Malware Analysis Report

2025-08-10 16:34

Sample ID 250418-ny4qpa11ev
Target JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02
SHA256 a7ba2a0628020aa108b91798907146015ab98527a7b59ac8836865c6d9e1e12b
Tags
pykspa defense_evasion discovery persistence privilege_escalation trojan worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a7ba2a0628020aa108b91798907146015ab98527a7b59ac8836865c6d9e1e12b

Threat Level: Known bad

The file JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02 was found to be: Known bad.

Malicious Activity Summary

pykspa defense_evasion discovery persistence privilege_escalation trojan worm

UAC bypass

Modifies WinLogon for persistence

Pykspa family

Pykspa

Detect Pykspa worm

Disables RegEdit via registry modification

Adds policy Run key to start application

Checks computer location settings

Impair Defenses: Safe Mode Boot

Executes dropped EXE

Adds Run key to start application

Hijack Execution Flow: Executable Installer File Permissions Weakness

Looks up external IP address via web service

Checks whether UAC is enabled

Drops autorun.inf file

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

System policy modification

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-04-18 11:49

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2025-04-18 11:49

Reported

2025-04-18 11:51

Platform

win11-20250410-en

Max time kernel

58s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A

Pykspa

worm pykspa

Pykspa family

pykspa

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A

Detect Pykspa worm

worm
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ugqwbck = "awqgvgyumzxopgcpy.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nwdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wwuohwssofhchcctggkki.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ugqwbck = "awqgvgyumzxopgcpy.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nwdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hgdwocxwrhicgazpbadc.exe" C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ugqwbck = "hgdwocxwrhicgazpbadc.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nwdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wwuohwssofhchcctggkki.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ugqwbck = "hgdwocxwrhicgazpbadc.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ugqwbck = "wwuohwssofhchcctggkki.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nwdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wwuohwssofhchcctggkki.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ugqwbck = "jgbsiunkdrqikcznxu.exe" C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nwdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\usogxkecwllehaynywy.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ugqwbck = "jgbsiunkdrqikcznxu.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ugqwbck = "tohwkulgxjgwwmht.exe" C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nwdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jgbsiunkdrqikcznxu.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ugqwbck = "hgdwocxwrhicgazpbadc.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ugqwbck = "usogxkecwllehaynywy.exe" C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nwdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tohwkulgxjgwwmht.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ugqwbck = "jgbsiunkdrqikcznxu.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nwdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\awqgvgyumzxopgcpy.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nwdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jgbsiunkdrqikcznxu.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ugqwbck = "tohwkulgxjgwwmht.exe" C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nwdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wwuohwssofhchcctggkki.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nwdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hgdwocxwrhicgazpbadc.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nwdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\usogxkecwllehaynywy.exe" C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nwdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hgdwocxwrhicgazpbadc.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ugqwbck = "wwuohwssofhchcctggkki.exe" C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ugqwbck = "awqgvgyumzxopgcpy.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nwdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\usogxkecwllehaynywy.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nwdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hgdwocxwrhicgazpbadc.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ugqwbck = "jgbsiunkdrqikcznxu.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ugqwbck = "wwuohwssofhchcctggkki.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nwdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tohwkulgxjgwwmht.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ugqwbck = "hgdwocxwrhicgazpbadc.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nwdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wwuohwssofhchcctggkki.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ugqwbck = "jgbsiunkdrqikcznxu.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ugqwbck = "wwuohwssofhchcctggkki.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ugqwbck = "awqgvgyumzxopgcpy.exe" C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ugqwbck = "usogxkecwllehaynywy.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ugqwbck = "awqgvgyumzxopgcpy.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nwdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tohwkulgxjgwwmht.exe" C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nwdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\awqgvgyumzxopgcpy.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nwdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hgdwocxwrhicgazpbadc.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nwdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\awqgvgyumzxopgcpy.exe" C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A

Disables RegEdit via registry modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
N/A N/A C:\Windows\jgbsiunkdrqikcznxu.exe N/A
N/A N/A C:\Windows\jgbsiunkdrqikcznxu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
N/A N/A C:\Windows\hgdwocxwrhicgazpbadc.exe N/A
N/A N/A C:\Windows\jgbsiunkdrqikcznxu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
N/A N/A C:\Windows\jgbsiunkdrqikcznxu.exe N/A
N/A N/A C:\Windows\hgdwocxwrhicgazpbadc.exe N/A
N/A N/A C:\Windows\jgbsiunkdrqikcznxu.exe N/A
N/A N/A C:\Windows\tohwkulgxjgwwmht.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
N/A N/A C:\Windows\tohwkulgxjgwwmht.exe N/A
N/A N/A C:\Windows\wwuohwssofhchcctggkki.exe N/A
N/A N/A C:\Windows\awqgvgyumzxopgcpy.exe N/A
N/A N/A C:\Windows\jgbsiunkdrqikcznxu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
N/A N/A C:\Windows\jgbsiunkdrqikcznxu.exe N/A
N/A N/A C:\Windows\hgdwocxwrhicgazpbadc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
N/A N/A C:\Windows\tohwkulgxjgwwmht.exe N/A
N/A N/A C:\Windows\wwuohwssofhchcctggkki.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
N/A N/A C:\Windows\usogxkecwllehaynywy.exe N/A
N/A N/A C:\Windows\hgdwocxwrhicgazpbadc.exe N/A
N/A N/A C:\Windows\wwuohwssofhchcctggkki.exe N/A
N/A N/A C:\Windows\awqgvgyumzxopgcpy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
N/A N/A C:\Windows\usogxkecwllehaynywy.exe N/A
N/A N/A C:\Windows\wwuohwssofhchcctggkki.exe N/A
N/A N/A C:\Windows\usogxkecwllehaynywy.exe N/A
N/A N/A C:\Windows\tohwkulgxjgwwmht.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
N/A N/A C:\Windows\jgbsiunkdrqikcznxu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tivemqbqbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\usogxkecwllehaynywy.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hsbgkk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hgdwocxwrhicgazpbadc.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hsbgkk = "jgbsiunkdrqikcznxu.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tivemqbqbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wwuohwssofhchcctggkki.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tivemqbqbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jgbsiunkdrqikcznxu.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wgosv = "usogxkecwllehaynywy.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tivemqbqbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tohwkulgxjgwwmht.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\wgosv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tohwkulgxjgwwmht.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\wgosv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hgdwocxwrhicgazpbadc.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\wgosv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jgbsiunkdrqikcznxu.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\aoaipscqa = "tohwkulgxjgwwmht.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\jwhouwfs = "tohwkulgxjgwwmht.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hsbgkk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jgbsiunkdrqikcznxu.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\jwhouwfs = "jgbsiunkdrqikcznxu.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wgosv = "jgbsiunkdrqikcznxu.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oesclqcseld = "C:\\Users\\Admin\\AppData\\Local\\Temp\\awqgvgyumzxopgcpy.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tivemqbqbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\usogxkecwllehaynywy.exe ." C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\aoaipscqa = "usogxkecwllehaynywy.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\aoaipscqa = "awqgvgyumzxopgcpy.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wgosv = "wwuohwssofhchcctggkki.exe" C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hsbgkk = "tohwkulgxjgwwmht.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hsbgkk = "usogxkecwllehaynywy.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oesclqcseld = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tohwkulgxjgwwmht.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hsbgkk = "jgbsiunkdrqikcznxu.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hsbgkk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\awqgvgyumzxopgcpy.exe ." C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tivemqbqbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\usogxkecwllehaynywy.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hsbgkk = "usogxkecwllehaynywy.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oesclqcseld = "C:\\Users\\Admin\\AppData\\Local\\Temp\\awqgvgyumzxopgcpy.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\jwhouwfs = "usogxkecwllehaynywy.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tivemqbqbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tohwkulgxjgwwmht.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\jwhouwfs = "usogxkecwllehaynywy.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hsbgkk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\usogxkecwllehaynywy.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\wgosv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\awqgvgyumzxopgcpy.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hsbgkk = "hgdwocxwrhicgazpbadc.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tivemqbqbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\awqgvgyumzxopgcpy.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oesclqcseld = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tohwkulgxjgwwmht.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hsbgkk = "tohwkulgxjgwwmht.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\jwhouwfs = "wwuohwssofhchcctggkki.exe" C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hsbgkk = "jgbsiunkdrqikcznxu.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wgosv = "hgdwocxwrhicgazpbadc.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wgosv = "hgdwocxwrhicgazpbadc.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\wgosv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\usogxkecwllehaynywy.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hsbgkk = "wwuohwssofhchcctggkki.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\aoaipscqa = "wwuohwssofhchcctggkki.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\wgosv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tohwkulgxjgwwmht.exe" C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tivemqbqbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\awqgvgyumzxopgcpy.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tivemqbqbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\awqgvgyumzxopgcpy.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tivemqbqbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wwuohwssofhchcctggkki.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hsbgkk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\usogxkecwllehaynywy.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wgosv = "wwuohwssofhchcctggkki.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\aoaipscqa = "jgbsiunkdrqikcznxu.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oesclqcseld = "C:\\Users\\Admin\\AppData\\Local\\Temp\\usogxkecwllehaynywy.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\wgosv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tohwkulgxjgwwmht.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\aoaipscqa = "jgbsiunkdrqikcznxu.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hsbgkk = "wwuohwssofhchcctggkki.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wgosv = "hgdwocxwrhicgazpbadc.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\aoaipscqa = "awqgvgyumzxopgcpy.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\wgosv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hgdwocxwrhicgazpbadc.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\wgosv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\awqgvgyumzxopgcpy.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hsbgkk = "hgdwocxwrhicgazpbadc.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\aoaipscqa = "wwuohwssofhchcctggkki.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wgosv = "hgdwocxwrhicgazpbadc.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wgosv = "awqgvgyumzxopgcpy.exe" C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hsbgkk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\usogxkecwllehaynywy.exe ." C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A

Hijack Execution Flow: Executable Installer File Permissions Weakness

defense_evasion persistence privilege_escalation
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A whatismyip.everdot.org N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A whatismyipaddress.com N/A N/A
N/A www.showmyipaddress.com N/A N/A

