfaxmjcujckrvpflvx.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kciwmukwhpbc = "igsmiwskbphouxqfkt.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kciwmukwhpbc = "soyqkwqgvhxcghyl.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zorcpuhqy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\soyqkwqgvhxcghyl.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kciwmukwhpbc = "gguqoecwpfziqvqhozcc.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kciwmukwhpbc = "zwhavidukxouzbthl.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zorcpuhqy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tsfaxmjcujckrvpflvx.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zorcpuhqy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tsfaxmjcujckrvpflvx.exe" C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kciwmukwhpbc = "zwhavidukxouzbthl.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zorcpuhqy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\igsmiwskbphouxqfkt.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kciwmukwhpbc = "igsmiwskbphouxqfkt.exe" C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zorcpuhqy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\igsmiwskbphouxqfkt.exe" C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kciwmukwhpbc = "gguqoecwpfziqvqhozcc.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kciwmukwhpbc = "gguqoecwpfziqvqhozcc.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zorcpuhqy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gguqoecwpfziqvqhozcc.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kciwmukwhpbc = "zwhavidukxouzbthl.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kciwmukwhpbc = "zwhavidukxouzbthl.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zorcpuhqy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gguqoecwpfziqvqhozcc.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zorcpuhqy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zwhavidukxouzbthl.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kciwmukwhpbc = "soyqkwqgvhxcghyl.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zorcpuhqy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vwlihyxsmdyirxtltfjkz.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zorcpuhqy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\soyqkwqgvhxcghyl.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zorcpuhqy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tsfaxmjcujckrvpflvx.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kciwmukwhpbc = "igsmiwskbphouxqfkt.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kciwmukwhpbc = "vwlihyxsmdyirxtltfjkz.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kciwmukwhpbc = "soyqkwqgvhxcghyl.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kciwmukwhpbc = "zwhavidukxouzbthl.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kciwmukwhpbc = "vwlihyxsmdyirxtltfjkz.exe" C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zorcpuhqy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tsfaxmjcujckrvpflvx.exe" C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zorcpuhqy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zwhavidukxouzbthl.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zorcpuhqy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tsfaxmjcujckrvpflvx.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zorcpuhqy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\igsmiwskbphouxqfkt.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zorcpuhqy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\soyqkwqgvhxcghyl.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zorcpuhqy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\igsmiwskbphouxqfkt.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zorcpuhqy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\soyqkwqgvhxcghyl.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zorcpuhqy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zwhavidukxouzbthl.exe" C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kciwmukwhpbc = "soyqkwqgvhxcghyl.exe" C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zorcpuhqy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gguqoecwpfziqvqhozcc.exe" C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zorcpuhqy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gguqoecwpfziqvqhozcc.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zorcpuhqy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vwlihyxsmdyirxtltfjkz.exe" C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kciwmukwhpbc = "vwlihyxsmdyirxtltfjkz.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kciwmukwhpbc = "tsfaxmjcujckrvpflvx.exe" C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kciwmukwhpbc = "soyqkwqgvhxcghyl.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zorcpuhqy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vwlihyxsmdyirxtltfjkz.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kciwmukwhpbc = "zwhavidukxouzbthl.exe" C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kciwmukwhpbc = "zwhavidukxouzbthl.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A

Disables RegEdit via registry modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
N/A N/A C:\Windows\igsmiwskbphouxqfkt.exe N/A
N/A N/A C:\Windows\vwlihyxsmdyirxtltfjkz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
N/A N/A C:\Windows\tsfaxmjcujckrvpflvx.exe N/A
N/A N/A C:\Windows\igsmiwskbphouxqfkt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
N/A N/A C:\Windows\tsfaxmjcujckrvpflvx.exe N/A
N/A N/A C:\Windows\gguqoecwpfziqvqhozcc.exe N/A
N/A N/A C:\Windows\tsfaxmjcujckrvpflvx.exe N/A
N/A N/A C:\Windows\gguqoecwpfziqvqhozcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
N/A N/A C:\Windows\vwlihyxsmdyirxtltfjkz.exe N/A
N/A N/A C:\Windows\zwhavidukxouzbthl.exe N/A
N/A N/A C:\Windows\gguqoecwpfziqvqhozcc.exe N/A
N/A N/A C:\Windows\gguqoecwpfziqvqhozcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe N/A
N/A N/A C:\Windows\gguqoecwpfziqvqhozcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe N/A
N/A N/A C:\Windows\gguqoecwpfziqvqhozcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
N/A N/A C:\Windows\igsmiwskbphouxqfkt.exe N/A
N/A N/A C:\Windows\vwlihyxsmdyirxtltfjkz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
N/A N/A C:\Windows\gguqoecwpfziqvqhozcc.exe N/A
N/A N/A C:\Windows\zwhavidukxouzbthl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
N/A N/A C:\Windows\soyqkwqgvhxcghyl.exe N/A
N/A N/A C:\Windows\vwlihyxsmdyirxtltfjkz.exe N/A
N/A N/A C:\Windows\gguqoecwpfziqvqhozcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe N/A
N/A N/A C:\Windows\tsfaxmjcujckrvpflvx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe N/A
N/A N/A C:\Windows\gguqoecwpfziqvqhozcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
N/A N/A C:\Windows\gguqoecwpfziqvqhozcc.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nejwlshscju = "C:\\Users\\Admin\\AppData\\Local\\Temp\\soyqkwqgvhxcghyl.exe ." C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Run\jcjypypcoxkmn = "igsmiwskbphouxqfkt.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Run\jcjypypcoxkmn = "tsfaxmjcujckrvpflvx.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Run\simymsgqzf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vwlihyxsmdyirxtltfjkz.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nejwlshscju = "C:\\Users\\Admin\\AppData\\Local\\Temp\\soyqkwqgvhxcghyl.exe ." C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\soyqkwqgvhxcghyl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vwlihyxsmdyirxtltfjkz.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\simymsgqzf = "gguqoecwpfziqvqhozcc.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nejwlshscju = "C:\\Users\\Admin\\AppData\\Local\\Temp\\igsmiwskbphouxqfkt.exe ." C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nejwlshscju = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tsfaxmjcujckrvpflvx.exe ." C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nejwlshscju = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gguqoecwpfziqvqhozcc.exe ." C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nejwlshscju = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vwlihyxsmdyirxtltfjkz.exe ." C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\niribmfuitimppf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\igsmiwskbphouxqfkt.exe ." C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\soyqkwqgvhxcghyl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vwlihyxsmdyirxtltfjkz.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\soyqkwqgvhxcghyl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\soyqkwqgvhxcghyl.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\soyqkwqgvhxcghyl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zwhavidukxouzbthl.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\kemcuewkxhvyaz = "soyqkwqgvhxcghyl.exe ." C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\soyqkwqgvhxcghyl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\soyqkwqgvhxcghyl.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Run\jcjypypcoxkmn = "zwhavidukxouzbthl.exe" C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\kemcuewkxhvyaz = "igsmiwskbphouxqfkt.exe ." C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nejwlshscju = "zwhavidukxouzbthl.exe ." C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nejwlshscju = "igsmiwskbphouxqfkt.exe ." C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\niribmfuitimppf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\igsmiwskbphouxqfkt.exe ." C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nejwlshscju = "tsfaxmjcujckrvpflvx.exe ." C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Run\jcjypypcoxkmn = "soyqkwqgvhxcghyl.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\simymsgqzf = "gguqoecwpfziqvqhozcc.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\simymsgqzf = "gguqoecwpfziqvqhozcc.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Run\jcjypypcoxkmn = "tsfaxmjcujckrvpflvx.exe" C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nejwlshscju = "zwhavidukxouzbthl.exe ." C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\simymsgqzf = "vwlihyxsmdyirxtltfjkz.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nejwlshscju = "tsfaxmjcujckrvpflvx.exe ." C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\kemcuewkxhvyaz = "tsfaxmjcujckrvpflvx.exe ." C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Run\simymsgqzf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tsfaxmjcujckrvpflvx.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Run\simymsgqzf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vwlihyxsmdyirxtltfjkz.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\kemcuewkxhvyaz = "tsfaxmjcujckrvpflvx.exe ." C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\soyqkwqgvhxcghyl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tsfaxmjcujckrvpflvx.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Run\jcjypypcoxkmn = "igsmiwskbphouxqfkt.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Run\jcjypypcoxkmn = "soyqkwqgvhxcghyl.exe" C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nejwlshscju = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zwhavidukxouzbthl.exe ." C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Run\simymsgqzf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\soyqkwqgvhxcghyl.exe" C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nejwlshscju = "soyqkwqgvhxcghyl.exe ." C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nejwlshscju = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tsfaxmjcujckrvpflvx.exe ." C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\kemcuewkxhvyaz = "vwlihyxsmdyirxtltfjkz.exe ." C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Run\jcjypypcoxkmn = "soyqkwqgvhxcghyl.exe" C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nejwlshscju = "C:\\Users\\Admin\\AppData\\Local\\Temp\\igsmiwskbphouxqfkt.exe ." C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Run\simymsgqzf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zwhavidukxouzbthl.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\simymsgqzf = "gguqoecwpfziqvqhozcc.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nejwlshscju = "vwlihyxsmdyirxtltfjkz.exe ." C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Run\jcjypypcoxkmn = "zwhavidukxouzbthl.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nejwlshscju = "zwhavidukxouzbthl.exe ." C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nejwlshscju = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gguqoecwpfziqvqhozcc.exe ." C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\niribmfuitimppf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zwhavidukxouzbthl.exe ." C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\kemcuewkxhvyaz = "igsmiwskbphouxqfkt.exe ." C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\niribmfuitimppf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\soyqkwqgvhxcghyl.exe ." C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\niribmfuitimppf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\soyqkwqgvhxcghyl.exe ." C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Run\jcjypypcoxkmn = "gguqoecwpfziqvqhozcc.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\simymsgqzf = "soyqkwqgvhxcghyl.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\kemcuewkxhvyaz = "tsfaxmjcujckrvpflvx.exe ." C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nejwlshscju = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vwlihyxsmdyirxtltfjkz.exe ." C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nejwlshscju = "soyqkwqgvhxcghyl.exe ." C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Run\simymsgqzf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vwlihyxsmdyirxtltfjkz.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\soyqkwqgvhxcghyl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vwlihyxsmdyirxtltfjkz.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\kemcuewkxhvyaz = "vwlihyxsmdyirxtltfjkz.exe ." C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nejwlshscju = "gguqoecwpfziqvqhozcc.exe ." C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Run\jcjypypcoxkmn = "gguqoecwpfziqvqhozcc.exe" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A