Drops autorun.inf file

Description Indicator Process Target
File created C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\wwuohwssofhchcctggkki.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\usogxkecwllehaynywy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\wwuohwssofhchcctggkki.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\tohwkulgxjgwwmht.exe C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
File opened for modification C:\Windows\SysWOW64\wwuohwssofhchcctggkki.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\tohwkulgxjgwwmht.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\awqgvgyumzxopgcpy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\tohwkulgxjgwwmht.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\tohwkulgxjgwwmht.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\usogxkecwllehaynywy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\nonicspqnfiekghznotuto.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\wwuohwssofhchcctggkki.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\tohwkulgxjgwwmht.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\hgdwocxwrhicgazpbadc.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\hgdwocxwrhicgazpbadc.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\nonicspqnfiekghznotuto.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\nonicspqnfiekghznotuto.exe C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
File opened for modification C:\Windows\SysWOW64\awqgvgyumzxopgcpy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\usogxkecwllehaynywy.exe C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
File opened for modification C:\Windows\SysWOW64\usogxkecwllehaynywy.exe C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
File opened for modification C:\Windows\SysWOW64\kcsepwkcqztgdqirwokcsepwkcqztgdqirw.kcs C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
File opened for modification C:\Windows\SysWOW64\wwuohwssofhchcctggkki.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\tohwkulgxjgwwmht.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\jgbsiunkdrqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\usogxkecwllehaynywy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\awqgvgyumzxopgcpy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\hgdwocxwrhicgazpbadc.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\wwuohwssofhchcctggkki.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\awqgvgyumzxopgcpy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\hgdwocxwrhicgazpbadc.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\usogxkecwllehaynywy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\jgbsiunkdrqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\hgdwocxwrhicgazpbadc.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\awqgvgyumzxopgcpy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\tohwkulgxjgwwmht.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\awqgvgyumzxopgcpy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\jgbsiunkdrqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\awqgvgyumzxopgcpy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\hgdwocxwrhicgazpbadc.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\hgdwocxwrhicgazpbadc.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\hgdwocxwrhicgazpbadc.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\tohwkulgxjgwwmht.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\jgbsiunkdrqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\usogxkecwllehaynywy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\hgdwocxwrhicgazpbadc.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\awqgvgyumzxopgcpy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\usogxkecwllehaynywy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\awqgvgyumzxopgcpy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\hgdwocxwrhicgazpbadc.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\nonicspqnfiekghznotuto.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\wwuohwssofhchcctggkki.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\jgbsiunkdrqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\tohwkulgxjgwwmht.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\awqgvgyumzxopgcpy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\wwuohwssofhchcctggkki.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\hgdwocxwrhicgazpbadc.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File created C:\Windows\SysWOW64\kcsepwkcqztgdqirwokcsepwkcqztgdqirw.kcs C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
File opened for modification C:\Windows\SysWOW64\usogxkecwllehaynywy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\tohwkulgxjgwwmht.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\jgbsiunkdrqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\tohwkulgxjgwwmht.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\usogxkecwllehaynywy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\awqgvgyumzxopgcpy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\hgdwocxwrhicgazpbadc.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\binooknuxvegsubztalsxyyu.ehf C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
File created C:\Program Files (x86)\binooknuxvegsubztalsxyyu.ehf C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
File opened for modification C:\Program Files (x86)\kcsepwkcqztgdqirwokcsepwkcqztgdqirw.kcs C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
File created C:\Program Files (x86)\kcsepwkcqztgdqirwokcsepwkcqztgdqirw.kcs C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\awqgvgyumzxopgcpy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\jgbsiunkdrqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\kcsepwkcqztgdqirwokcsepwkcqztgdqirw.kcs C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
File opened for modification C:\Windows\awqgvgyumzxopgcpy.exe C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
File opened for modification C:\Windows\awqgvgyumzxopgcpy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\usogxkecwllehaynywy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\usogxkecwllehaynywy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\wwuohwssofhchcctggkki.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\awqgvgyumzxopgcpy.exe C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
File opened for modification C:\Windows\nonicspqnfiekghznotuto.exe C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
File opened for modification C:\Windows\wwuohwssofhchcctggkki.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\nonicspqnfiekghznotuto.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\hgdwocxwrhicgazpbadc.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\wwuohwssofhchcctggkki.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\jgbsiunkdrqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\nonicspqnfiekghznotuto.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\usogxkecwllehaynywy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\hgdwocxwrhicgazpbadc.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\hgdwocxwrhicgazpbadc.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\usogxkecwllehaynywy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\wwuohwssofhchcctggkki.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\hgdwocxwrhicgazpbadc.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\nonicspqnfiekghznotuto.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\hgdwocxwrhicgazpbadc.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\usogxkecwllehaynywy.exe C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
File opened for modification C:\Windows\hgdwocxwrhicgazpbadc.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\usogxkecwllehaynywy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\wwuohwssofhchcctggkki.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\usogxkecwllehaynywy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\nonicspqnfiekghznotuto.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\usogxkecwllehaynywy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\tohwkulgxjgwwmht.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\jgbsiunkdrqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\awqgvgyumzxopgcpy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\awqgvgyumzxopgcpy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\tohwkulgxjgwwmht.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\nonicspqnfiekghznotuto.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\hgdwocxwrhicgazpbadc.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\tohwkulgxjgwwmht.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\usogxkecwllehaynywy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\nonicspqnfiekghznotuto.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\tohwkulgxjgwwmht.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\hgdwocxwrhicgazpbadc.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\wwuohwssofhchcctggkki.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\jgbsiunkdrqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\usogxkecwllehaynywy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\nonicspqnfiekghznotuto.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\awqgvgyumzxopgcpy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\awqgvgyumzxopgcpy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\awqgvgyumzxopgcpy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\jgbsiunkdrqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\awqgvgyumzxopgcpy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\jgbsiunkdrqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\jgbsiunkdrqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\nonicspqnfiekghznotuto.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\usogxkecwllehaynywy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\awqgvgyumzxopgcpy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\wwuohwssofhchcctggkki.exe C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
File opened for modification C:\Windows\tohwkulgxjgwwmht.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\jgbsiunkdrqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\hgdwocxwrhicgazpbadc.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\nonicspqnfiekghznotuto.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\usogxkecwllehaynywy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\jgbsiunkdrqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\tohwkulgxjgwwmht.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\awqgvgyumzxopgcpy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\hgdwocxwrhicgazpbadc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\tohwkulgxjgwwmht.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\wwuohwssofhchcctggkki.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\jgbsiunkdrqikcznxu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\hgdwocxwrhicgazpbadc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\wwuohwssofhchcctggkki.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\usogxkecwllehaynywy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\hgdwocxwrhicgazpbadc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\wwuohwssofhchcctggkki.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\wwuohwssofhchcctggkki.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\tohwkulgxjgwwmht.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\wwuohwssofhchcctggkki.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\awqgvgyumzxopgcpy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\wwuohwssofhchcctggkki.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\awqgvgyumzxopgcpy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\jgbsiunkdrqikcznxu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\jgbsiunkdrqikcznxu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\jgbsiunkdrqikcznxu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\hgdwocxwrhicgazpbadc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\jgbsiunkdrqikcznxu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\jgbsiunkdrqikcznxu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\usogxkecwllehaynywy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\hgdwocxwrhicgazpbadc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\tohwkulgxjgwwmht.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\hgdwocxwrhicgazpbadc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\usogxkecwllehaynywy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\jgbsiunkdrqikcznxu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\hgdwocxwrhicgazpbadc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\jgbsiunkdrqikcznxu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\hgdwocxwrhicgazpbadc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3120 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
PID 3120 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
PID 3120 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
PID 4556 wrote to memory of 2004 N/A C:\Windows\system32\cmd.exe C:\Windows\jgbsiunkdrqikcznxu.exe
PID 4556 wrote to memory of 2004 N/A C:\Windows\system32\cmd.exe C:\Windows\jgbsiunkdrqikcznxu.exe
PID 4556 wrote to memory of 2004 N/A C:\Windows\system32\cmd.exe C:\Windows\jgbsiunkdrqikcznxu.exe
PID 1684 wrote to memory of 4904 N/A C:\Windows\system32\cmd.exe C:\Windows\jgbsiunkdrqikcznxu.exe
PID 1684 wrote to memory of 4904 N/A C:\Windows\system32\cmd.exe C:\Windows\jgbsiunkdrqikcznxu.exe
PID 1684 wrote to memory of 4904 N/A C:\Windows\system32\cmd.exe C:\Windows\jgbsiunkdrqikcznxu.exe
PID 4904 wrote to memory of 4952 N/A C:\Windows\jgbsiunkdrqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
PID 4904 wrote to memory of 4952 N/A C:\Windows\jgbsiunkdrqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
PID 4904 wrote to memory of 4952 N/A C:\Windows\jgbsiunkdrqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
PID 4988 wrote to memory of 5072 N/A C:\Windows\system32\cmd.exe C:\Windows\hgdwocxwrhicgazpbadc.exe
PID 4988 wrote to memory of 5072 N/A C:\Windows\system32\cmd.exe C:\Windows\hgdwocxwrhicgazpbadc.exe
PID 4988 wrote to memory of 5072 N/A C:\Windows\system32\cmd.exe C:\Windows\hgdwocxwrhicgazpbadc.exe
PID 3348 wrote to memory of 2320 N/A C:\Windows\system32\cmd.exe C:\Windows\jgbsiunkdrqikcznxu.exe
PID 3348 wrote to memory of 2320 N/A C:\Windows\system32\cmd.exe C:\Windows\jgbsiunkdrqikcznxu.exe
PID 3348 wrote to memory of 2320 N/A C:\Windows\system32\cmd.exe C:\Windows\jgbsiunkdrqikcznxu.exe
PID 944 wrote to memory of 3164 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe
PID 944 wrote to memory of 3164 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe
PID 944 wrote to memory of 3164 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe
PID 2320 wrote to memory of 1416 N/A C:\Windows\jgbsiunkdrqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
PID 2320 wrote to memory of 1416 N/A C:\Windows\jgbsiunkdrqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
PID 2320 wrote to memory of 1416 N/A C:\Windows\jgbsiunkdrqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
PID 4944 wrote to memory of 5084 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
PID 4944 wrote to memory of 5084 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
PID 4944 wrote to memory of 5084 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
PID 5084 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
PID 5084 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
PID 5084 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
PID 3404 wrote to memory of 4352 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
PID 3404 wrote to memory of 4352 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
PID 3404 wrote to memory of 4352 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
PID 3408 wrote to memory of 3760 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe
PID 3408 wrote to memory of 3760 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe
PID 3408 wrote to memory of 3760 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe
PID 3760 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
PID 3760 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
PID 3760 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
PID 3508 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe C:\Users\Admin\AppData\Local\Temp\wgosv.exe
PID 3508 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe C:\Users\Admin\AppData\Local\Temp\wgosv.exe
PID 3508 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe C:\Users\Admin\AppData\Local\Temp\wgosv.exe
PID 3508 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe C:\Users\Admin\AppData\Local\Temp\wgosv.exe
PID 3508 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe C:\Users\Admin\AppData\Local\Temp\wgosv.exe
PID 3508 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe C:\Users\Admin\AppData\Local\Temp\wgosv.exe
PID 6032 wrote to memory of 1760 N/A C:\Windows\system32\cmd.exe C:\Windows\jgbsiunkdrqikcznxu.exe
PID 6032 wrote to memory of 1760 N/A C:\Windows\system32\cmd.exe C:\Windows\jgbsiunkdrqikcznxu.exe
PID 5312 wrote to memory of 4280 N/A C:\Windows\system32\cmd.exe C:\Windows\hgdwocxwrhicgazpbadc.exe
PID 6032 wrote to memory of 1760 N/A C:\Windows\system32\cmd.exe C:\Windows\jgbsiunkdrqikcznxu.exe
PID 5312 wrote to memory of 4280 N/A C:\Windows\system32\cmd.exe C:\Windows\hgdwocxwrhicgazpbadc.exe
PID 5312 wrote to memory of 4280 N/A C:\Windows\system32\cmd.exe C:\Windows\hgdwocxwrhicgazpbadc.exe
PID 488 wrote to memory of 5952 N/A C:\Windows\system32\cmd.exe C:\Windows\jgbsiunkdrqikcznxu.exe
PID 488 wrote to memory of 5952 N/A C:\Windows\system32\cmd.exe C:\Windows\jgbsiunkdrqikcznxu.exe
PID 488 wrote to memory of 5952 N/A C:\Windows\system32\cmd.exe C:\Windows\jgbsiunkdrqikcznxu.exe
PID 3032 wrote to memory of 3112 N/A C:\Windows\system32\cmd.exe C:\Windows\tohwkulgxjgwwmht.exe
PID 3032 wrote to memory of 3112 N/A C:\Windows\system32\cmd.exe C:\Windows\tohwkulgxjgwwmht.exe
PID 3032 wrote to memory of 3112 N/A C:\Windows\system32\cmd.exe C:\Windows\tohwkulgxjgwwmht.exe
PID 5952 wrote to memory of 3000 N/A C:\Windows\jgbsiunkdrqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
PID 5952 wrote to memory of 3000 N/A C:\Windows\jgbsiunkdrqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
PID 5952 wrote to memory of 3000 N/A C:\Windows\jgbsiunkdrqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
PID 3112 wrote to memory of 5452 N/A C:\Windows\tohwkulgxjgwwmht.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
PID 3112 wrote to memory of 5452 N/A C:\Windows\tohwkulgxjgwwmht.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
PID 3112 wrote to memory of 5452 N/A C:\Windows\tohwkulgxjgwwmht.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
PID 1044 wrote to memory of 2812 N/A C:\Windows\system32\cmd.exe C:\Windows\tohwkulgxjgwwmht.exe

System policy modification

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\wgosv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe"

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_bdec6237d2f7f80e1250e09df51e3d02.exe*"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe

C:\Windows\jgbsiunkdrqikcznxu.exe

jgbsiunkdrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe .

C:\Windows\jgbsiunkdrqikcznxu.exe

jgbsiunkdrqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\jgbsiunkdrqikcznxu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe

C:\Windows\hgdwocxwrhicgazpbadc.exe

hgdwocxwrhicgazpbadc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe .

C:\Windows\jgbsiunkdrqikcznxu.exe

jgbsiunkdrqikcznxu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\jgbsiunkdrqikcznxu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\tohwkulgxjgwwmht.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .

C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe

C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\hgdwocxwrhicgazpbadc.exe*."

C:\Users\Admin\AppData\Local\Temp\wgosv.exe

"C:\Users\Admin\AppData\Local\Temp\wgosv.exe" "-C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe"

C:\Users\Admin\AppData\Local\Temp\wgosv.exe

"C:\Users\Admin\AppData\Local\Temp\wgosv.exe" "-C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe

C:\Windows\jgbsiunkdrqikcznxu.exe

jgbsiunkdrqikcznxu.exe

C:\Windows\hgdwocxwrhicgazpbadc.exe

hgdwocxwrhicgazpbadc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe .

C:\Windows\jgbsiunkdrqikcznxu.exe

jgbsiunkdrqikcznxu.exe .

C:\Windows\tohwkulgxjgwwmht.exe

tohwkulgxjgwwmht.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\jgbsiunkdrqikcznxu.exe*."

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\tohwkulgxjgwwmht.exe*."

C:\Windows\tohwkulgxjgwwmht.exe

tohwkulgxjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe

C:\Windows\wwuohwssofhchcctggkki.exe

wwuohwssofhchcctggkki.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .

C:\Windows\awqgvgyumzxopgcpy.exe

awqgvgyumzxopgcpy.exe .

C:\Windows\jgbsiunkdrqikcznxu.exe

jgbsiunkdrqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe

C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\awqgvgyumzxopgcpy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\jgbsiunkdrqikcznxu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\tohwkulgxjgwwmht.exe*."

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\usogxkecwllehaynywy.exe*."

C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\jgbsiunkdrqikcznxu.exe*."

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\usogxkecwllehaynywy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe

C:\Windows\jgbsiunkdrqikcznxu.exe

jgbsiunkdrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe .

C:\Windows\hgdwocxwrhicgazpbadc.exe

hgdwocxwrhicgazpbadc.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\hgdwocxwrhicgazpbadc.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe .

C:\Windows\tohwkulgxjgwwmht.exe

tohwkulgxjgwwmht.exe

C:\Windows\wwuohwssofhchcctggkki.exe

wwuohwssofhchcctggkki.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\wwuohwssofhchcctggkki.exe*."

C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe

C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .

C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe

C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\wwuohwssofhchcctggkki.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .

C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe

C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\wwuohwssofhchcctggkki.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe

C:\Windows\usogxkecwllehaynywy.exe

usogxkecwllehaynywy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe

C:\Windows\hgdwocxwrhicgazpbadc.exe

hgdwocxwrhicgazpbadc.exe .

C:\Windows\wwuohwssofhchcctggkki.exe

wwuohwssofhchcctggkki.exe

C:\Windows\awqgvgyumzxopgcpy.exe

awqgvgyumzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\hgdwocxwrhicgazpbadc.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe .

C:\Windows\usogxkecwllehaynywy.exe

usogxkecwllehaynywy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe .

C:\Windows\wwuohwssofhchcctggkki.exe

wwuohwssofhchcctggkki.exe .

C:\Windows\usogxkecwllehaynywy.exe

usogxkecwllehaynywy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe

C:\Windows\tohwkulgxjgwwmht.exe

tohwkulgxjgwwmht.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\usogxkecwllehaynywy.exe*."

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\wwuohwssofhchcctggkki.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe

C:\Windows\jgbsiunkdrqikcznxu.exe

jgbsiunkdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\tohwkulgxjgwwmht.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .

C:\Windows\wwuohwssofhchcctggkki.exe

wwuohwssofhchcctggkki.exe .

C:\Windows\usogxkecwllehaynywy.exe

usogxkecwllehaynywy.exe

C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe

C:\Windows\hgdwocxwrhicgazpbadc.exe

hgdwocxwrhicgazpbadc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe

C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe

C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\wwuohwssofhchcctggkki.exe*."

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\jgbsiunkdrqikcznxu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe

C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\hgdwocxwrhicgazpbadc.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\hgdwocxwrhicgazpbadc.exe*."

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\usogxkecwllehaynywy.exe*."

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\awqgvgyumzxopgcpy.exe*."

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\awqgvgyumzxopgcpy.exe*."

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\usogxkecwllehaynywy.exe*."

C:\Windows\jgbsiunkdrqikcznxu.exe

jgbsiunkdrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe .

C:\Windows\wwuohwssofhchcctggkki.exe

wwuohwssofhchcctggkki.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\wwuohwssofhchcctggkki.exe*."

C:\Windows\wwuohwssofhchcctggkki.exe

wwuohwssofhchcctggkki.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe .

C:\Windows\tohwkulgxjgwwmht.exe

tohwkulgxjgwwmht.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\tohwkulgxjgwwmht.exe*."

C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe

C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\hgdwocxwrhicgazpbadc.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\usogxkecwllehaynywy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe

C:\Windows\jgbsiunkdrqikcznxu.exe

jgbsiunkdrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe .

C:\Windows\tohwkulgxjgwwmht.exe

tohwkulgxjgwwmht.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\tohwkulgxjgwwmht.exe*."

C:\Windows\wwuohwssofhchcctggkki.exe

wwuohwssofhchcctggkki.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe .

C:\Windows\tohwkulgxjgwwmht.exe

tohwkulgxjgwwmht.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\tohwkulgxjgwwmht.exe*."

C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\usogxkecwllehaynywy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .

C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe

C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\hgdwocxwrhicgazpbadc.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe

C:\Windows\tohwkulgxjgwwmht.exe

tohwkulgxjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe .

C:\Windows\wwuohwssofhchcctggkki.exe

wwuohwssofhchcctggkki.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\wwuohwssofhchcctggkki.exe*."

C:\Windows\jgbsiunkdrqikcznxu.exe

jgbsiunkdrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe .

C:\Windows\usogxkecwllehaynywy.exe

usogxkecwllehaynywy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\usogxkecwllehaynywy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\jgbsiunkdrqikcznxu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .

C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe

C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\hgdwocxwrhicgazpbadc.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\hgdwocxwrhicgazpbadc.exe

hgdwocxwrhicgazpbadc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe .

C:\Windows\jgbsiunkdrqikcznxu.exe

jgbsiunkdrqikcznxu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\jgbsiunkdrqikcznxu.exe*."

C:\Windows\jgbsiunkdrqikcznxu.exe

jgbsiunkdrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe .

C:\Windows\hgdwocxwrhicgazpbadc.exe

hgdwocxwrhicgazpbadc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\hgdwocxwrhicgazpbadc.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .

C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe

C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\hgdwocxwrhicgazpbadc.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\tohwkulgxjgwwmht.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe

C:\Windows\wwuohwssofhchcctggkki.exe

wwuohwssofhchcctggkki.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe .

C:\Windows\usogxkecwllehaynywy.exe

usogxkecwllehaynywy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\usogxkecwllehaynywy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe

C:\Windows\wwuohwssofhchcctggkki.exe

wwuohwssofhchcctggkki.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe .

C:\Windows\tohwkulgxjgwwmht.exe

tohwkulgxjgwwmht.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe

C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe

C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\tohwkulgxjgwwmht.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\awqgvgyumzxopgcpy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe

C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe

C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\awqgvgyumzxopgcpy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\tohwkulgxjgwwmht.exe

tohwkulgxjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\wwuohwssofhchcctggkki.exe

wwuohwssofhchcctggkki.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\wwuohwssofhchcctggkki.exe*."

C:\Windows\tohwkulgxjgwwmht.exe

tohwkulgxjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe .

C:\Windows\usogxkecwllehaynywy.exe

usogxkecwllehaynywy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe

C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe

C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\usogxkecwllehaynywy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\usogxkecwllehaynywy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\awqgvgyumzxopgcpy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe

C:\Windows\hgdwocxwrhicgazpbadc.exe

hgdwocxwrhicgazpbadc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe .

C:\Windows\hgdwocxwrhicgazpbadc.exe

hgdwocxwrhicgazpbadc.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\hgdwocxwrhicgazpbadc.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe

C:\Windows\usogxkecwllehaynywy.exe

usogxkecwllehaynywy.exe

C:\Windows\awqgvgyumzxopgcpy.exe

awqgvgyumzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe .

C:\Windows\awqgvgyumzxopgcpy.exe

awqgvgyumzxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\awqgvgyumzxopgcpy.exe*."

C:\Windows\jgbsiunkdrqikcznxu.exe

jgbsiunkdrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

C:\Windows\awqgvgyumzxopgcpy.exe

awqgvgyumzxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe .

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\awqgvgyumzxopgcpy.exe*."

C:\Windows\hgdwocxwrhicgazpbadc.exe

hgdwocxwrhicgazpbadc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\awqgvgyumzxopgcpy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

C:\Windows\tohwkulgxjgwwmht.exe

tohwkulgxjgwwmht.exe

C:\Windows\jgbsiunkdrqikcznxu.exe

jgbsiunkdrqikcznxu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\hgdwocxwrhicgazpbadc.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\jgbsiunkdrqikcznxu.exe*."

C:\Windows\wwuohwssofhchcctggkki.exe

wwuohwssofhchcctggkki.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe

C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .

C:\Windows\wwuohwssofhchcctggkki.exe

wwuohwssofhchcctggkki.exe .

C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\awqgvgyumzxopgcpy.exe*."

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\awqgvgyumzxopgcpy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe

C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\jgbsiunkdrqikcznxu.exe*."

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\wwuohwssofhchcctggkki.exe*."

C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe

C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\wwuohwssofhchcctggkki.exe*."

C:\Windows\jgbsiunkdrqikcznxu.exe

jgbsiunkdrqikcznxu.exe

C:\Windows\usogxkecwllehaynywy.exe

usogxkecwllehaynywy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\wwuohwssofhchcctggkki.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\usogxkecwllehaynywy.exe*."

C:\Windows\jgbsiunkdrqikcznxu.exe

jgbsiunkdrqikcznxu.exe

C:\Windows\tohwkulgxjgwwmht.exe

tohwkulgxjgwwmht.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\tohwkulgxjgwwmht.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\jgbsiunkdrqikcznxu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\usogxkecwllehaynywy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe

C:\Windows\awqgvgyumzxopgcpy.exe

awqgvgyumzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe .

C:\Windows\hgdwocxwrhicgazpbadc.exe

hgdwocxwrhicgazpbadc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\hgdwocxwrhicgazpbadc.exe*."

C:\Windows\wwuohwssofhchcctggkki.exe

wwuohwssofhchcctggkki.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Windows\usogxkecwllehaynywy.exe

usogxkecwllehaynywy.exe .

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\usogxkecwllehaynywy.exe*."

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\awqgvgyumzxopgcpy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe

C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\hgdwocxwrhicgazpbadc.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe

C:\Windows\usogxkecwllehaynywy.exe

usogxkecwllehaynywy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe .

C:\Windows\hgdwocxwrhicgazpbadc.exe

hgdwocxwrhicgazpbadc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\hgdwocxwrhicgazpbadc.exe*."

C:\Windows\hgdwocxwrhicgazpbadc.exe

hgdwocxwrhicgazpbadc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe .

C:\Windows\awqgvgyumzxopgcpy.exe

awqgvgyumzxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\awqgvgyumzxopgcpy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\usogxkecwllehaynywy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe

C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe

C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\awqgvgyumzxopgcpy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe

C:\Windows\usogxkecwllehaynywy.exe

usogxkecwllehaynywy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe .

C:\Windows\tohwkulgxjgwwmht.exe

tohwkulgxjgwwmht.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\tohwkulgxjgwwmht.exe*."

C:\Windows\tohwkulgxjgwwmht.exe

tohwkulgxjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe .

C:\Windows\awqgvgyumzxopgcpy.exe

awqgvgyumzxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\awqgvgyumzxopgcpy.exe*."

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\awqgvgyumzxopgcpy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe

C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe

C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\jgbsiunkdrqikcznxu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\tohwkulgxjgwwmht.exe

tohwkulgxjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe .

C:\Windows\usogxkecwllehaynywy.exe

usogxkecwllehaynywy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\usogxkecwllehaynywy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe

C:\Windows\wwuohwssofhchcctggkki.exe

wwuohwssofhchcctggkki.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe .

C:\Windows\hgdwocxwrhicgazpbadc.exe

hgdwocxwrhicgazpbadc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\hgdwocxwrhicgazpbadc.exe*."

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\usogxkecwllehaynywy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\jgbsiunkdrqikcznxu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe

C:\Windows\hgdwocxwrhicgazpbadc.exe

hgdwocxwrhicgazpbadc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe .

C:\Windows\wwuohwssofhchcctggkki.exe

wwuohwssofhchcctggkki.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\wwuohwssofhchcctggkki.exe*."

C:\Windows\jgbsiunkdrqikcznxu.exe

jgbsiunkdrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe .

C:\Windows\wwuohwssofhchcctggkki.exe

wwuohwssofhchcctggkki.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\wwuohwssofhchcctggkki.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .

C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe

C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\wwuohwssofhchcctggkki.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\usogxkecwllehaynywy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe

C:\Windows\awqgvgyumzxopgcpy.exe

awqgvgyumzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe .

C:\Windows\jgbsiunkdrqikcznxu.exe

jgbsiunkdrqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\jgbsiunkdrqikcznxu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe

C:\Windows\jgbsiunkdrqikcznxu.exe

jgbsiunkdrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe .

C:\Windows\jgbsiunkdrqikcznxu.exe

jgbsiunkdrqikcznxu.exe

C:\Windows\jgbsiunkdrqikcznxu.exe

jgbsiunkdrqikcznxu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\jgbsiunkdrqikcznxu.exe*."

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\awqgvgyumzxopgcpy.exe

awqgvgyumzxopgcpy.exe .

C:\Windows\usogxkecwllehaynywy.exe

usogxkecwllehaynywy.exe

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\awqgvgyumzxopgcpy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\awqgvgyumzxopgcpy.exe*."

C:\Windows\usogxkecwllehaynywy.exe

usogxkecwllehaynywy.exe

C:\Windows\tohwkulgxjgwwmht.exe

tohwkulgxjgwwmht.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\tohwkulgxjgwwmht.exe*."

C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe

C:\Windows\usogxkecwllehaynywy.exe

usogxkecwllehaynywy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe

C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe

C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe

C:\Windows\tohwkulgxjgwwmht.exe

tohwkulgxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe

C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\usogxkecwllehaynywy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe

C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\wwuohwssofhchcctggkki.exe*."

C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\tohwkulgxjgwwmht.exe*."

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe

C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\jgbsiunkdrqikcznxu.exe*."

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Windows\wwuohwssofhchcctggkki.exe

wwuohwssofhchcctggkki.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\wwuohwssofhchcctggkki.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe .

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .

C:\Windows\usogxkecwllehaynywy.exe

usogxkecwllehaynywy.exe .

C:\Windows\jgbsiunkdrqikcznxu.exe

jgbsiunkdrqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\usogxkecwllehaynywy.exe*."

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\usogxkecwllehaynywy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\jgbsiunkdrqikcznxu.exe*."

C:\Windows\jgbsiunkdrqikcznxu.exe

jgbsiunkdrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\awqgvgyumzxopgcpy.exe

awqgvgyumzxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\awqgvgyumzxopgcpy.exe*."

C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe

C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\wwuohwssofhchcctggkki.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe

C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe

C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\awqgvgyumzxopgcpy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\jgbsiunkdrqikcznxu.exe

jgbsiunkdrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe .

C:\Windows\jgbsiunkdrqikcznxu.exe

jgbsiunkdrqikcznxu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\jgbsiunkdrqikcznxu.exe*."

C:\Windows\jgbsiunkdrqikcznxu.exe

jgbsiunkdrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe .

C:\Windows\jgbsiunkdrqikcznxu.exe

jgbsiunkdrqikcznxu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\jgbsiunkdrqikcznxu.exe*."

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\tohwkulgxjgwwmht.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\tohwkulgxjgwwmht.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe

C:\Windows\awqgvgyumzxopgcpy.exe

awqgvgyumzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe .

C:\Windows\wwuohwssofhchcctggkki.exe

wwuohwssofhchcctggkki.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\wwuohwssofhchcctggkki.exe*."

C:\Windows\wwuohwssofhchcctggkki.exe

wwuohwssofhchcctggkki.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe .

C:\Windows\tohwkulgxjgwwmht.exe

tohwkulgxjgwwmht.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\tohwkulgxjgwwmht.exe*."

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\tohwkulgxjgwwmht.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe

C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe

C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\usogxkecwllehaynywy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe

C:\Windows\wwuohwssofhchcctggkki.exe

wwuohwssofhchcctggkki.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe .

C:\Windows\jgbsiunkdrqikcznxu.exe

jgbsiunkdrqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\jgbsiunkdrqikcznxu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe

C:\Windows\wwuohwssofhchcctggkki.exe

wwuohwssofhchcctggkki.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe .

C:\Windows\jgbsiunkdrqikcznxu.exe

jgbsiunkdrqikcznxu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\jgbsiunkdrqikcznxu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .

C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe

C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\hgdwocxwrhicgazpbadc.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .

C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe

C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\hgdwocxwrhicgazpbadc.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe

C:\Windows\jgbsiunkdrqikcznxu.exe

jgbsiunkdrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe .

C:\Windows\wwuohwssofhchcctggkki.exe

wwuohwssofhchcctggkki.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\wwuohwssofhchcctggkki.exe*."

C:\Windows\hgdwocxwrhicgazpbadc.exe

hgdwocxwrhicgazpbadc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe .

C:\Windows\awqgvgyumzxopgcpy.exe

awqgvgyumzxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\awqgvgyumzxopgcpy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\tohwkulgxjgwwmht.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .

C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe

C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\hgdwocxwrhicgazpbadc.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe

C:\Windows\hgdwocxwrhicgazpbadc.exe

hgdwocxwrhicgazpbadc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe .

C:\Windows\hgdwocxwrhicgazpbadc.exe

hgdwocxwrhicgazpbadc.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\hgdwocxwrhicgazpbadc.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe

C:\Windows\usogxkecwllehaynywy.exe

usogxkecwllehaynywy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe .

C:\Windows\wwuohwssofhchcctggkki.exe

wwuohwssofhchcctggkki.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\wwuohwssofhchcctggkki.exe*."

C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe

C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\wwuohwssofhchcctggkki.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe

C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe

C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .

C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe

C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\hgdwocxwrhicgazpbadc.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe

C:\Windows\hgdwocxwrhicgazpbadc.exe

hgdwocxwrhicgazpbadc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe .

C:\Windows\awqgvgyumzxopgcpy.exe

awqgvgyumzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\awqgvgyumzxopgcpy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe

C:\Windows\wwuohwssofhchcctggkki.exe

wwuohwssofhchcctggkki.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe .

C:\Windows\wwuohwssofhchcctggkki.exe

wwuohwssofhchcctggkki.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\wwuohwssofhchcctggkki.exe*."

C:\Windows\tohwkulgxjgwwmht.exe

tohwkulgxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\tohwkulgxjgwwmht.exe*."

C:\Windows\jgbsiunkdrqikcznxu.exe

jgbsiunkdrqikcznxu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\jgbsiunkdrqikcznxu.exe*."

C:\Windows\wwuohwssofhchcctggkki.exe

wwuohwssofhchcctggkki.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\wwuohwssofhchcctggkki.exe

wwuohwssofhchcctggkki.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe

C:\Windows\jgbsiunkdrqikcznxu.exe

jgbsiunkdrqikcznxu.exe .

C:\Windows\usogxkecwllehaynywy.exe

usogxkecwllehaynywy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\tohwkulgxjgwwmht.exe*."

C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\usogxkecwllehaynywy.exe*."

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\jgbsiunkdrqikcznxu.exe*."

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

C:\Windows\usogxkecwllehaynywy.exe

usogxkecwllehaynywy.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\tohwkulgxjgwwmht.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .

C:\Windows\wwuohwssofhchcctggkki.exe

wwuohwssofhchcctggkki.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\jgbsiunkdrqikcznxu.exe*."

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\jgbsiunkdrqikcznxu.exe*."

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .

C:\Windows\usogxkecwllehaynywy.exe

usogxkecwllehaynywy.exe .

C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\usogxkecwllehaynywy.exe*."

C:\Windows\usogxkecwllehaynywy.exe

usogxkecwllehaynywy.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\jgbsiunkdrqikcznxu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe .

C:\Windows\hgdwocxwrhicgazpbadc.exe

hgdwocxwrhicgazpbadc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\hgdwocxwrhicgazpbadc.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\tohwkulgxjgwwmht.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\jgbsiunkdrqikcznxu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe

C:\Windows\hgdwocxwrhicgazpbadc.exe

hgdwocxwrhicgazpbadc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe .

C:\Windows\tohwkulgxjgwwmht.exe

tohwkulgxjgwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\tohwkulgxjgwwmht.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe

C:\Windows\hgdwocxwrhicgazpbadc.exe

hgdwocxwrhicgazpbadc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\hgdwocxwrhicgazpbadc.exe

hgdwocxwrhicgazpbadc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe

C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe

C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\hgdwocxwrhicgazpbadc.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\awqgvgyumzxopgcpy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\jgbsiunkdrqikcznxu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe

C:\Windows\hgdwocxwrhicgazpbadc.exe

hgdwocxwrhicgazpbadc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\awqgvgyumzxopgcpy.exe

awqgvgyumzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\awqgvgyumzxopgcpy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe

C:\Windows\jgbsiunkdrqikcznxu.exe

jgbsiunkdrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe .

C:\Windows\awqgvgyumzxopgcpy.exe

awqgvgyumzxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\awqgvgyumzxopgcpy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\usogxkecwllehaynywy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe

C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\wwuohwssofhchcctggkki.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe

C:\Windows\wwuohwssofhchcctggkki.exe

wwuohwssofhchcctggkki.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe .

C:\Windows\awqgvgyumzxopgcpy.exe

awqgvgyumzxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\awqgvgyumzxopgcpy.exe*."

C:\Windows\wwuohwssofhchcctggkki.exe

wwuohwssofhchcctggkki.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe .

C:\Windows\tohwkulgxjgwwmht.exe

tohwkulgxjgwwmht.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\tohwkulgxjgwwmht.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\tohwkulgxjgwwmht.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\tohwkulgxjgwwmht.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\usogxkecwllehaynywy.exe

usogxkecwllehaynywy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe .

C:\Windows\usogxkecwllehaynywy.exe

usogxkecwllehaynywy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\usogxkecwllehaynywy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe

C:\Windows\tohwkulgxjgwwmht.exe

tohwkulgxjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\hgdwocxwrhicgazpbadc.exe

hgdwocxwrhicgazpbadc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\hgdwocxwrhicgazpbadc.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\awqgvgyumzxopgcpy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\usogxkecwllehaynywy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe

C:\Windows\hgdwocxwrhicgazpbadc.exe

hgdwocxwrhicgazpbadc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe .

C:\Windows\wwuohwssofhchcctggkki.exe

wwuohwssofhchcctggkki.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\wwuohwssofhchcctggkki.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe

C:\Windows\tohwkulgxjgwwmht.exe

tohwkulgxjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe .

C:\Windows\tohwkulgxjgwwmht.exe

tohwkulgxjgwwmht.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe

C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe

C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\tohwkulgxjgwwmht.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\tohwkulgxjgwwmht.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe

C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe

C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\awqgvgyumzxopgcpy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe

C:\Windows\hgdwocxwrhicgazpbadc.exe

hgdwocxwrhicgazpbadc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe .

C:\Windows\hgdwocxwrhicgazpbadc.exe

hgdwocxwrhicgazpbadc.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\hgdwocxwrhicgazpbadc.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe

C:\Windows\jgbsiunkdrqikcznxu.exe

jgbsiunkdrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe .

C:\Windows\tohwkulgxjgwwmht.exe

tohwkulgxjgwwmht.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\tohwkulgxjgwwmht.exe*."

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .

C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe

C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\wwuohwssofhchcctggkki.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\jgbsiunkdrqikcznxu.exe

jgbsiunkdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\awqgvgyumzxopgcpy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe

C:\Windows\awqgvgyumzxopgcpy.exe

awqgvgyumzxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe

C:\Windows\wwuohwssofhchcctggkki.exe

wwuohwssofhchcctggkki.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\awqgvgyumzxopgcpy.exe*."

C:\Windows\awqgvgyumzxopgcpy.exe

awqgvgyumzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe

C:\Windows\usogxkecwllehaynywy.exe

usogxkecwllehaynywy.exe .

C:\Windows\hgdwocxwrhicgazpbadc.exe

hgdwocxwrhicgazpbadc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Windows\awqgvgyumzxopgcpy.exe

awqgvgyumzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\usogxkecwllehaynywy.exe*."

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\hgdwocxwrhicgazpbadc.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\hgdwocxwrhicgazpbadc.exe

hgdwocxwrhicgazpbadc.exe

C:\Windows\awqgvgyumzxopgcpy.exe

awqgvgyumzxopgcpy.exe .

C:\Windows\awqgvgyumzxopgcpy.exe

awqgvgyumzxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .

C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe

C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\awqgvgyumzxopgcpy.exe*."

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\awqgvgyumzxopgcpy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Windows\hgdwocxwrhicgazpbadc.exe

hgdwocxwrhicgazpbadc.exe

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe

C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe

C:\Windows\wwuohwssofhchcctggkki.exe

wwuohwssofhchcctggkki.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\usogxkecwllehaynywy.exe*."

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe

C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\wwuohwssofhchcctggkki.exe*."

C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe

C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\wwuohwssofhchcctggkki.exe*."

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\wwuohwssofhchcctggkki.exe*."

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\awqgvgyumzxopgcpy.exe*."

C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe

C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\tohwkulgxjgwwmht.exe*."

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\awqgvgyumzxopgcpy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe

C:\Windows\tohwkulgxjgwwmht.exe

tohwkulgxjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\jgbsiunkdrqikcznxu.exe

jgbsiunkdrqikcznxu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\jgbsiunkdrqikcznxu.exe*."

C:\Windows\tohwkulgxjgwwmht.exe

tohwkulgxjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\jgbsiunkdrqikcznxu.exe

jgbsiunkdrqikcznxu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe

C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe

C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\jgbsiunkdrqikcznxu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\tohwkulgxjgwwmht.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe

C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe

C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\jgbsiunkdrqikcznxu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe

C:\Windows\usogxkecwllehaynywy.exe

usogxkecwllehaynywy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe .

C:\Windows\hgdwocxwrhicgazpbadc.exe

hgdwocxwrhicgazpbadc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\hgdwocxwrhicgazpbadc.exe*."

C:\Windows\tohwkulgxjgwwmht.exe

tohwkulgxjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\usogxkecwllehaynywy.exe

usogxkecwllehaynywy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\usogxkecwllehaynywy.exe*."

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\jgbsiunkdrqikcznxu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe

C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe

C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe

C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\wwuohwssofhchcctggkki.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe

C:\Windows\hgdwocxwrhicgazpbadc.exe

hgdwocxwrhicgazpbadc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe .

C:\Windows\wwuohwssofhchcctggkki.exe

wwuohwssofhchcctggkki.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\wwuohwssofhchcctggkki.exe*."

C:\Windows\usogxkecwllehaynywy.exe

usogxkecwllehaynywy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe .

C:\Windows\hgdwocxwrhicgazpbadc.exe

hgdwocxwrhicgazpbadc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe

C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe

C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\hgdwocxwrhicgazpbadc.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .

C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe

C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\wwuohwssofhchcctggkki.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .

C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe

C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\hgdwocxwrhicgazpbadc.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\wwuohwssofhchcctggkki.exe

wwuohwssofhchcctggkki.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe .

C:\Windows\awqgvgyumzxopgcpy.exe

awqgvgyumzxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\awqgvgyumzxopgcpy.exe*."

C:\Windows\awqgvgyumzxopgcpy.exe

awqgvgyumzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe .

C:\Windows\jgbsiunkdrqikcznxu.exe

jgbsiunkdrqikcznxu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe

C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe

C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\jgbsiunkdrqikcznxu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .

C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe

C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\hgdwocxwrhicgazpbadc.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\tohwkulgxjgwwmht.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe

C:\Windows\usogxkecwllehaynywy.exe

usogxkecwllehaynywy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe .

C:\Windows\usogxkecwllehaynywy.exe

usogxkecwllehaynywy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\usogxkecwllehaynywy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe

C:\Windows\jgbsiunkdrqikcznxu.exe

jgbsiunkdrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe .

C:\Windows\awqgvgyumzxopgcpy.exe

awqgvgyumzxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\awqgvgyumzxopgcpy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\jgbsiunkdrqikcznxu.exe*."

Network

Country Destination Domain Proto
US 8.8.8.8:53 whatismyip.everdot.org udp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 172.67.155.175:80 www.showmyipaddress.com tcp
US 172.67.155.175:80 www.showmyipaddress.com tcp
US 172.66.43.169:80 www.whatismyip.com tcp
US 172.66.43.169:80 www.whatismyip.com tcp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 172.66.43.169:80 www.whatismyip.com tcp
US 172.67.155.175:80 www.showmyipaddress.com tcp
US 172.66.43.169:80 www.whatismyip.com tcp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 172.67.155.175:80 www.showmyipaddress.com tcp
US 104.19.222.79:80 whatismyipaddress.com tcp
GB 157.240.214.35:80 www.facebook.com tcp
IT 93.123.86.9:23203 tcp
DE 85.214.228.140:80 gyuuym.org tcp
SG 18.142.91.111:80 unxfuild.info tcp
US 104.156.155.94:80 cydlrge.info tcp
US 69.245.157.101:30273 tcp
US 8.8.8.8:53 gsxwsgnsdfm.net udp
US 8.8.8.8:53 zgrjrexb.net udp
BG 91.139.214.253:20276 tcp
US 8.8.8.8:53 ekqqcc.org udp
US 8.8.8.8:53 dflqknsl.net udp
US 8.8.8.8:53 cupgcwpec.net udp
BG 87.121.48.227:18645 tcp
US 8.8.8.8:53 sukeymiqsogc.com udp
US 8.8.8.8:53 qqgwew.com udp
US 8.8.8.8:53 njmyupro.net udp
US 8.8.8.8:53 acnurezwh.info udp
US 8.8.8.8:53 dwpmcwemx.net udp
BG 77.76.191.142:31825 tcp
US 8.8.8.8:53 uwcuws.org udp
US 8.8.8.8:53 ekkjfgfbyf.info udp
US 8.8.8.8:53 wcugug.com udp
US 8.8.8.8:53 wipkgxsenef.info udp
LT 78.60.90.47:26746 tcp
US 8.8.8.8:53 zbnxmkjiojkt.info udp
CA 68.232.80.223:39238 tcp
US 8.8.8.8:53 wawaoiyk.com udp
US 8.8.8.8:53 dazulnj.org udp
US 8.8.8.8:53 kwtyrov.net udp
BG 77.71.43.98:28558 tcp
US 8.8.8.8:53 pqycjkwkd.info udp
US 8.8.8.8:53 lvliwxsju.net udp
BG 89.252.192.21:30518 tcp
US 8.8.8.8:53 zknshmx.net udp
US 8.8.8.8:53 bylbrlymcwwl.info udp
US 8.8.8.8:53 nzjcxyhv.info udp
MD 109.185.208.228:21375 tcp
US 8.8.8.8:53 kkiamiym.com udp
US 8.8.8.8:53 qixefwzij.net udp
LT 85.232.153.97:16140 tcp
US 8.8.8.8:53 rqlutxf.net udp
US 8.8.8.8:53 vicjjczgxif.net udp
LT 78.63.97.7:45675 tcp
US 8.8.8.8:53 byjllzwmuylz.net udp
US 8.8.8.8:53 edbotl.net udp
LT 78.59.240.39:34119 tcp
US 8.8.8.8:53 hsfspwfirsr.org udp
US 8.8.8.8:53 qyjxvcif.net udp
US 8.8.8.8:53 zdhnfmzmptc.info udp
US 8.8.8.8:53 seimkycy.org udp
LT 78.56.108.181:26764 tcp
US 8.8.8.8:53 fskeffl.info udp
US 8.8.8.8:53 xpkzrtlv.net udp
US 8.8.8.8:53 rkjyfrxybqd.net udp
BG 89.25.109.59:23813 tcp
US 8.8.8.8:53 sgdzhklkvfso.info udp
US 8.8.8.8:53 ggbfhz.info udp
US 8.8.8.8:53 dkdczgl.info udp
BG 212.233.218.98:38397 tcp
US 8.8.8.8:53 gsxrzdalt.info udp
US 8.8.8.8:53 kyeuysrbnt.info udp
US 8.8.8.8:53 qyffooarp.info udp
US 8.8.8.8:53 gnusbw.net udp
US 8.8.8.8:53 owuucyeeiwyu.com udp
BG 212.50.76.8:13875 tcp
US 8.8.8.8:53 fevpfshvp.org udp
US 8.8.8.8:53 fwokxwu.info udp
US 8.8.8.8:53 hylgpxjktx.net udp
US 8.8.8.8:53 giekgyskeiik.org udp
US 8.8.8.8:53 bavppixu.net udp
BG 212.233.218.98:38397 tcp
US 8.8.8.8:53 qiyssqigeq.com udp
US 8.8.8.8:53 zqxlmd.info udp
US 8.8.8.8:53 yofrzwf.info udp
US 8.8.8.8:53 fkgritslx.org udp
US 8.8.8.8:53 ifthpsgujm.net udp
LT 78.62.93.5:28700 tcp
US 8.8.8.8:53 eeeiusoc.com udp
LT 85.255.51.15:13558 tcp
US 8.8.8.8:53 wgcoiykyaeoe.org udp
US 8.8.8.8:53 fweoxxz.com udp
US 8.8.8.8:53 nrztjt.net udp
US 8.8.8.8:53 jntxuexoq.net udp
US 8.8.8.8:53 nfchzxla.net udp
US 8.8.8.8:53 awtrjqbmv.net udp
US 8.8.8.8:53 wadkfduaknw.info udp
US 8.8.8.8:53 osnqusdqj.net udp
US 8.8.8.8:53 bctsrdfp.net udp
US 8.8.8.8:53 ejpdqikairvo.info udp
US 8.8.8.8:53 sdzydb.info udp
US 8.8.8.8:53 aummicksog.org udp
US 8.8.8.8:53 qtnvfwaay.net udp
US 8.8.8.8:53 reprsq.info udp