Hijack Execution Flow: Executable Installer File Permissions Weakness

defense_evasion persistence privilege_escalation
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A whatismyip.everdot.org N/A N/A
N/A whatismyipaddress.com N/A N/A
N/A www.showmyipaddress.com N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A whatismyip.everdot.org N/A N/A

Drops autorun.inf file

Description Indicator Process Target
File created C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\tsfaxmjcujckrvpflvx.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\SysWOW64\igsmiwskbphouxqfkt.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\SysWOW64\tsfaxmjcujckrvpflvx.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\SysWOW64\tsfaxmjcujckrvpflvx.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\SysWOW64\igsmiwskbphouxqfkt.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\SysWOW64\moeccuuqldzkubyransuki.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\SysWOW64\soyqkwqgvhxcghyl.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\SysWOW64\tsfaxmjcujckrvpflvx.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\SysWOW64\zwhavidukxouzbthl.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\SysWOW64\tsfaxmjcujckrvpflvx.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\SysWOW64\zwhavidukxouzbthl.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\SysWOW64\soyqkwqgvhxcghyl.exe C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
File opened for modification C:\Windows\SysWOW64\gguqoecwpfziqvqhozcc.exe C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
File opened for modification C:\Windows\SysWOW64\soyqkwqgvhxcghyl.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\SysWOW64\wcwycyccbxxmalmjwnwcwy.ycc C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
File opened for modification C:\Windows\SysWOW64\gguqoecwpfziqvqhozcc.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\SysWOW64\tsfaxmjcujckrvpflvx.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\SysWOW64\soyqkwqgvhxcghyl.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\SysWOW64\moeccuuqldzkubyransuki.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\SysWOW64\zwhavidukxouzbthl.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\SysWOW64\gguqoecwpfziqvqhozcc.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\SysWOW64\vwlihyxsmdyirxtltfjkz.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\SysWOW64\moeccuuqldzkubyransuki.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\SysWOW64\soyqkwqgvhxcghyl.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\SysWOW64\moeccuuqldzkubyransuki.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\SysWOW64\vwlihyxsmdyirxtltfjkz.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\SysWOW64\gguqoecwpfziqvqhozcc.exe C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
File opened for modification C:\Windows\SysWOW64\vwlihyxsmdyirxtltfjkz.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\SysWOW64\soyqkwqgvhxcghyl.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\SysWOW64\zwhavidukxouzbthl.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\SysWOW64\soyqkwqgvhxcghyl.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\SysWOW64\gguqoecwpfziqvqhozcc.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\SysWOW64\igsmiwskbphouxqfkt.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\SysWOW64\gguqoecwpfziqvqhozcc.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\SysWOW64\vwlihyxsmdyirxtltfjkz.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\SysWOW64\vwlihyxsmdyirxtltfjkz.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\SysWOW64\tsfaxmjcujckrvpflvx.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\SysWOW64\soyqkwqgvhxcghyl.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\SysWOW64\soyqkwqgvhxcghyl.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\SysWOW64\vwlihyxsmdyirxtltfjkz.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\SysWOW64\soyqkwqgvhxcghyl.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\SysWOW64\soyqkwqgvhxcghyl.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\SysWOW64\igsmiwskbphouxqfkt.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\SysWOW64\gguqoecwpfziqvqhozcc.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\SysWOW64\gguqoecwpfziqvqhozcc.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\SysWOW64\igsmiwskbphouxqfkt.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\SysWOW64\vwlihyxsmdyirxtltfjkz.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\SysWOW64\soyqkwqgvhxcghyl.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\SysWOW64\zwhavidukxouzbthl.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\SysWOW64\tsfaxmjcujckrvpflvx.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\SysWOW64\soyqkwqgvhxcghyl.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\SysWOW64\soyqkwqgvhxcghyl.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\SysWOW64\zwhavidukxouzbthl.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\SysWOW64\tsfaxmjcujckrvpflvx.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\SysWOW64\tsfaxmjcujckrvpflvx.exe C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
File opened for modification C:\Windows\SysWOW64\soyqkwqgvhxcghyl.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\SysWOW64\igsmiwskbphouxqfkt.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\SysWOW64\gguqoecwpfziqvqhozcc.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\SysWOW64\igsmiwskbphouxqfkt.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\SysWOW64\soyqkwqgvhxcghyl.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\SysWOW64\tsfaxmjcujckrvpflvx.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\SysWOW64\gguqoecwpfziqvqhozcc.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\SysWOW64\tsfaxmjcujckrvpflvx.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\SysWOW64\gguqoecwpfziqvqhozcc.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\wcwycyccbxxmalmjwnwcwy.ycc C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
File created C:\Program Files (x86)\wcwycyccbxxmalmjwnwcwy.ycc C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
File opened for modification C:\Program Files (x86)\nejwlshscjuutpbjhjduzmbixiszkkjfr.xzt C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
File created C:\Program Files (x86)\nejwlshscjuutpbjhjduzmbixiszkkjfr.xzt C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\igsmiwskbphouxqfkt.exe C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
File opened for modification C:\Windows\moeccuuqldzkubyransuki.exe C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
File opened for modification C:\Windows\zwhavidukxouzbthl.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\soyqkwqgvhxcghyl.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\igsmiwskbphouxqfkt.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\soyqkwqgvhxcghyl.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\gguqoecwpfziqvqhozcc.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\soyqkwqgvhxcghyl.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\igsmiwskbphouxqfkt.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\vwlihyxsmdyirxtltfjkz.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\moeccuuqldzkubyransuki.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\gguqoecwpfziqvqhozcc.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\tsfaxmjcujckrvpflvx.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\gguqoecwpfziqvqhozcc.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\gguqoecwpfziqvqhozcc.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\tsfaxmjcujckrvpflvx.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\tsfaxmjcujckrvpflvx.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\moeccuuqldzkubyransuki.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\soyqkwqgvhxcghyl.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\igsmiwskbphouxqfkt.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\tsfaxmjcujckrvpflvx.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\gguqoecwpfziqvqhozcc.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\tsfaxmjcujckrvpflvx.exe C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
File created C:\Windows\wcwycyccbxxmalmjwnwcwy.ycc C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
File opened for modification C:\Windows\igsmiwskbphouxqfkt.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\gguqoecwpfziqvqhozcc.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\zwhavidukxouzbthl.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\soyqkwqgvhxcghyl.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\igsmiwskbphouxqfkt.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\vwlihyxsmdyirxtltfjkz.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\moeccuuqldzkubyransuki.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\igsmiwskbphouxqfkt.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\tsfaxmjcujckrvpflvx.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\soyqkwqgvhxcghyl.exe C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
File opened for modification C:\Windows\igsmiwskbphouxqfkt.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\zwhavidukxouzbthl.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\igsmiwskbphouxqfkt.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\vwlihyxsmdyirxtltfjkz.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\igsmiwskbphouxqfkt.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\zwhavidukxouzbthl.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\soyqkwqgvhxcghyl.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\moeccuuqldzkubyransuki.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\moeccuuqldzkubyransuki.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\vwlihyxsmdyirxtltfjkz.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\igsmiwskbphouxqfkt.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\vwlihyxsmdyirxtltfjkz.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\igsmiwskbphouxqfkt.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\zwhavidukxouzbthl.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\soyqkwqgvhxcghyl.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\vwlihyxsmdyirxtltfjkz.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\moeccuuqldzkubyransuki.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\moeccuuqldzkubyransuki.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\zwhavidukxouzbthl.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\tsfaxmjcujckrvpflvx.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\moeccuuqldzkubyransuki.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\igsmiwskbphouxqfkt.exe C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
File opened for modification C:\Windows\nejwlshscjuutpbjhjduzmbixiszkkjfr.xzt C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
File opened for modification C:\Windows\gguqoecwpfziqvqhozcc.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\zwhavidukxouzbthl.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\vwlihyxsmdyirxtltfjkz.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\moeccuuqldzkubyransuki.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\tsfaxmjcujckrvpflvx.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
File opened for modification C:\Windows\zwhavidukxouzbthl.exe C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
File opened for modification C:\Windows\soyqkwqgvhxcghyl.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\vwlihyxsmdyirxtltfjkz.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\vwlihyxsmdyirxtltfjkz.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\igsmiwskbphouxqfkt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\gguqoecwpfziqvqhozcc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\soyqkwqgvhxcghyl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\gguqoecwpfziqvqhozcc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\igsmiwskbphouxqfkt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\gguqoecwpfziqvqhozcc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\tsfaxmjcujckrvpflvx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\tsfaxmjcujckrvpflvx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\tsfaxmjcujckrvpflvx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\tsfaxmjcujckrvpflvx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\igsmiwskbphouxqfkt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\zwhavidukxouzbthl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\zwhavidukxouzbthl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\gguqoecwpfziqvqhozcc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\tsfaxmjcujckrvpflvx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\soyqkwqgvhxcghyl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\zwhavidukxouzbthl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\zwhavidukxouzbthl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\soyqkwqgvhxcghyl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\zwhavidukxouzbthl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\soyqkwqgvhxcghyl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\soyqkwqgvhxcghyl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\zwhavidukxouzbthl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\igsmiwskbphouxqfkt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\gguqoecwpfziqvqhozcc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\igsmiwskbphouxqfkt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\vwlihyxsmdyirxtltfjkz.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\igsmiwskbphouxqfkt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\gguqoecwpfziqvqhozcc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\soyqkwqgvhxcghyl.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2056 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
PID 2056 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
PID 2056 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
PID 4736 wrote to memory of 5036 N/A C:\Windows\system32\cmd.exe C:\Windows\igsmiwskbphouxqfkt.exe
PID 4736 wrote to memory of 5036 N/A C:\Windows\system32\cmd.exe C:\Windows\igsmiwskbphouxqfkt.exe
PID 4736 wrote to memory of 5036 N/A C:\Windows\system32\cmd.exe C:\Windows\igsmiwskbphouxqfkt.exe
PID 5076 wrote to memory of 5020 N/A C:\Windows\system32\cmd.exe C:\Windows\vwlihyxsmdyirxtltfjkz.exe
PID 5076 wrote to memory of 5020 N/A C:\Windows\system32\cmd.exe C:\Windows\vwlihyxsmdyirxtltfjkz.exe
PID 5076 wrote to memory of 5020 N/A C:\Windows\system32\cmd.exe C:\Windows\vwlihyxsmdyirxtltfjkz.exe
PID 5020 wrote to memory of 3480 N/A C:\Windows\vwlihyxsmdyirxtltfjkz.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
PID 5020 wrote to memory of 3480 N/A C:\Windows\vwlihyxsmdyirxtltfjkz.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
PID 5020 wrote to memory of 3480 N/A C:\Windows\vwlihyxsmdyirxtltfjkz.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
PID 3236 wrote to memory of 6012 N/A C:\Windows\system32\cmd.exe C:\Windows\tsfaxmjcujckrvpflvx.exe
PID 3236 wrote to memory of 6012 N/A C:\Windows\system32\cmd.exe C:\Windows\tsfaxmjcujckrvpflvx.exe
PID 3236 wrote to memory of 6012 N/A C:\Windows\system32\cmd.exe C:\Windows\tsfaxmjcujckrvpflvx.exe
PID 3512 wrote to memory of 464 N/A C:\Windows\system32\cmd.exe C:\Windows\igsmiwskbphouxqfkt.exe
PID 3512 wrote to memory of 464 N/A C:\Windows\system32\cmd.exe C:\Windows\igsmiwskbphouxqfkt.exe
PID 3512 wrote to memory of 464 N/A C:\Windows\system32\cmd.exe C:\Windows\igsmiwskbphouxqfkt.exe
PID 464 wrote to memory of 4324 N/A C:\Windows\igsmiwskbphouxqfkt.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
PID 464 wrote to memory of 4324 N/A C:\Windows\igsmiwskbphouxqfkt.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
PID 464 wrote to memory of 4324 N/A C:\Windows\igsmiwskbphouxqfkt.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
PID 2364 wrote to memory of 4444 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe
PID 2364 wrote to memory of 4444 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe
PID 2364 wrote to memory of 4444 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe
PID 4784 wrote to memory of 2748 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe
PID 4784 wrote to memory of 2748 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe
PID 4784 wrote to memory of 2748 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe
PID 2748 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
PID 2748 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
PID 2748 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
PID 2000 wrote to memory of 5324 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe
PID 2000 wrote to memory of 5324 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe
PID 2000 wrote to memory of 5324 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe
PID 1368 wrote to memory of 5468 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe
PID 1368 wrote to memory of 5468 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe
PID 1368 wrote to memory of 5468 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe
PID 5468 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
PID 5468 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
PID 5468 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
PID 1048 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe C:\Users\Admin\AppData\Local\Temp\tghqbep.exe
PID 1048 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe C:\Users\Admin\AppData\Local\Temp\tghqbep.exe
PID 1048 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe C:\Users\Admin\AppData\Local\Temp\tghqbep.exe
PID 1048 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe C:\Users\Admin\AppData\Local\Temp\tghqbep.exe
PID 1048 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe C:\Users\Admin\AppData\Local\Temp\tghqbep.exe
PID 1048 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe C:\Users\Admin\AppData\Local\Temp\tghqbep.exe
PID 3864 wrote to memory of 2372 N/A C:\Windows\system32\cmd.exe C:\Windows\tsfaxmjcujckrvpflvx.exe
PID 3864 wrote to memory of 2372 N/A C:\Windows\system32\cmd.exe C:\Windows\tsfaxmjcujckrvpflvx.exe
PID 3864 wrote to memory of 2372 N/A C:\Windows\system32\cmd.exe C:\Windows\tsfaxmjcujckrvpflvx.exe
PID 3984 wrote to memory of 1680 N/A C:\Windows\system32\cmd.exe C:\Windows\gguqoecwpfziqvqhozcc.exe
PID 3984 wrote to memory of 1680 N/A C:\Windows\system32\cmd.exe C:\Windows\gguqoecwpfziqvqhozcc.exe
PID 3984 wrote to memory of 1680 N/A C:\Windows\system32\cmd.exe C:\Windows\gguqoecwpfziqvqhozcc.exe
PID 5992 wrote to memory of 2116 N/A C:\Windows\system32\cmd.exe C:\Windows\tsfaxmjcujckrvpflvx.exe
PID 5992 wrote to memory of 2116 N/A C:\Windows\system32\cmd.exe C:\Windows\tsfaxmjcujckrvpflvx.exe
PID 5992 wrote to memory of 2116 N/A C:\Windows\system32\cmd.exe C:\Windows\tsfaxmjcujckrvpflvx.exe
PID 6088 wrote to memory of 3408 N/A C:\Windows\system32\cmd.exe C:\Windows\gguqoecwpfziqvqhozcc.exe
PID 6088 wrote to memory of 3408 N/A C:\Windows\system32\cmd.exe C:\Windows\gguqoecwpfziqvqhozcc.exe
PID 6088 wrote to memory of 3408 N/A C:\Windows\system32\cmd.exe C:\Windows\gguqoecwpfziqvqhozcc.exe
PID 2116 wrote to memory of 3484 N/A C:\Windows\tsfaxmjcujckrvpflvx.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
PID 2116 wrote to memory of 3484 N/A C:\Windows\tsfaxmjcujckrvpflvx.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
PID 2116 wrote to memory of 3484 N/A C:\Windows\tsfaxmjcujckrvpflvx.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
PID 3408 wrote to memory of 4868 N/A C:\Windows\gguqoecwpfziqvqhozcc.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
PID 3408 wrote to memory of 4868 N/A C:\Windows\gguqoecwpfziqvqhozcc.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
PID 3408 wrote to memory of 4868 N/A C:\Windows\gguqoecwpfziqvqhozcc.exe C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
PID 4892 wrote to memory of 5828 N/A C:\Windows\system32\cmd.exe C:\Windows\vwlihyxsmdyirxtltfjkz.exe

System policy modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\tghqbep.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe"

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe*"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe

C:\Windows\igsmiwskbphouxqfkt.exe

igsmiwskbphouxqfkt.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vwlihyxsmdyirxtltfjkz.exe .

C:\Windows\vwlihyxsmdyirxtltfjkz.exe

vwlihyxsmdyirxtltfjkz.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\vwlihyxsmdyirxtltfjkz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe

C:\Windows\tsfaxmjcujckrvpflvx.exe

tsfaxmjcujckrvpflvx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe .

C:\Windows\igsmiwskbphouxqfkt.exe

igsmiwskbphouxqfkt.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\igsmiwskbphouxqfkt.exe*."

C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe .

C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe

C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\soyqkwqgvhxcghyl.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe .

C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe

C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\soyqkwqgvhxcghyl.exe*."

C:\Users\Admin\AppData\Local\Temp\tghqbep.exe

"C:\Users\Admin\AppData\Local\Temp\tghqbep.exe" "-c:\users\admin\appdata\local\temp\jaffacakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe"

C:\Users\Admin\AppData\Local\Temp\tghqbep.exe

"C:\Users\Admin\AppData\Local\Temp\tghqbep.exe" "-c:\users\admin\appdata\local\temp\jaffacakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe

C:\Windows\gguqoecwpfziqvqhozcc.exe

gguqoecwpfziqvqhozcc.exe

C:\Windows\tsfaxmjcujckrvpflvx.exe

tsfaxmjcujckrvpflvx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe .

C:\Windows\tsfaxmjcujckrvpflvx.exe

tsfaxmjcujckrvpflvx.exe .

C:\Windows\gguqoecwpfziqvqhozcc.exe

gguqoecwpfziqvqhozcc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zwhavidukxouzbthl.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vwlihyxsmdyirxtltfjkz.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\tsfaxmjcujckrvpflvx.exe*."

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\gguqoecwpfziqvqhozcc.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe .

C:\Windows\vwlihyxsmdyirxtltfjkz.exe

vwlihyxsmdyirxtltfjkz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe

C:\Windows\zwhavidukxouzbthl.exe

zwhavidukxouzbthl.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe

C:\Windows\gguqoecwpfziqvqhozcc.exe

gguqoecwpfziqvqhozcc.exe .

C:\Windows\gguqoecwpfziqvqhozcc.exe

gguqoecwpfziqvqhozcc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe

C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe

C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\gguqoecwpfziqvqhozcc.exe*."

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\gguqoecwpfziqvqhozcc.exe*."

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\tsfaxmjcujckrvpflvx.exe*."

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\tsfaxmjcujckrvpflvx.exe*."

C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe

C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe

C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe .

C:\Windows\gguqoecwpfziqvqhozcc.exe

gguqoecwpfziqvqhozcc.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\soyqkwqgvhxcghyl.exe*."

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\soyqkwqgvhxcghyl.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe .

C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Windows\gguqoecwpfziqvqhozcc.exe

gguqoecwpfziqvqhozcc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\gguqoecwpfziqvqhozcc.exe*."