Files

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

MD5 23bff39547f2d5b201693f9ad0a48638
SHA1 777e0e2133205eadab020eae72aebce000bc431e
SHA256 23d2d49d3baf0fb03c223267d2f9f00e95d3447a66fb12b9cc2ba0d31e4b936d
SHA512 f710bdcaefc281429821c0481a3225e52dda6db488fec627bf774d12c3dfbc992b1c0b428601b464e3a80058e5ae68cccd6795b0ea98b0cc8df9f7f573571bb9

C:\Windows\SysWOW64\jgbsiunkdrqikcznxu.exe

MD5 bdec6237d2f7f80e1250e09df51e3d02
SHA1 73bbd2918a981f181299342a44b8afc0e0923f7d
SHA256 a7ba2a0628020aa108b91798907146015ab98527a7b59ac8836865c6d9e1e12b
SHA512 e0c1276cabc70b4fe6c936854e10eafba6c5860824d82007c2513d408d1167611b24ae6d5fe992ce12500d6d08ace5b966535ad236bb142af5f677f0ade1af8b

C:\Users\Admin\AppData\Local\Temp\wgosv.exe

MD5 5d1aac9cdfd58a9c5dbf0f9b37604c7c
SHA1 1c7f1dd85fe87858031e152ff9bbb7830536dfce
SHA256 8d359c0eb1b03f8b7f35bb44a92758a3a911ae533c27e461bef727ecef972daf
SHA512 3a02581067f15e16b8745e7984b51b91838e8fc97ac7913fdd779e0f5b7b1038b0e4fb47a7c16046d1d13a9d1074c6dcc04e2f1d322acdb37d1b606a71ecfeae

C:\Users\Admin\AppData\Local\binooknuxvegsubztalsxyyu.ehf

MD5 53161fa6d01c965f8c3f32ace579d555
SHA1 881eeb45e6a774166cb99761845ed1c08d30c3b4
SHA256 961ca600bfddfaa7c24e39aa4e369e0ab4e7c8cd0cc3521448d1c3b8d47cac15
SHA512 02b1119efa2e22cd0f3114c6a3aef8af1a6cdf081383af16179cad4d37ad8c838b757f7bb6e77af605833d6b3cb7301eadb1acb8e758b87f3991a2ce6f784bd6

C:\Users\Admin\AppData\Local\kcsepwkcqztgdqirwokcsepwkcqztgdqirw.kcs

MD5 d06c4687b5c046575f5391ebb20e365d
SHA1 17943bdc4966f7923ad1f980ba84f76967d81a9c
SHA256 60bc580ca18eb1997cde8d3776e6c4cbbc5ffd188fbf3f305374e8e693a28a40
SHA512 6865d5eb2e69f7cb738c4ef76a798f8f7995f74bb94ffc57229dd59f5b18e1f2d6052f4ce7f69ee8fb5615111503d163e53fea2c043731d3320a955d867bdfe0

C:\Program Files (x86)\binooknuxvegsubztalsxyyu.ehf

MD5 2ab0b00262003dc4a19cc4774ff68618
SHA1 349efa365e8c716599eb1ba40a7650bccedd755d
SHA256 eeba2148afb8a456cd03c71894ce071e27469e9ee5bbbd773f2db5bf4d754f8c
SHA512 27e664dbea77200ba777cf7de51a80dad50156308ddaa3fcee760c12653afae59cf6d61718a8944b07b35be7cd381136a5c52b7cca20501d4fdd47103875149f

C:\Program Files (x86)\binooknuxvegsubztalsxyyu.ehf

MD5 1c0a2596648fcbaa109ee9ddf980a0ad
SHA1 059dbdc2ddcd11898dc3d70406cdc55cbcc9b0ee
SHA256 67a5c241a948a5db412099c4f72bdb9d2f69df6bd2cdecae8f56bf842e21b427
SHA512 c72e0f5fc9ae65adffda15b2534bfc0d4ddb35304b012d72d2374bc3d144a25c6f8277d754890479430e77ebd51c23a9814cd48546990e28bb614981752fb491

C:\Program Files (x86)\binooknuxvegsubztalsxyyu.ehf

MD5 7f27c938fa5b29231ba289d142dfc968
SHA1 a519fa249b84d3d5c4a228ecb71ccd7ebb106396
SHA256 49e4bab6a97c55ea404229dba890b688a04fed67ac3411840744bb02e6a6cda8
SHA512 cfeff3146d7c989691c2ad90888ae4dcb22f84d73190853c5ae94e68634b1b5fdf1797c1a00ee960b177656ede570ff672d18cbca6ef6a0f273ca1310e5945dc

C:\Program Files (x86)\binooknuxvegsubztalsxyyu.ehf

MD5 6a065f12f5318d17cbcd6deb19ddc23c
SHA1 f7b613ea1d90e983e17933f6777f8e6501a6b3a2
SHA256 ad060ec0f3e1142c81dcd4b8b0468140c7e2d8793659a55c68d5ce255a42091a
SHA512 5a97262a0a84e4e8aa674326fd93f48fa340702b8a3c31de23ee4bda6e5ec13186bbc006adca7a6fad3ed1759ab1d271c3f846bdcb8e731e1dc0a5fcba933066

C:\Program Files (x86)\binooknuxvegsubztalsxyyu.ehf

MD5 37063fb7e559ad67bcd57878b90bab40
SHA1 ef969d94e2e8931aeabfa7cc32444019d60e773e
SHA256 50e4a8a0dfefa125d22fbb94c4ecf850669cf76ec5117fffc80dafb0fc563658
SHA512 a777568e707bf443dc2231658117e9b36ae7b2d11d1d768fc4fb2e8f9e9c0b54e9099654d1e100c545207aedbac08ac29815dcbaa3841e408e1fe77427e7cd93

C:\Program Files (x86)\binooknuxvegsubztalsxyyu.ehf

MD5 99e43e082dbf17d1ac1a49efa9fbbf1e
SHA1 8d2c5ca5be42b670f875c76826f5a98bdd34883f
SHA256 5d6cc2976f1afd966ccdbc3cab5a2862081e6ed982aeea4728e326e9d8c4082e
SHA512 211d085c323f0371bb61c54cc43382e6c4bb8ab73fc990f08fe47f833fd42b8304cee26900b1ca4308af5c50fcddc864c617feff3ec31f11c8cbc978a09e641b

Analysis: behavioral1

Detonation Overview

Submitted

2025-04-18 11:49

Reported

2025-04-18 11:51

Platform

win10v2004-20250314-en

Max time kernel

45s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A

Pykspa

worm pykspa

Pykspa family

pykspa

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A

Detect Pykspa worm

worm
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gauwlkavmhczblxqdkcw.exe" C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kymirkujujyplp = "tmfgushbrlfbclwoagx.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kymirkujujyplp = "vqloeevrjfbzcnauiqjez.exe" C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmfgushbrlfbclwoagx.exe" C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kymirkujujyplp = "zqhgsobthzrlkraqa.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kymirkujujyplp = "iassfcqjyrkffnxoze.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kymirkujujyplp = "siywhcofsjatrxfu.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iassfcqjyrkffnxoze.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kymirkujujyplp = "siywhcofsjatrxfu.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kymirkujujyplp = "gauwlkavmhczblxqdkcw.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kymirkujujyplp = "vqloeevrjfbzcnauiqjez.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gauwlkavmhczblxqdkcw.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iassfcqjyrkffnxoze.exe" C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kymirkujujyplp = "iassfcqjyrkffnxoze.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kymirkujujyplp = "zqhgsobthzrlkraqa.exe" C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iassfcqjyrkffnxoze.exe" C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\siywhcofsjatrxfu.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vqloeevrjfbzcnauiqjez.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iassfcqjyrkffnxoze.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmfgushbrlfbclwoagx.exe" C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kymirkujujyplp = "gauwlkavmhczblxqdkcw.exe" C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kymirkujujyplp = "zqhgsobthzrlkraqa.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kymirkujujyplp = "tmfgushbrlfbclwoagx.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kymirkujujyplp = "tmfgushbrlfbclwoagx.exe" C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gauwlkavmhczblxqdkcw.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kymirkujujyplp = "siywhcofsjatrxfu.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kymirkujujyplp = "iassfcqjyrkffnxoze.exe" C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gauwlkavmhczblxqdkcw.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kymirkujujyplp = "gauwlkavmhczblxqdkcw.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iassfcqjyrkffnxoze.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kymirkujujyplp = "iassfcqjyrkffnxoze.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqhgsobthzrlkraqa.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqhgsobthzrlkraqa.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gauwlkavmhczblxqdkcw.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kymirkujujyplp = "gauwlkavmhczblxqdkcw.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqhgsobthzrlkraqa.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kymirkujujyplp = "zqhgsobthzrlkraqa.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gauwlkavmhczblxqdkcw.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vqloeevrjfbzcnauiqjez.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\siywhcofsjatrxfu.exe" C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iassfcqjyrkffnxoze.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kymirkujujyplp = "iassfcqjyrkffnxoze.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vqloeevrjfbzcnauiqjez.exe" C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqhgsobthzrlkraqa.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kymirkujujyplp = "tmfgushbrlfbclwoagx.exe" C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A