C:\Windows\igsmiwskbphouxqfkt.exe

igsmiwskbphouxqfkt.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vwlihyxsmdyirxtltfjkz.exe .

C:\Windows\vwlihyxsmdyirxtltfjkz.exe

vwlihyxsmdyirxtltfjkz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe

C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe

C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\vwlihyxsmdyirxtltfjkz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe .

C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\zwhavidukxouzbthl.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .

C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe

C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\gguqoecwpfziqvqhozcc.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe

C:\Windows\gguqoecwpfziqvqhozcc.exe

gguqoecwpfziqvqhozcc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zwhavidukxouzbthl.exe .

C:\Windows\zwhavidukxouzbthl.exe

zwhavidukxouzbthl.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\zwhavidukxouzbthl.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c soyqkwqgvhxcghyl.exe

C:\Windows\soyqkwqgvhxcghyl.exe

soyqkwqgvhxcghyl.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vwlihyxsmdyirxtltfjkz.exe .

C:\Windows\vwlihyxsmdyirxtltfjkz.exe

vwlihyxsmdyirxtltfjkz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe

C:\Windows\gguqoecwpfziqvqhozcc.exe

gguqoecwpfziqvqhozcc.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\vwlihyxsmdyirxtltfjkz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe .

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Windows\tsfaxmjcujckrvpflvx.exe

tsfaxmjcujckrvpflvx.exe

C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe

C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe .

C:\Windows\gguqoecwpfziqvqhozcc.exe

gguqoecwpfziqvqhozcc.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\soyqkwqgvhxcghyl.exe*."

C:\Windows\gguqoecwpfziqvqhozcc.exe

gguqoecwpfziqvqhozcc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\gguqoecwpfziqvqhozcc.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c soyqkwqgvhxcghyl.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\gguqoecwpfziqvqhozcc.exe*."

C:\Windows\gguqoecwpfziqvqhozcc.exe

gguqoecwpfziqvqhozcc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vwlihyxsmdyirxtltfjkz.exe .

C:\Windows\soyqkwqgvhxcghyl.exe

soyqkwqgvhxcghyl.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe .

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe

C:\Windows\vwlihyxsmdyirxtltfjkz.exe

vwlihyxsmdyirxtltfjkz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .

C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe

C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\vwlihyxsmdyirxtltfjkz.exe*."

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .

C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe

C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe

C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe

C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\gguqoecwpfziqvqhozcc.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\tsfaxmjcujckrvpflvx.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\soyqkwqgvhxcghyl.exe*."

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .

C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\igsmiwskbphouxqfkt.exe*."

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\vwlihyxsmdyirxtltfjkz.exe*."

C:\Windows\igsmiwskbphouxqfkt.exe

igsmiwskbphouxqfkt.exe

C:\Windows\igsmiwskbphouxqfkt.exe

igsmiwskbphouxqfkt.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe .

C:\Windows\tsfaxmjcujckrvpflvx.exe

tsfaxmjcujckrvpflvx.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\igsmiwskbphouxqfkt.exe*."

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\tsfaxmjcujckrvpflvx.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zwhavidukxouzbthl.exe

C:\Windows\zwhavidukxouzbthl.exe

zwhavidukxouzbthl.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe .

C:\Windows\igsmiwskbphouxqfkt.exe

igsmiwskbphouxqfkt.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\igsmiwskbphouxqfkt.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe .

C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\vwlihyxsmdyirxtltfjkz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe .

C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\zwhavidukxouzbthl.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vwlihyxsmdyirxtltfjkz.exe

C:\Windows\vwlihyxsmdyirxtltfjkz.exe

vwlihyxsmdyirxtltfjkz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c soyqkwqgvhxcghyl.exe .

C:\Windows\soyqkwqgvhxcghyl.exe

soyqkwqgvhxcghyl.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vwlihyxsmdyirxtltfjkz.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\soyqkwqgvhxcghyl.exe*."

C:\Windows\vwlihyxsmdyirxtltfjkz.exe

vwlihyxsmdyirxtltfjkz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe .

C:\Windows\gguqoecwpfziqvqhozcc.exe

gguqoecwpfziqvqhozcc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\gguqoecwpfziqvqhozcc.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe .

C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\zwhavidukxouzbthl.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\igsmiwskbphouxqfkt.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe

C:\Windows\gguqoecwpfziqvqhozcc.exe

gguqoecwpfziqvqhozcc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zwhavidukxouzbthl.exe .

C:\Windows\zwhavidukxouzbthl.exe

zwhavidukxouzbthl.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\zwhavidukxouzbthl.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe

C:\Windows\igsmiwskbphouxqfkt.exe

igsmiwskbphouxqfkt.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe .

C:\Windows\igsmiwskbphouxqfkt.exe

igsmiwskbphouxqfkt.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\igsmiwskbphouxqfkt.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe .

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe

C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe

C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\soyqkwqgvhxcghyl.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe .

C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\zwhavidukxouzbthl.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zwhavidukxouzbthl.exe

C:\Windows\zwhavidukxouzbthl.exe

zwhavidukxouzbthl.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c soyqkwqgvhxcghyl.exe .

C:\Windows\soyqkwqgvhxcghyl.exe

soyqkwqgvhxcghyl.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\soyqkwqgvhxcghyl.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\gguqoecwpfziqvqhozcc.exe

gguqoecwpfziqvqhozcc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe .

C:\Windows\tsfaxmjcujckrvpflvx.exe

tsfaxmjcujckrvpflvx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\tsfaxmjcujckrvpflvx.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe .

C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe

C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\soyqkwqgvhxcghyl.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe

C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe

C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\vwlihyxsmdyirxtltfjkz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vwlihyxsmdyirxtltfjkz.exe

C:\Windows\vwlihyxsmdyirxtltfjkz.exe

vwlihyxsmdyirxtltfjkz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c soyqkwqgvhxcghyl.exe .

C:\Windows\soyqkwqgvhxcghyl.exe

soyqkwqgvhxcghyl.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\soyqkwqgvhxcghyl.exe*."

C:\Windows\gguqoecwpfziqvqhozcc.exe

gguqoecwpfziqvqhozcc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c soyqkwqgvhxcghyl.exe .

C:\Windows\soyqkwqgvhxcghyl.exe

soyqkwqgvhxcghyl.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\soyqkwqgvhxcghyl.exe*."

C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe .

C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\zwhavidukxouzbthl.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe .

C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\vwlihyxsmdyirxtltfjkz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe

C:\Windows\gguqoecwpfziqvqhozcc.exe

gguqoecwpfziqvqhozcc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe .

C:\Windows\gguqoecwpfziqvqhozcc.exe

gguqoecwpfziqvqhozcc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vwlihyxsmdyirxtltfjkz.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\gguqoecwpfziqvqhozcc.exe*."

C:\Windows\vwlihyxsmdyirxtltfjkz.exe

vwlihyxsmdyirxtltfjkz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c soyqkwqgvhxcghyl.exe .

C:\Windows\soyqkwqgvhxcghyl.exe

soyqkwqgvhxcghyl.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\soyqkwqgvhxcghyl.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe .

C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe

C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\soyqkwqgvhxcghyl.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe .

C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\vwlihyxsmdyirxtltfjkz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\gguqoecwpfziqvqhozcc.exe

gguqoecwpfziqvqhozcc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vwlihyxsmdyirxtltfjkz.exe .

C:\Windows\vwlihyxsmdyirxtltfjkz.exe

vwlihyxsmdyirxtltfjkz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\vwlihyxsmdyirxtltfjkz.exe*."

C:\Windows\igsmiwskbphouxqfkt.exe

igsmiwskbphouxqfkt.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zwhavidukxouzbthl.exe .

C:\Windows\zwhavidukxouzbthl.exe

zwhavidukxouzbthl.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\gguqoecwpfziqvqhozcc.exe

gguqoecwpfziqvqhozcc.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\zwhavidukxouzbthl.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c soyqkwqgvhxcghyl.exe

C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .

C:\Windows\soyqkwqgvhxcghyl.exe

soyqkwqgvhxcghyl.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\igsmiwskbphouxqfkt.exe*."

C:\Windows\igsmiwskbphouxqfkt.exe

igsmiwskbphouxqfkt.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c soyqkwqgvhxcghyl.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\igsmiwskbphouxqfkt.exe*."

C:\Windows\soyqkwqgvhxcghyl.exe

soyqkwqgvhxcghyl.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c soyqkwqgvhxcghyl.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\soyqkwqgvhxcghyl.exe*."

C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe

C:\Windows\soyqkwqgvhxcghyl.exe

soyqkwqgvhxcghyl.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe .

C:\Windows\igsmiwskbphouxqfkt.exe

igsmiwskbphouxqfkt.exe .

C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Windows\tsfaxmjcujckrvpflvx.exe

tsfaxmjcujckrvpflvx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\zwhavidukxouzbthl.exe*."

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\igsmiwskbphouxqfkt.exe*."

C:\Windows\tsfaxmjcujckrvpflvx.exe

tsfaxmjcujckrvpflvx.exe .

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\tsfaxmjcujckrvpflvx.exe*."

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\igsmiwskbphouxqfkt.exe*."

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe

C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe

C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\tsfaxmjcujckrvpflvx.exe*."

C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe

C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe .

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .

C:\Windows\gguqoecwpfziqvqhozcc.exe

gguqoecwpfziqvqhozcc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vwlihyxsmdyirxtltfjkz.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\igsmiwskbphouxqfkt.exe*."

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\soyqkwqgvhxcghyl.exe*."

C:\Windows\vwlihyxsmdyirxtltfjkz.exe

vwlihyxsmdyirxtltfjkz.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\vwlihyxsmdyirxtltfjkz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe

C:\Windows\gguqoecwpfziqvqhozcc.exe

gguqoecwpfziqvqhozcc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zwhavidukxouzbthl.exe .

C:\Windows\zwhavidukxouzbthl.exe

zwhavidukxouzbthl.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\zwhavidukxouzbthl.exe*."

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe .

C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe

C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\soyqkwqgvhxcghyl.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\igsmiwskbphouxqfkt.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe

C:\Windows\tsfaxmjcujckrvpflvx.exe

tsfaxmjcujckrvpflvx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe .

C:\Windows\gguqoecwpfziqvqhozcc.exe

gguqoecwpfziqvqhozcc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\gguqoecwpfziqvqhozcc.exe*."

C:\Windows\tsfaxmjcujckrvpflvx.exe

tsfaxmjcujckrvpflvx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe .

C:\Windows\igsmiwskbphouxqfkt.exe

igsmiwskbphouxqfkt.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\igsmiwskbphouxqfkt.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\tsfaxmjcujckrvpflvx.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\tsfaxmjcujckrvpflvx.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe

C:\Windows\igsmiwskbphouxqfkt.exe

igsmiwskbphouxqfkt.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zwhavidukxouzbthl.exe .

C:\Windows\zwhavidukxouzbthl.exe

zwhavidukxouzbthl.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\zwhavidukxouzbthl.exe*."

C:\Windows\tsfaxmjcujckrvpflvx.exe

tsfaxmjcujckrvpflvx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe .

C:\Windows\tsfaxmjcujckrvpflvx.exe

tsfaxmjcujckrvpflvx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\tsfaxmjcujckrvpflvx.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe .

C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\vwlihyxsmdyirxtltfjkz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .

C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe

C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\gguqoecwpfziqvqhozcc.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe

C:\Windows\tsfaxmjcujckrvpflvx.exe

tsfaxmjcujckrvpflvx.exe

C:\Windows\tsfaxmjcujckrvpflvx.exe

tsfaxmjcujckrvpflvx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zwhavidukxouzbthl.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\zwhavidukxouzbthl.exe

zwhavidukxouzbthl.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\zwhavidukxouzbthl.exe*."

C:\Windows\gguqoecwpfziqvqhozcc.exe

gguqoecwpfziqvqhozcc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vwlihyxsmdyirxtltfjkz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zwhavidukxouzbthl.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\gguqoecwpfziqvqhozcc.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .

C:\Windows\tsfaxmjcujckrvpflvx.exe

tsfaxmjcujckrvpflvx.exe

C:\Windows\vwlihyxsmdyirxtltfjkz.exe

vwlihyxsmdyirxtltfjkz.exe .

C:\Windows\igsmiwskbphouxqfkt.exe

igsmiwskbphouxqfkt.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe

C:\Windows\zwhavidukxouzbthl.exe

zwhavidukxouzbthl.exe .

C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe

C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe

C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe

C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .

C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\vwlihyxsmdyirxtltfjkz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c soyqkwqgvhxcghyl.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\zwhavidukxouzbthl.exe*."

C:\Windows\gguqoecwpfziqvqhozcc.exe

gguqoecwpfziqvqhozcc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\gguqoecwpfziqvqhozcc.exe*."

C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\igsmiwskbphouxqfkt.exe*."

C:\Windows\soyqkwqgvhxcghyl.exe

soyqkwqgvhxcghyl.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zwhavidukxouzbthl.exe .

C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe

C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .

C:\Windows\gguqoecwpfziqvqhozcc.exe

gguqoecwpfziqvqhozcc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\soyqkwqgvhxcghyl.exe*."

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe

C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe .

C:\Windows\zwhavidukxouzbthl.exe

zwhavidukxouzbthl.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\tsfaxmjcujckrvpflvx.exe*."

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\soyqkwqgvhxcghyl.exe*."

C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\zwhavidukxouzbthl.exe*."

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\vwlihyxsmdyirxtltfjkz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\tsfaxmjcujckrvpflvx.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c soyqkwqgvhxcghyl.exe

C:\Windows\soyqkwqgvhxcghyl.exe

soyqkwqgvhxcghyl.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zwhavidukxouzbthl.exe .

C:\Windows\zwhavidukxouzbthl.exe

zwhavidukxouzbthl.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\zwhavidukxouzbthl.exe*."

C:\Windows\tsfaxmjcujckrvpflvx.exe

tsfaxmjcujckrvpflvx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vwlihyxsmdyirxtltfjkz.exe .

C:\Windows\vwlihyxsmdyirxtltfjkz.exe

vwlihyxsmdyirxtltfjkz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\vwlihyxsmdyirxtltfjkz.exe*."

C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe

C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\gguqoecwpfziqvqhozcc.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe

C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe

C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .

C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe

C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\gguqoecwpfziqvqhozcc.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vwlihyxsmdyirxtltfjkz.exe

C:\Windows\vwlihyxsmdyirxtltfjkz.exe

vwlihyxsmdyirxtltfjkz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe .

C:\Windows\igsmiwskbphouxqfkt.exe

igsmiwskbphouxqfkt.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\igsmiwskbphouxqfkt.exe*."

C:\Windows\tsfaxmjcujckrvpflvx.exe

tsfaxmjcujckrvpflvx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe .

C:\Windows\tsfaxmjcujckrvpflvx.exe

tsfaxmjcujckrvpflvx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\tsfaxmjcujckrvpflvx.exe*."

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\vwlihyxsmdyirxtltfjkz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .

C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe

C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\gguqoecwpfziqvqhozcc.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zwhavidukxouzbthl.exe

C:\Windows\zwhavidukxouzbthl.exe

zwhavidukxouzbthl.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zwhavidukxouzbthl.exe .

C:\Windows\zwhavidukxouzbthl.exe

zwhavidukxouzbthl.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\zwhavidukxouzbthl.exe*."

C:\Windows\igsmiwskbphouxqfkt.exe

igsmiwskbphouxqfkt.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zwhavidukxouzbthl.exe .

C:\Windows\zwhavidukxouzbthl.exe

zwhavidukxouzbthl.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\zwhavidukxouzbthl.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .

C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\igsmiwskbphouxqfkt.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe .

C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\vwlihyxsmdyirxtltfjkz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c soyqkwqgvhxcghyl.exe

C:\Windows\soyqkwqgvhxcghyl.exe

soyqkwqgvhxcghyl.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe .

C:\Windows\igsmiwskbphouxqfkt.exe

igsmiwskbphouxqfkt.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\igsmiwskbphouxqfkt.exe*."

C:\Windows\igsmiwskbphouxqfkt.exe

igsmiwskbphouxqfkt.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe .

C:\Windows\tsfaxmjcujckrvpflvx.exe

tsfaxmjcujckrvpflvx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe

C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe

C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\tsfaxmjcujckrvpflvx.exe*."

C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\zwhavidukxouzbthl.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\tsfaxmjcujckrvpflvx.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c soyqkwqgvhxcghyl.exe

C:\Windows\soyqkwqgvhxcghyl.exe

soyqkwqgvhxcghyl.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe .

C:\Windows\tsfaxmjcujckrvpflvx.exe

tsfaxmjcujckrvpflvx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\tsfaxmjcujckrvpflvx.exe*."

C:\Windows\igsmiwskbphouxqfkt.exe

igsmiwskbphouxqfkt.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe .

C:\Windows\tsfaxmjcujckrvpflvx.exe

tsfaxmjcujckrvpflvx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\tsfaxmjcujckrvpflvx.exe*."

C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe

C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\gguqoecwpfziqvqhozcc.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe

C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe

C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .

C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe

C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\gguqoecwpfziqvqhozcc.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\gguqoecwpfziqvqhozcc.exe

gguqoecwpfziqvqhozcc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe .

C:\Windows\igsmiwskbphouxqfkt.exe

igsmiwskbphouxqfkt.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\igsmiwskbphouxqfkt.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vwlihyxsmdyirxtltfjkz.exe

C:\Windows\vwlihyxsmdyirxtltfjkz.exe

vwlihyxsmdyirxtltfjkz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c soyqkwqgvhxcghyl.exe .

C:\Windows\soyqkwqgvhxcghyl.exe

soyqkwqgvhxcghyl.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\soyqkwqgvhxcghyl.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe .

C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\vwlihyxsmdyirxtltfjkz.exe*."

C:\Windows\igsmiwskbphouxqfkt.exe

igsmiwskbphouxqfkt.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe

C:\Windows\igsmiwskbphouxqfkt.exe

igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe

C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c soyqkwqgvhxcghyl.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vwlihyxsmdyirxtltfjkz.exe

C:\Windows\tsfaxmjcujckrvpflvx.exe

tsfaxmjcujckrvpflvx.exe .

C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe

C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .

C:\Windows\soyqkwqgvhxcghyl.exe

soyqkwqgvhxcghyl.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vwlihyxsmdyirxtltfjkz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\vwlihyxsmdyirxtltfjkz.exe

vwlihyxsmdyirxtltfjkz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\soyqkwqgvhxcghyl.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\gguqoecwpfziqvqhozcc.exe*."

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\tsfaxmjcujckrvpflvx.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\vwlihyxsmdyirxtltfjkz.exe

vwlihyxsmdyirxtltfjkz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .

C:\Windows\tsfaxmjcujckrvpflvx.exe

tsfaxmjcujckrvpflvx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vwlihyxsmdyirxtltfjkz.exe

C:\Windows\tsfaxmjcujckrvpflvx.exe

tsfaxmjcujckrvpflvx.exe .

C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe

C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\vwlihyxsmdyirxtltfjkz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe .

C:\Windows\vwlihyxsmdyirxtltfjkz.exe

vwlihyxsmdyirxtltfjkz.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\tsfaxmjcujckrvpflvx.exe*."

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Windows\tsfaxmjcujckrvpflvx.exe

tsfaxmjcujckrvpflvx.exe .

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\tsfaxmjcujckrvpflvx.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe .

C:\Windows\gguqoecwpfziqvqhozcc.exe

gguqoecwpfziqvqhozcc.exe

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .

C:\Windows\igsmiwskbphouxqfkt.exe

igsmiwskbphouxqfkt.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\igsmiwskbphouxqfkt.exe*."

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\tsfaxmjcujckrvpflvx.exe*."

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\igsmiwskbphouxqfkt.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\tsfaxmjcujckrvpflvx.exe*."

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .

C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe .

C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\tsfaxmjcujckrvpflvx.exe*."

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\zwhavidukxouzbthl.exe*."

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\tsfaxmjcujckrvpflvx.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\igsmiwskbphouxqfkt.exe

igsmiwskbphouxqfkt.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zwhavidukxouzbthl.exe .

C:\Windows\zwhavidukxouzbthl.exe

zwhavidukxouzbthl.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\zwhavidukxouzbthl.exe*."

C:\Windows\igsmiwskbphouxqfkt.exe

igsmiwskbphouxqfkt.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\tsfaxmjcujckrvpflvx.exe

tsfaxmjcujckrvpflvx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\tsfaxmjcujckrvpflvx.exe*."

C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe

C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe .

C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe

C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\soyqkwqgvhxcghyl.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\tsfaxmjcujckrvpflvx.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zwhavidukxouzbthl.exe

C:\Windows\zwhavidukxouzbthl.exe

zwhavidukxouzbthl.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c soyqkwqgvhxcghyl.exe .

C:\Windows\soyqkwqgvhxcghyl.exe

soyqkwqgvhxcghyl.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\soyqkwqgvhxcghyl.exe*."

C:\Windows\gguqoecwpfziqvqhozcc.exe

gguqoecwpfziqvqhozcc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe

C:\Windows\igsmiwskbphouxqfkt.exe

igsmiwskbphouxqfkt.exe .

C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe

C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\igsmiwskbphouxqfkt.exe*."

C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe

C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\soyqkwqgvhxcghyl.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe .

C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe

C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\soyqkwqgvhxcghyl.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe

C:\Windows\gguqoecwpfziqvqhozcc.exe

gguqoecwpfziqvqhozcc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vwlihyxsmdyirxtltfjkz.exe .

C:\Windows\vwlihyxsmdyirxtltfjkz.exe

vwlihyxsmdyirxtltfjkz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\vwlihyxsmdyirxtltfjkz.exe*."

C:\Windows\igsmiwskbphouxqfkt.exe

igsmiwskbphouxqfkt.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vwlihyxsmdyirxtltfjkz.exe .

C:\Windows\vwlihyxsmdyirxtltfjkz.exe

vwlihyxsmdyirxtltfjkz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\vwlihyxsmdyirxtltfjkz.exe*."

C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe

C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\soyqkwqgvhxcghyl.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe

C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe

C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\igsmiwskbphouxqfkt.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zwhavidukxouzbthl.exe

C:\Windows\zwhavidukxouzbthl.exe

zwhavidukxouzbthl.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe .

C:\Windows\igsmiwskbphouxqfkt.exe

igsmiwskbphouxqfkt.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\igsmiwskbphouxqfkt.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zwhavidukxouzbthl.exe

C:\Windows\zwhavidukxouzbthl.exe

zwhavidukxouzbthl.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe .

C:\Windows\gguqoecwpfziqvqhozcc.exe

gguqoecwpfziqvqhozcc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\gguqoecwpfziqvqhozcc.exe*."

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\igsmiwskbphouxqfkt.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe

C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\igsmiwskbphouxqfkt.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe

C:\Windows\igsmiwskbphouxqfkt.exe

igsmiwskbphouxqfkt.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe .

C:\Windows\gguqoecwpfziqvqhozcc.exe

gguqoecwpfziqvqhozcc.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\gguqoecwpfziqvqhozcc.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vwlihyxsmdyirxtltfjkz.exe

C:\Windows\vwlihyxsmdyirxtltfjkz.exe

vwlihyxsmdyirxtltfjkz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vwlihyxsmdyirxtltfjkz.exe .

C:\Windows\vwlihyxsmdyirxtltfjkz.exe

vwlihyxsmdyirxtltfjkz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\vwlihyxsmdyirxtltfjkz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\igsmiwskbphouxqfkt.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\tsfaxmjcujckrvpflvx.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zwhavidukxouzbthl.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vwlihyxsmdyirxtltfjkz.exe

C:\Windows\zwhavidukxouzbthl.exe

zwhavidukxouzbthl.exe

C:\Windows\vwlihyxsmdyirxtltfjkz.exe

vwlihyxsmdyirxtltfjkz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vwlihyxsmdyirxtltfjkz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c soyqkwqgvhxcghyl.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\soyqkwqgvhxcghyl.exe

soyqkwqgvhxcghyl.exe .

C:\Windows\vwlihyxsmdyirxtltfjkz.exe

vwlihyxsmdyirxtltfjkz.exe .

C:\Windows\igsmiwskbphouxqfkt.exe

igsmiwskbphouxqfkt.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c soyqkwqgvhxcghyl.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zwhavidukxouzbthl.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\vwlihyxsmdyirxtltfjkz.exe*."

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\soyqkwqgvhxcghyl.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe .

C:\Windows\zwhavidukxouzbthl.exe

zwhavidukxouzbthl.exe

C:\Windows\soyqkwqgvhxcghyl.exe

soyqkwqgvhxcghyl.exe .

C:\Windows\gguqoecwpfziqvqhozcc.exe

gguqoecwpfziqvqhozcc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe

C:\Windows\gguqoecwpfziqvqhozcc.exe

gguqoecwpfziqvqhozcc.exe .

C:\Windows\gguqoecwpfziqvqhozcc.exe

gguqoecwpfziqvqhozcc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\soyqkwqgvhxcghyl.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\gguqoecwpfziqvqhozcc.exe*."

C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe

C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\gguqoecwpfziqvqhozcc.exe*."

C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe

C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\tsfaxmjcujckrvpflvx.exe

tsfaxmjcujckrvpflvx.exe .

C:\Windows\gguqoecwpfziqvqhozcc.exe

gguqoecwpfziqvqhozcc.exe

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe

C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe

C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe .

C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\tsfaxmjcujckrvpflvx.exe*."

C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe

C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\tsfaxmjcujckrvpflvx.exe*."

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\tsfaxmjcujckrvpflvx.exe*."

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\soyqkwqgvhxcghyl.exe*."

C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe

C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe

C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\gguqoecwpfziqvqhozcc.exe*."

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\igsmiwskbphouxqfkt.exe*."

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\vwlihyxsmdyirxtltfjkz.exe*."

C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\gguqoecwpfziqvqhozcc.exe

gguqoecwpfziqvqhozcc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c soyqkwqgvhxcghyl.exe .

C:\Windows\soyqkwqgvhxcghyl.exe

soyqkwqgvhxcghyl.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\soyqkwqgvhxcghyl.exe*."

C:\Windows\tsfaxmjcujckrvpflvx.exe

tsfaxmjcujckrvpflvx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe .

C:\Windows\tsfaxmjcujckrvpflvx.exe

tsfaxmjcujckrvpflvx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe

C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe

C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\tsfaxmjcujckrvpflvx.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\igsmiwskbphouxqfkt.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe

C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe

C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe .

C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\zwhavidukxouzbthl.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zwhavidukxouzbthl.exe

C:\Windows\zwhavidukxouzbthl.exe

zwhavidukxouzbthl.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe .

C:\Windows\tsfaxmjcujckrvpflvx.exe

tsfaxmjcujckrvpflvx.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\tsfaxmjcujckrvpflvx.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe

C:\Windows\igsmiwskbphouxqfkt.exe

igsmiwskbphouxqfkt.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe .

C:\Windows\igsmiwskbphouxqfkt.exe

igsmiwskbphouxqfkt.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\igsmiwskbphouxqfkt.exe*."

C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe

C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .

C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe

C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\gguqoecwpfziqvqhozcc.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\igsmiwskbphouxqfkt.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vwlihyxsmdyirxtltfjkz.exe

C:\Windows\vwlihyxsmdyirxtltfjkz.exe

vwlihyxsmdyirxtltfjkz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe .

C:\Windows\igsmiwskbphouxqfkt.exe

igsmiwskbphouxqfkt.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\igsmiwskbphouxqfkt.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c soyqkwqgvhxcghyl.exe

C:\Windows\soyqkwqgvhxcghyl.exe

soyqkwqgvhxcghyl.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vwlihyxsmdyirxtltfjkz.exe .

C:\Windows\vwlihyxsmdyirxtltfjkz.exe

vwlihyxsmdyirxtltfjkz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\vwlihyxsmdyirxtltfjkz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\tsfaxmjcujckrvpflvx.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe .

C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\zwhavidukxouzbthl.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe

C:\Windows\tsfaxmjcujckrvpflvx.exe

tsfaxmjcujckrvpflvx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe

C:\Windows\igsmiwskbphouxqfkt.exe

igsmiwskbphouxqfkt.exe .

C:\Windows\igsmiwskbphouxqfkt.exe

igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\igsmiwskbphouxqfkt.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe .

C:\Windows\tsfaxmjcujckrvpflvx.exe

tsfaxmjcujckrvpflvx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe

C:\Windows\gguqoecwpfziqvqhozcc.exe

gguqoecwpfziqvqhozcc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe

C:\Windows\igsmiwskbphouxqfkt.exe

igsmiwskbphouxqfkt.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c soyqkwqgvhxcghyl.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\gguqoecwpfziqvqhozcc.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\igsmiwskbphouxqfkt.exe*."

C:\Windows\soyqkwqgvhxcghyl.exe

soyqkwqgvhxcghyl.exe .

C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe

C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe .

C:\Windows\tsfaxmjcujckrvpflvx.exe

tsfaxmjcujckrvpflvx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .

C:\Windows\igsmiwskbphouxqfkt.exe

igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\soyqkwqgvhxcghyl.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Windows\igsmiwskbphouxqfkt.exe

igsmiwskbphouxqfkt.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\gguqoecwpfziqvqhozcc.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\zwhavidukxouzbthl.exe*."

C:\Windows\tsfaxmjcujckrvpflvx.exe

tsfaxmjcujckrvpflvx.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\igsmiwskbphouxqfkt.exe*."

C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe .

C:\Windows\gguqoecwpfziqvqhozcc.exe

gguqoecwpfziqvqhozcc.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\igsmiwskbphouxqfkt.exe*."

C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .

C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\igsmiwskbphouxqfkt.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\gguqoecwpfziqvqhozcc.exe*."

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\vwlihyxsmdyirxtltfjkz.exe*."

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\tsfaxmjcujckrvpflvx.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zwhavidukxouzbthl.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\zwhavidukxouzbthl.exe

zwhavidukxouzbthl.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe .

C:\Windows\gguqoecwpfziqvqhozcc.exe

gguqoecwpfziqvqhozcc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c soyqkwqgvhxcghyl.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\gguqoecwpfziqvqhozcc.exe*."

C:\Windows\soyqkwqgvhxcghyl.exe

soyqkwqgvhxcghyl.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe .

C:\Windows\tsfaxmjcujckrvpflvx.exe

tsfaxmjcujckrvpflvx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe

C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe

C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\tsfaxmjcujckrvpflvx.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .

C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe

C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\gguqoecwpfziqvqhozcc.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe

C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe

C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe

C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\zwhavidukxouzbthl.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe

C:\Windows\gguqoecwpfziqvqhozcc.exe

gguqoecwpfziqvqhozcc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\igsmiwskbphouxqfkt.exe

igsmiwskbphouxqfkt.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\igsmiwskbphouxqfkt.exe*."

C:\Windows\igsmiwskbphouxqfkt.exe

igsmiwskbphouxqfkt.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe .

C:\Windows\igsmiwskbphouxqfkt.exe

igsmiwskbphouxqfkt.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\igsmiwskbphouxqfkt.exe*."

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe

C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\gguqoecwpfziqvqhozcc.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\tsfaxmjcujckrvpflvx.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe

C:\Windows\igsmiwskbphouxqfkt.exe

igsmiwskbphouxqfkt.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe .

C:\Windows\gguqoecwpfziqvqhozcc.exe

gguqoecwpfziqvqhozcc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\gguqoecwpfziqvqhozcc.exe*."

C:\Windows\igsmiwskbphouxqfkt.exe

igsmiwskbphouxqfkt.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vwlihyxsmdyirxtltfjkz.exe .

C:\Windows\vwlihyxsmdyirxtltfjkz.exe

vwlihyxsmdyirxtltfjkz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\vwlihyxsmdyirxtltfjkz.exe*."

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe

C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\tsfaxmjcujckrvpflvx.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe

C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\igsmiwskbphouxqfkt.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zwhavidukxouzbthl.exe

C:\Windows\zwhavidukxouzbthl.exe

zwhavidukxouzbthl.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe .

C:\Windows\igsmiwskbphouxqfkt.exe

igsmiwskbphouxqfkt.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c soyqkwqgvhxcghyl.exe

C:\Windows\soyqkwqgvhxcghyl.exe

soyqkwqgvhxcghyl.exe

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\igsmiwskbphouxqfkt.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zwhavidukxouzbthl.exe

C:\Windows\zwhavidukxouzbthl.exe

zwhavidukxouzbthl.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vwlihyxsmdyirxtltfjkz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe .

C:\Windows\vwlihyxsmdyirxtltfjkz.exe

vwlihyxsmdyirxtltfjkz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe

C:\Windows\tsfaxmjcujckrvpflvx.exe

tsfaxmjcujckrvpflvx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe .

Network

Country Destination Domain Proto
US 8.8.8.8:53 whatismyip.everdot.org udp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 172.67.155.175:80 www.showmyipaddress.com tcp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 172.67.155.175:80 www.showmyipaddress.com tcp
US 172.67.155.175:80 www.showmyipaddress.com tcp
US 172.67.155.175:80 www.showmyipaddress.com tcp
US 172.66.43.169:80 www.whatismyip.com tcp
US 172.67.155.175:80 www.showmyipaddress.com tcp
US 172.66.43.169:80 www.whatismyip.com tcp
US 172.66.43.169:80 www.whatismyip.com tcp
US 172.67.155.175:80 www.showmyipaddress.com tcp
US 172.66.43.169:80 www.whatismyip.com tcp
US 172.66.43.169:80 www.whatismyip.com tcp
US 172.66.43.169:80 www.whatismyip.com tcp
NL 172.217.218.93:80 www.youtube.com tcp
BG 89.215.67.123:31824 tcp
DE 85.214.228.140:80 gyuuym.org tcp
BG 90.154.234.72:42635 tcp
US 104.156.155.94:80 cydlrge.info tcp
US 8.8.8.8:53 bdxfkh.net udp
LT 78.61.21.121:28588 tcp
US 8.8.8.8:53 nmagxex.net udp
US 8.8.8.8:53 rzdphwz.info udp
US 8.8.8.8:53 eznabol.net udp
BG 85.217.202.45:19536 tcp
US 8.8.8.8:53 xptqveoglb.info udp
US 8.8.8.8:53 cnmkhmdz.net udp
LT 78.61.86.178:31894 tcp
US 8.8.8.8:53 dmqxfsz.info udp
US 8.8.8.8:53 dwfkeogzvhjn.info udp
US 8.8.8.8:53 emdlvlnet.info udp
US 8.8.8.8:53 tcvuvhjwh.info udp
ES 85.239.135.215:38560 tcp
US 8.8.8.8:53 ecbwysbz.info udp
US 8.8.8.8:53 zjhakx.net udp
US 89.117.78.161:16699 tcp
US 8.8.8.8:53 atkzfclhbift.info udp
US 8.8.8.8:53 nyhjezkiqo.net udp
US 8.8.8.8:53 bpzorpfuhtf.org udp
US 8.8.8.8:53 bkngmvgi.net udp
US 8.8.8.8:53 otryhsc.info udp
US 8.8.8.8:53 wfrcgjcwbdfg.net udp
US 8.8.8.8:53 fjusznt.com udp
US 8.8.8.8:53 qcwgwugsqi.org udp
US 8.8.8.8:53 kivwnwrfr.net udp
BG 93.183.174.83:26304 tcp
US 8.8.8.8:53 vtzezfjcpn.net udp
US 8.8.8.8:53 gyfkhqrdjql.net udp
GB 89.117.44.201:17518 tcp
US 8.8.8.8:53 tetvqitez.info udp
US 8.8.8.8:53 pznarkfmr.org udp
BG 93.123.120.12:28404 tcp
US 89.116.63.37:42204 tcp
US 8.8.8.8:53 maewqgqcqugm.com udp
US 8.8.8.8:53 kkooiksgfvz.info udp
BG 87.119.104.127:29091 tcp
US 8.8.8.8:53 iezzcskzjbde.net udp
US 8.8.8.8:53 wsslhctxrzh.net udp
US 8.8.8.8:53 izgljqnscuho.info udp
US 8.8.8.8:53 sgescokcmo.org udp
BG 78.90.45.235:33805 tcp
US 8.8.8.8:53 hixxsmxhv.net udp
US 8.8.8.8:53 hahxsttxpc.info udp
US 8.8.8.8:53 yfrzxvhvwojo.net udp
US 8.8.8.8:53 ciagiakywm.org udp
BG 87.254.161.251:45456 tcp
US 8.8.8.8:53 wwobhagm.net udp
US 89.116.63.37:42204 tcp
US 8.8.8.8:53 jbuvibpu.net udp
US 8.8.8.8:53 riggkatwk.info udp
US 8.8.8.8:53 hpxtzoxnrdqn.net udp
US 8.8.8.8:53 wqsqgu.org udp
US 8.8.8.8:53 ritlgwj.info udp
US 8.8.8.8:53 ekqaao.com udp
US 8.8.8.8:53 bifqmtxo.info udp
US 8.8.8.8:53 zmtwgmdm.info udp
US 8.8.8.8:53 rkjyfrxybqd.net udp
US 8.8.8.8:53 iuiwyqmeuc.com udp
US 8.8.8.8:53 vszcbexujew.com udp
US 8.8.8.8:53 khepozdfmhxg.net udp
US 8.8.8.8:53 bujcfix.com udp
US 8.8.8.8:53 wzjjowle.info udp
US 8.8.8.8:53 oektsf.info udp
US 8.8.8.8:53 zgmwokbtl.org udp
US 8.8.8.8:53 ldlrgk.info udp
US 8.8.8.8:53 bbjypjhimwt.com udp
US 8.8.8.8:53 radwbbbgrqj.net udp
US 8.8.8.8:53 owtumceqt.info udp
US 8.8.8.8:53 zqmxbmfokn.net udp
BG 109.121.205.21:45163 tcp
US 8.8.8.8:53 ndsizwsebym.info udp
US 8.8.8.8:53 kiswyo.org udp
US 8.8.8.8:53 ktjntvhm.net udp
US 8.8.8.8:53 zptttwxfn.net udp
US 8.8.8.8:53 glbibuf.net udp
US 8.8.8.8:53 yuayiqikmi.com udp
US 8.8.8.8:53 vmlkqafvnse.info udp
US 8.8.8.8:53 nxdecyvejdn.net udp
US 8.8.8.8:53 qlstpgkhcjbu.net udp
US 8.8.8.8:53 nzitfaav.info udp
US 8.8.8.8:53 saqwamcocqym.org udp
US 8.8.8.8:53 puxdmhrp.net udp
US 8.8.8.8:53 lktcrbw.com udp
US 8.8.8.8:53 ymlflqcr.info udp
US 8.8.8.8:53 kczcec.net udp
US 8.8.8.8:53 xlpbsxgos.org udp
US 8.8.8.8:53 hyjodgw.info udp
US 8.8.8.8:53 uqkosoyeecqy.org udp
US 8.8.8.8:53 zobkfubev.com udp
US 8.8.8.8:53 pbspki.info udp
US 8.8.8.8:53 eaictyqxc.info udp
US 8.8.8.8:53 xynivuf.info udp
US 8.8.8.8:53 fhhqur.info udp
US 8.8.8.8:53 yywswagqwm.org udp
US 8.8.8.8:53 vgqxvqngngx.info udp
US 8.8.8.8:53 gnusbw.net udp
US 8.8.8.8:53 cgzqtowog.info udp
US 8.8.8.8:53 ieooysmq.org udp
US 8.8.8.8:53 gtghfh.info udp
US 8.8.8.8:53 rhxcxga.org udp
US 8.8.8.8:53 culanyj.info udp
US 8.8.8.8:53 fevpfshvp.org udp
US 8.8.8.8:53 jaeyoux.info udp
US 8.8.8.8:53 mbdgpxjkghsq.info udp
US 8.8.8.8:53 qrgdwl.net udp
US 8.8.8.8:53 kcryxrris.info udp
US 8.8.8.8:53 wdfnrykkgd.net udp
US 8.8.8.8:53 ltyuvozd.info udp
US 8.8.8.8:53 pweetvxafcx.info udp
US 8.8.8.8:53 hxjblp.info udp
US 8.8.8.8:53 jafrwjovcmrn.info udp
US 8.8.8.8:53 npwaiifgfqlw.info udp
US 8.8.8.8:53 bavppixu.net udp
US 8.8.8.8:53 bozbdshql.info udp
US 8.8.8.8:53 bgtgxxn.info udp
US 8.8.8.8:53 ahgtpzynotau.info udp
US 8.8.8.8:53 eeeiusoc.com udp
US 8.8.8.8:53 ckwskymaem.org udp
US 8.8.8.8:53 vcmbhoxtxgpv.net udp
US 8.8.8.8:53 hvsffhbdwr.info udp
US 8.8.8.8:53 lxdcmum.org udp
US 8.8.8.8:53 qzdvod.info udp
US 8.8.8.8:53 zbqtpeerkb.net udp
US 8.8.8.8:53 fujspwj.net udp
US 8.8.8.8:53 qshpjwto.info udp
US 8.8.8.8:53 cdgjtwmv.info udp
US 8.8.8.8:53 pawuhgrucky.info udp
US 8.8.8.8:53 msaeugqyakco.org udp
US 8.8.8.8:53 dytxrd.net udp
US 8.8.8.8:53 twspwi.net udp
US 8.8.8.8:53 oseugvh.net udp
US 8.8.8.8:53 wndrdkrczckm.net udp
US 8.8.8.8:53 cxpupfpax.info udp
US 8.8.8.8:53 fzkrxmam.info udp
US 8.8.8.8:53 waqxkwjykid.info udp
US 8.8.8.8:53 bivfdh.info udp
US 8.8.8.8:53 wcmcgymwia.com udp
US 8.8.8.8:53 ptwakfh.info udp
US 8.8.8.8:53 yuyqamaicguk.org udp
US 8.8.8.8:53 bvrlxiawb.net udp
US 8.8.8.8:53 bujydax.net udp
US 8.8.8.8:53 hgerycix.net udp
US 8.8.8.8:53 lfrlruwayazs.info udp
US 8.8.8.8:53 goigwicsoemm.com udp
US 8.8.8.8:53 iudueul.net udp