Disables RegEdit via registry modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\siywhcofsjatrxfu.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\zqhgsobthzrlkraqa.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\iassfcqjyrkffnxoze.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\vqloeevrjfbzcnauiqjez.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\iassfcqjyrkffnxoze.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\tmfgushbrlfbclwoagx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\tmfgushbrlfbclwoagx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\gauwlkavmhczblxqdkcw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\tmfgushbrlfbclwoagx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\siywhcofsjatrxfu.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\siywhcofsjatrxfu.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\siywhcofsjatrxfu.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\vqloeevrjfbzcnauiqjez.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\gauwlkavmhczblxqdkcw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\zqhgsobthzrlkraqa.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\siywhcofsjatrxfu.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\siywhcofsjatrxfu.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\zqhgsobthzrlkraqa.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\vqloeevrjfbzcnauiqjez.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\vqloeevrjfbzcnauiqjez.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\zqhgsobthzrlkraqa.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\siywhcofsjatrxfu.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\iassfcqjyrkffnxoze.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\zqhgsobthzrlkraqa.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\gauwlkavmhczblxqdkcw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\zqhgsobthzrlkraqa.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\siywhcofsjatrxfu.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\gauwlkavmhczblxqdkcw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\iassfcqjyrkffnxoze.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
N/A N/A C:\Windows\zqhgsobthzrlkraqa.exe N/A
N/A N/A C:\Windows\iassfcqjyrkffnxoze.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
N/A N/A C:\Windows\vqloeevrjfbzcnauiqjez.exe N/A
N/A N/A C:\Windows\gauwlkavmhczblxqdkcw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
N/A N/A C:\Windows\gauwlkavmhczblxqdkcw.exe N/A
N/A N/A C:\Windows\vqloeevrjfbzcnauiqjez.exe N/A
N/A N/A C:\Windows\siywhcofsjatrxfu.exe N/A
N/A N/A C:\Windows\iassfcqjyrkffnxoze.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
N/A N/A C:\Windows\vqloeevrjfbzcnauiqjez.exe N/A
N/A N/A C:\Windows\siywhcofsjatrxfu.exe N/A
N/A N/A C:\Windows\tmfgushbrlfbclwoagx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe N/A
N/A N/A C:\Windows\zqhgsobthzrlkraqa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
N/A N/A C:\Windows\iassfcqjyrkffnxoze.exe N/A
N/A N/A C:\Windows\zqhgsobthzrlkraqa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
N/A N/A C:\Windows\vqloeevrjfbzcnauiqjez.exe N/A
N/A N/A C:\Windows\iassfcqjyrkffnxoze.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
N/A N/A C:\Windows\vqloeevrjfbzcnauiqjez.exe N/A
N/A N/A C:\Windows\gauwlkavmhczblxqdkcw.exe N/A
N/A N/A C:\Windows\vqloeevrjfbzcnauiqjez.exe N/A
N/A N/A C:\Windows\siywhcofsjatrxfu.exe N/A
N/A N/A C:\Windows\iassfcqjyrkffnxoze.exe N/A
N/A N/A C:\Windows\siywhcofsjatrxfu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
N/A N/A C:\Windows\zqhgsobthzrlkraqa.exe N/A
N/A N/A C:\Windows\vqloeevrjfbzcnauiqjez.exe N/A
N/A N/A C:\Windows\tmfgushbrlfbclwoagx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ncroysdtfvldafm = "vqloeevrjfbzcnauiqjez.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kwicjaiveret = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iassfcqjyrkffnxoze.exe" C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kwicjaiveret = "iassfcqjyrkffnxoze.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kwicjaiveret = "zqhgsobthzrlkraqa.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jwjemenblzndy = "siywhcofsjatrxfu.exe ." C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\siywhcofsjatrxfu = "gauwlkavmhczblxqdkcw.exe ." C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqhgsobthzrlkraqa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gauwlkavmhczblxqdkcw.exe ." C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kwicjaiveret = "gauwlkavmhczblxqdkcw.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iassfcqjyrkffnxoze = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmfgushbrlfbclwoagx.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kwicjaiveret = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqhgsobthzrlkraqa.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kwicjaiveret = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqhgsobthzrlkraqa.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kwicjaiveret = "siywhcofsjatrxfu.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ncroysdtfvldafm = "iassfcqjyrkffnxoze.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jwjemenblzndy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gauwlkavmhczblxqdkcw.exe ." C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\siywhcofsjatrxfu = "zqhgsobthzrlkraqa.exe ." C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqhgsobthzrlkraqa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gauwlkavmhczblxqdkcw.exe ." C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iassfcqjyrkffnxoze = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vqloeevrjfbzcnauiqjez.exe" C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iassfcqjyrkffnxoze = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqhgsobthzrlkraqa.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kwicjaiveret = "vqloeevrjfbzcnauiqjez.exe" C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kwicjaiveret = "zqhgsobthzrlkraqa.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jwjemenblzndy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vqloeevrjfbzcnauiqjez.exe ." C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\siywhcofsjatrxfu = "iassfcqjyrkffnxoze.exe ." C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kwicjaiveret = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqhgsobthzrlkraqa.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\siywhcofsjatrxfu = "vqloeevrjfbzcnauiqjez.exe ." C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iassfcqjyrkffnxoze = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vqloeevrjfbzcnauiqjez.exe" C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kwicjaiveret = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iassfcqjyrkffnxoze.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqhgsobthzrlkraqa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iassfcqjyrkffnxoze.exe ." C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ncroysdtfvldafm = "vqloeevrjfbzcnauiqjez.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jwjemenblzndy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gauwlkavmhczblxqdkcw.exe ." C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\siywhcofsjatrxfu = "zqhgsobthzrlkraqa.exe ." C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iassfcqjyrkffnxoze = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iassfcqjyrkffnxoze.exe" C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kwicjaiveret = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vqloeevrjfbzcnauiqjez.exe" C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jwjemenblzndy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iassfcqjyrkffnxoze.exe ." C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jwjemenblzndy = "tmfgushbrlfbclwoagx.exe ." C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqhgsobthzrlkraqa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gauwlkavmhczblxqdkcw.exe ." C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kwicjaiveret = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gauwlkavmhczblxqdkcw.exe" C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\siywhcofsjatrxfu = "iassfcqjyrkffnxoze.exe ." C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kwicjaiveret = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqhgsobthzrlkraqa.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jwjemenblzndy = "vqloeevrjfbzcnauiqjez.exe ." C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ncroysdtfvldafm = "tmfgushbrlfbclwoagx.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iassfcqjyrkffnxoze = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqhgsobthzrlkraqa.exe" C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kwicjaiveret = "C:\\Users\\Admin\\AppData\\Local\\Temp\\siywhcofsjatrxfu.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ncroysdtfvldafm = "tmfgushbrlfbclwoagx.exe" C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jwjemenblzndy = "iassfcqjyrkffnxoze.exe ." C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqhgsobthzrlkraqa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gauwlkavmhczblxqdkcw.exe ." C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jwjemenblzndy = "siywhcofsjatrxfu.exe ." C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqhgsobthzrlkraqa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gauwlkavmhczblxqdkcw.exe ." C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\siywhcofsjatrxfu = "iassfcqjyrkffnxoze.exe ." C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iassfcqjyrkffnxoze = "C:\\Users\\Admin\\AppData\\Local\\Temp\\siywhcofsjatrxfu.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iassfcqjyrkffnxoze = "C:\\Users\\Admin\\AppData\\Local\\Temp\\siywhcofsjatrxfu.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kwicjaiveret = "tmfgushbrlfbclwoagx.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kwicjaiveret = "gauwlkavmhczblxqdkcw.exe" C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kwicjaiveret = "iassfcqjyrkffnxoze.exe" C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iassfcqjyrkffnxoze = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmfgushbrlfbclwoagx.exe" C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kwicjaiveret = "C:\\Users\\Admin\\AppData\\Local\\Temp\\siywhcofsjatrxfu.exe" C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jwjemenblzndy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqhgsobthzrlkraqa.exe ." C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jwjemenblzndy = "gauwlkavmhczblxqdkcw.exe ." C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jwjemenblzndy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmfgushbrlfbclwoagx.exe ." C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\siywhcofsjatrxfu = "gauwlkavmhczblxqdkcw.exe ." C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqhgsobthzrlkraqa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\siywhcofsjatrxfu.exe ." C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqhgsobthzrlkraqa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\siywhcofsjatrxfu.exe ." C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kwicjaiveret = "siywhcofsjatrxfu.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kwicjaiveret = "iassfcqjyrkffnxoze.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kwicjaiveret = "zqhgsobthzrlkraqa.exe" C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A