Files

C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe

MD5 e417a08af652a452f7d11c105d31e115
SHA1 d14c6d2f80595d9e8ce0fcd95e9fde907ef2bb5f
SHA256 2b7ccee1ae4a47bcf3689fd64d3787a05bcf132a369274fea722a1f7c4ed1bcf
SHA512 0bf0135e476ced49d6bc6bee1b90f775af6a26c2b047bf808d4a8b2005151d86480f38922ecb3fe82832f6fa9feb7ad693a1af1e89a2518e5159e1e24bdf075d

C:\Windows\SysWOW64\igsmiwskbphouxqfkt.exe

MD5 bbd7b871140426c0f77e65b9c18dbcf1
SHA1 f107fdc5b346882994efb09ba63b85e696679e4d
SHA256 2e69cd89b60105229d7465e33802b3ff410aa6c470320732b23b88fa48572f9b
SHA512 c30ec761442c26b0f8c86eae2aebbd09c864a2587a27ca300b7c4669eb91efd88a2a05aae21020ae3c08ba690f472a551bc85b9d83967160758aaa3c9c6ff322

C:\Users\Admin\AppData\Local\Temp\tghqbep.exe

MD5 c8399f5e5f048cb6e38300019b14b00c
SHA1 77e57a0c2302525cbbf1be055778cff5f4f6e40f
SHA256 26b2dff7988792e884416bf89fe810d79ce1f4e39cb928d3360ba4a8f308aa0e
SHA512 c94d5d2ccf7dddff4a25a1d8d11f0d9f28e508997a87f520e8b3a4e77cfedd0bc154e670685e0bb33ab00a629b47afc8dac74ac69bbda84282e8deb72277d74a

C:\Users\Admin\AppData\Local\wcwycyccbxxmalmjwnwcwy.ycc

MD5 30b7a9069c1e515ff927cb9a2a4bb466
SHA1 af077b575d54549e5f1733779ac4ff5fc8731eab
SHA256 9e08cfca9cd51c1f49aff162b5a8f68a5763778025009e4ff68fe89afb1920aa
SHA512 bd101e821f20c8cc022a52b00de4f0a85f7f206ca5ee2fc2a1be67a7542b93a625d2f34f9015d8bab9992a023aa24e365a665f6361d43a5f9821ebcea3e13baa

C:\Users\Admin\AppData\Local\nejwlshscjuutpbjhjduzmbixiszkkjfr.xzt

MD5 028ef4278ee435cea688b89d2b90d8c8
SHA1 b988ef5124fc7875fd0d207d4f321c31780cd925
SHA256 134a8f46afe2e00dd5b5f28b4142d87afb8eedc765e15f0beced16fac8d98d9d
SHA512 a7d3d16e4cbda1cdcbe7eac1314324b2b086c80467c3e65bd7cd7e3e77a910b2b8bef427dffc906d093232ee0394bad69d6ead0509fdad78a692b49e1bd4634e

C:\Program Files (x86)\wcwycyccbxxmalmjwnwcwy.ycc

MD5 d2894cf8e0dd16faa08c5c431b2efbe3
SHA1 47b0b36488440e54ae7276255f933e70b8096d25
SHA256 2efaf56fc0ad3e14e02a4e57b3ca2b78e172bd15b50314098e81941fe9ee5067
SHA512 27088ad25d945ddd1cf6278fbe37639a9d966b5f3263adf70007c6cf9646a73e415c9ab1461212769855660e7cd4269d3844e096321becd93dce8e6ba239ee0d

C:\Program Files (x86)\wcwycyccbxxmalmjwnwcwy.ycc

MD5 0064b1e543614428260afcf09333a74c
SHA1 6038991e73532986e87b4f332f9e2dc36620986e
SHA256 93011c74311c020052de3001d678f35becf21477d7b6ab9d3db181542e7d9551
SHA512 5466adb2fc5b2905a17b1d5190302d0d1bfebd17bcafb09217f2fb176abe7911059b5ac919d30b67c159f7221cba13d1c78fcbbb91e1816829073d2bd0ace29a

C:\Program Files (x86)\wcwycyccbxxmalmjwnwcwy.ycc

MD5 fc0fcf09dcde29edf9b9096d7b306abf
SHA1 d29eb55d96d010e6936f55e1d228bb347960f545
SHA256 96014a65d61fc857a1e394f066a46ab941cbbcd20e8866e2cd01e9b579099c4a
SHA512 22cbc101d379c7948d0741a7784a19cd3e77c3500756ab6996fe5481135bf036de4196e1fabeddb7abf3f19506bf0837ca7d81d0a97b4e9e19452d570edacd8d

C:\Program Files (x86)\wcwycyccbxxmalmjwnwcwy.ycc

MD5 e34af927ee40e94a82ee17915a7295fa
SHA1 e3f50e55118e43cb2cc962e6bb21245998536c22
SHA256 ab23591d523f69555811ce8f8d08c0364b668901f0ab622073d5be86d8d19865
SHA512 2c4c674ff5020bb31f4487b1a9a89b8a4f169314f523da86147c69f1f955d679a23573aeb720839bb5cb4e37a36ef1d688f0742bf8d16ae76c91732f1628d6e8

C:\Program Files (x86)\wcwycyccbxxmalmjwnwcwy.ycc

MD5 43afc6d1a6a683709021fbafc77cd7f3
SHA1 3b4da58e3c9a7fcd87ac021b5ad14a3773dd5c4e
SHA256 d64603088955d9ea71d4f906b8951a24f3959637ad7b0be462ddf6a7de8daa30
SHA512 1b2492d0937f0ec5d4d00c471592ac19b3acd5aa61e29db22025e4efd11fd82010d18b3ff70730d13a294f43ee8c4462b818e0dadcd24f556c9e992afe298d78

C:\Program Files (x86)\wcwycyccbxxmalmjwnwcwy.ycc

MD5 002e4b1a8ae758b06c71a7d9f9451428
SHA1 049a198d52d8d92084fcaabf079ec6484104f1c3
SHA256 84dbaab5ddb02343acc3a02f70b2e755472fd5ef0391a1c92ead908c51b43954
SHA512 71aacaa79dc8acfa652e6fbfb02fdfdf41b271bc8937f0709fc323137e1907b22c1a01c4998270ba2f854bf66c83d420341da46585f2fb92fca62f3f030af5bd