Hijack Execution Flow: Executable Installer File Permissions Weakness

defense_evasion persistence privilege_escalation
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A www.showmyipaddress.com N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A whatismyip.everdot.org N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A whatismyipaddress.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\tmfgushbrlfbclwoagx.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\mieizaspifcbfrfapysoko.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\vqloeevrjfbzcnauiqjez.exe C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
File opened for modification C:\Windows\SysWOW64\iassfcqjyrkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\vqloeevrjfbzcnauiqjez.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\zqhgsobthzrlkraqa.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\tmfgushbrlfbclwoagx.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\wwwezeabyzadlbtslywwwe.eab C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
File opened for modification C:\Windows\SysWOW64\iassfcqjyrkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\vqloeevrjfbzcnauiqjez.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\zqhgsobthzrlkraqa.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\vqloeevrjfbzcnauiqjez.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\gauwlkavmhczblxqdkcw.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\iassfcqjyrkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\siywhcofsjatrxfu.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\tmfgushbrlfbclwoagx.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\iassfcqjyrkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\tmfgushbrlfbclwoagx.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\vqloeevrjfbzcnauiqjez.exe C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
File opened for modification C:\Windows\SysWOW64\nyjciyfrzlxlefiswudozsyovhpbnbuvy.mkt C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
File opened for modification C:\Windows\SysWOW64\vqloeevrjfbzcnauiqjez.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\siywhcofsjatrxfu.exe C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
File opened for modification C:\Windows\SysWOW64\tmfgushbrlfbclwoagx.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\vqloeevrjfbzcnauiqjez.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\zqhgsobthzrlkraqa.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\tmfgushbrlfbclwoagx.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\mieizaspifcbfrfapysoko.exe C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
File opened for modification C:\Windows\SysWOW64\vqloeevrjfbzcnauiqjez.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\iassfcqjyrkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\gauwlkavmhczblxqdkcw.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\siywhcofsjatrxfu.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\iassfcqjyrkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\gauwlkavmhczblxqdkcw.exe C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
File opened for modification C:\Windows\SysWOW64\iassfcqjyrkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\tmfgushbrlfbclwoagx.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\mieizaspifcbfrfapysoko.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\gauwlkavmhczblxqdkcw.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\mieizaspifcbfrfapysoko.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\vqloeevrjfbzcnauiqjez.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\iassfcqjyrkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\gauwlkavmhczblxqdkcw.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\gauwlkavmhczblxqdkcw.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\tmfgushbrlfbclwoagx.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\gauwlkavmhczblxqdkcw.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\vqloeevrjfbzcnauiqjez.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\gauwlkavmhczblxqdkcw.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\siywhcofsjatrxfu.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\iassfcqjyrkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\iassfcqjyrkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\tmfgushbrlfbclwoagx.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\mieizaspifcbfrfapysoko.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\zqhgsobthzrlkraqa.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\siywhcofsjatrxfu.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\gauwlkavmhczblxqdkcw.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\siywhcofsjatrxfu.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\vqloeevrjfbzcnauiqjez.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\iassfcqjyrkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\gauwlkavmhczblxqdkcw.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\tmfgushbrlfbclwoagx.exe C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
File opened for modification C:\Windows\SysWOW64\vqloeevrjfbzcnauiqjez.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\iassfcqjyrkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\zqhgsobthzrlkraqa.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\zqhgsobthzrlkraqa.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\siywhcofsjatrxfu.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\wwwezeabyzadlbtslywwwe.eab C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
File created C:\Program Files (x86)\wwwezeabyzadlbtslywwwe.eab C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
File opened for modification C:\Program Files (x86)\nyjciyfrzlxlefiswudozsyovhpbnbuvy.mkt C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
File created C:\Program Files (x86)\nyjciyfrzlxlefiswudozsyovhpbnbuvy.mkt C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\tmfgushbrlfbclwoagx.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\vqloeevrjfbzcnauiqjez.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\zqhgsobthzrlkraqa.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\gauwlkavmhczblxqdkcw.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File created C:\Windows\wwwezeabyzadlbtslywwwe.eab C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
File opened for modification C:\Windows\zqhgsobthzrlkraqa.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\iassfcqjyrkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\gauwlkavmhczblxqdkcw.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\vqloeevrjfbzcnauiqjez.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\zqhgsobthzrlkraqa.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\vqloeevrjfbzcnauiqjez.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\iassfcqjyrkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\tmfgushbrlfbclwoagx.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\zqhgsobthzrlkraqa.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\siywhcofsjatrxfu.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\tmfgushbrlfbclwoagx.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\vqloeevrjfbzcnauiqjez.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\zqhgsobthzrlkraqa.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\tmfgushbrlfbclwoagx.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\siywhcofsjatrxfu.exe C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
File opened for modification C:\Windows\zqhgsobthzrlkraqa.exe C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
File opened for modification C:\Windows\gauwlkavmhczblxqdkcw.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\zqhgsobthzrlkraqa.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\siywhcofsjatrxfu.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\zqhgsobthzrlkraqa.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\vqloeevrjfbzcnauiqjez.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\tmfgushbrlfbclwoagx.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\iassfcqjyrkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\mieizaspifcbfrfapysoko.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\mieizaspifcbfrfapysoko.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\siywhcofsjatrxfu.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\mieizaspifcbfrfapysoko.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\gauwlkavmhczblxqdkcw.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\zqhgsobthzrlkraqa.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\siywhcofsjatrxfu.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File created C:\Windows\nyjciyfrzlxlefiswudozsyovhpbnbuvy.mkt C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
File opened for modification C:\Windows\vqloeevrjfbzcnauiqjez.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\iassfcqjyrkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\tmfgushbrlfbclwoagx.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\gauwlkavmhczblxqdkcw.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\iassfcqjyrkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\siywhcofsjatrxfu.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\vqloeevrjfbzcnauiqjez.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\tmfgushbrlfbclwoagx.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\tmfgushbrlfbclwoagx.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\mieizaspifcbfrfapysoko.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\iassfcqjyrkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\siywhcofsjatrxfu.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\zqhgsobthzrlkraqa.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\iassfcqjyrkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\zqhgsobthzrlkraqa.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\gauwlkavmhczblxqdkcw.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\zqhgsobthzrlkraqa.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\tmfgushbrlfbclwoagx.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\iassfcqjyrkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\mieizaspifcbfrfapysoko.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\mieizaspifcbfrfapysoko.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\mieizaspifcbfrfapysoko.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\vqloeevrjfbzcnauiqjez.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\iassfcqjyrkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\mieizaspifcbfrfapysoko.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\siywhcofsjatrxfu.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\gauwlkavmhczblxqdkcw.exe C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
File opened for modification C:\Windows\iassfcqjyrkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\iassfcqjyrkffnxoze.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\siywhcofsjatrxfu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\iassfcqjyrkffnxoze.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\tmfgushbrlfbclwoagx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\vqloeevrjfbzcnauiqjez.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\tmfgushbrlfbclwoagx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\gauwlkavmhczblxqdkcw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\iassfcqjyrkffnxoze.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\gauwlkavmhczblxqdkcw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\siywhcofsjatrxfu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\gauwlkavmhczblxqdkcw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\siywhcofsjatrxfu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\gauwlkavmhczblxqdkcw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\zqhgsobthzrlkraqa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\zqhgsobthzrlkraqa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\tmfgushbrlfbclwoagx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\gauwlkavmhczblxqdkcw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\vqloeevrjfbzcnauiqjez.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\siywhcofsjatrxfu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\siywhcofsjatrxfu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\iassfcqjyrkffnxoze.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\vqloeevrjfbzcnauiqjez.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\tmfgushbrlfbclwoagx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\vqloeevrjfbzcnauiqjez.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\siywhcofsjatrxfu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\siywhcofsjatrxfu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\siywhcofsjatrxfu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\iassfcqjyrkffnxoze.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\tmfgushbrlfbclwoagx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\siywhcofsjatrxfu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\vqloeevrjfbzcnauiqjez.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2276 wrote to memory of 5236 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
PID 2276 wrote to memory of 5236 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
PID 2276 wrote to memory of 5236 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
PID 1012 wrote to memory of 4640 N/A C:\Windows\system32\cmd.exe C:\Windows\zqhgsobthzrlkraqa.exe
PID 1012 wrote to memory of 4640 N/A C:\Windows\system32\cmd.exe C:\Windows\zqhgsobthzrlkraqa.exe
PID 1012 wrote to memory of 4640 N/A C:\Windows\system32\cmd.exe C:\Windows\zqhgsobthzrlkraqa.exe
PID 4756 wrote to memory of 4848 N/A C:\Windows\system32\cmd.exe C:\Windows\iassfcqjyrkffnxoze.exe
PID 4756 wrote to memory of 4848 N/A C:\Windows\system32\cmd.exe C:\Windows\iassfcqjyrkffnxoze.exe
PID 4756 wrote to memory of 4848 N/A C:\Windows\system32\cmd.exe C:\Windows\iassfcqjyrkffnxoze.exe
PID 4848 wrote to memory of 2884 N/A C:\Windows\iassfcqjyrkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
PID 4848 wrote to memory of 2884 N/A C:\Windows\iassfcqjyrkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
PID 4848 wrote to memory of 2884 N/A C:\Windows\iassfcqjyrkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
PID 4752 wrote to memory of 4704 N/A C:\Windows\system32\cmd.exe C:\Windows\vqloeevrjfbzcnauiqjez.exe
PID 4752 wrote to memory of 4704 N/A C:\Windows\system32\cmd.exe C:\Windows\vqloeevrjfbzcnauiqjez.exe
PID 4752 wrote to memory of 4704 N/A C:\Windows\system32\cmd.exe C:\Windows\vqloeevrjfbzcnauiqjez.exe
PID 3420 wrote to memory of 5056 N/A C:\Windows\system32\cmd.exe C:\Windows\gauwlkavmhczblxqdkcw.exe
PID 3420 wrote to memory of 5056 N/A C:\Windows\system32\cmd.exe C:\Windows\gauwlkavmhczblxqdkcw.exe
PID 3420 wrote to memory of 5056 N/A C:\Windows\system32\cmd.exe C:\Windows\gauwlkavmhczblxqdkcw.exe
PID 864 wrote to memory of 4984 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
PID 864 wrote to memory of 4984 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
PID 864 wrote to memory of 4984 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
PID 5056 wrote to memory of 5004 N/A C:\Windows\gauwlkavmhczblxqdkcw.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
PID 5056 wrote to memory of 5004 N/A C:\Windows\gauwlkavmhczblxqdkcw.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
PID 5056 wrote to memory of 5004 N/A C:\Windows\gauwlkavmhczblxqdkcw.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
PID 3068 wrote to memory of 3292 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe
PID 3068 wrote to memory of 3292 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe
PID 3068 wrote to memory of 3292 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe
PID 3292 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
PID 3292 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
PID 3292 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
PID 2184 wrote to memory of 1928 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
PID 2184 wrote to memory of 1928 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
PID 2184 wrote to memory of 1928 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
PID 6096 wrote to memory of 3452 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
PID 6096 wrote to memory of 3452 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
PID 6096 wrote to memory of 3452 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
PID 3452 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
PID 3452 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
PID 3452 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
PID 5236 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe C:\Users\Admin\AppData\Local\Temp\gmsghs.exe
PID 5236 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe C:\Users\Admin\AppData\Local\Temp\gmsghs.exe
PID 5236 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe C:\Users\Admin\AppData\Local\Temp\gmsghs.exe
PID 5236 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe C:\Users\Admin\AppData\Local\Temp\gmsghs.exe
PID 5236 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe C:\Users\Admin\AppData\Local\Temp\gmsghs.exe
PID 5236 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe C:\Users\Admin\AppData\Local\Temp\gmsghs.exe
PID 5640 wrote to memory of 944 N/A C:\Windows\system32\cmd.exe C:\Windows\gauwlkavmhczblxqdkcw.exe
PID 5640 wrote to memory of 944 N/A C:\Windows\system32\cmd.exe C:\Windows\gauwlkavmhczblxqdkcw.exe
PID 5640 wrote to memory of 944 N/A C:\Windows\system32\cmd.exe C:\Windows\gauwlkavmhczblxqdkcw.exe
PID 4236 wrote to memory of 3192 N/A C:\Windows\system32\cmd.exe C:\Windows\vqloeevrjfbzcnauiqjez.exe
PID 4236 wrote to memory of 3192 N/A C:\Windows\system32\cmd.exe C:\Windows\vqloeevrjfbzcnauiqjez.exe
PID 4236 wrote to memory of 3192 N/A C:\Windows\system32\cmd.exe C:\Windows\vqloeevrjfbzcnauiqjez.exe
PID 5864 wrote to memory of 4408 N/A C:\Windows\system32\cmd.exe C:\Windows\siywhcofsjatrxfu.exe
PID 5864 wrote to memory of 4408 N/A C:\Windows\system32\cmd.exe C:\Windows\siywhcofsjatrxfu.exe
PID 5864 wrote to memory of 4408 N/A C:\Windows\system32\cmd.exe C:\Windows\siywhcofsjatrxfu.exe
PID 1728 wrote to memory of 912 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Conhost.exe
PID 1728 wrote to memory of 912 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Conhost.exe
PID 1728 wrote to memory of 912 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Conhost.exe
PID 4408 wrote to memory of 3104 N/A C:\Windows\siywhcofsjatrxfu.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
PID 4408 wrote to memory of 3104 N/A C:\Windows\siywhcofsjatrxfu.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
PID 4408 wrote to memory of 3104 N/A C:\Windows\siywhcofsjatrxfu.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
PID 912 wrote to memory of 960 N/A C:\Windows\iassfcqjyrkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
PID 912 wrote to memory of 960 N/A C:\Windows\iassfcqjyrkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
PID 912 wrote to memory of 960 N/A C:\Windows\iassfcqjyrkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
PID 4092 wrote to memory of 224 N/A C:\Windows\system32\cmd.exe C:\Windows\vqloeevrjfbzcnauiqjez.exe

System policy modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\gmsghs.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe"

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_bdec6237d2f7f80e1250e09df51e3d02.exe*"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe

C:\Windows\zqhgsobthzrlkraqa.exe

zqhgsobthzrlkraqa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe .

C:\Windows\iassfcqjyrkffnxoze.exe

iassfcqjyrkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iassfcqjyrkffnxoze.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe .

C:\Windows\vqloeevrjfbzcnauiqjez.exe

vqloeevrjfbzcnauiqjez.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Windows\gauwlkavmhczblxqdkcw.exe

gauwlkavmhczblxqdkcw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\gauwlkavmhczblxqdkcw.exe*."

C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\siywhcofsjatrxfu.exe*."

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\gauwlkavmhczblxqdkcw.exe*."

C:\Users\Admin\AppData\Local\Temp\gmsghs.exe

"C:\Users\Admin\AppData\Local\Temp\gmsghs.exe" "-C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe"

C:\Users\Admin\AppData\Local\Temp\gmsghs.exe

"C:\Users\Admin\AppData\Local\Temp\gmsghs.exe" "-C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe

C:\Windows\gauwlkavmhczblxqdkcw.exe

gauwlkavmhczblxqdkcw.exe

C:\Windows\vqloeevrjfbzcnauiqjez.exe

vqloeevrjfbzcnauiqjez.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .

C:\Windows\iassfcqjyrkffnxoze.exe

iassfcqjyrkffnxoze.exe .

C:\Windows\siywhcofsjatrxfu.exe

siywhcofsjatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\siywhcofsjatrxfu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iassfcqjyrkffnxoze.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .

C:\Windows\vqloeevrjfbzcnauiqjez.exe

vqloeevrjfbzcnauiqjez.exe

C:\Windows\siywhcofsjatrxfu.exe

siywhcofsjatrxfu.exe .

C:\Windows\tmfgushbrlfbclwoagx.exe

tmfgushbrlfbclwoagx.exe

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe

C:\Windows\zqhgsobthzrlkraqa.exe

zqhgsobthzrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\siywhcofsjatrxfu.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\gauwlkavmhczblxqdkcw.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\zqhgsobthzrlkraqa.exe*."

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\zqhgsobthzrlkraqa.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tmfgushbrlfbclwoagx.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iassfcqjyrkffnxoze.exe*."

C:\Windows\iassfcqjyrkffnxoze.exe

iassfcqjyrkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe .

C:\Windows\zqhgsobthzrlkraqa.exe

zqhgsobthzrlkraqa.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\zqhgsobthzrlkraqa.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe .

C:\Windows\vqloeevrjfbzcnauiqjez.exe

vqloeevrjfbzcnauiqjez.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Windows\iassfcqjyrkffnxoze.exe

iassfcqjyrkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iassfcqjyrkffnxoze.exe*."

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\gauwlkavmhczblxqdkcw.exe*."

C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\zqhgsobthzrlkraqa.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\vqloeevrjfbzcnauiqjez.exe

vqloeevrjfbzcnauiqjez.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .

C:\Windows\gauwlkavmhczblxqdkcw.exe

gauwlkavmhczblxqdkcw.exe

C:\Windows\vqloeevrjfbzcnauiqjez.exe

vqloeevrjfbzcnauiqjez.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .

C:\Windows\siywhcofsjatrxfu.exe

siywhcofsjatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe

C:\Windows\iassfcqjyrkffnxoze.exe

iassfcqjyrkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe

C:\Windows\siywhcofsjatrxfu.exe

siywhcofsjatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\siywhcofsjatrxfu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\siywhcofsjatrxfu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iassfcqjyrkffnxoze.exe*."

C:\Windows\zqhgsobthzrlkraqa.exe

zqhgsobthzrlkraqa.exe

C:\Windows\vqloeevrjfbzcnauiqjez.exe

vqloeevrjfbzcnauiqjez.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Windows\tmfgushbrlfbclwoagx.exe

tmfgushbrlfbclwoagx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .

C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe

C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .

C:\Windows\gauwlkavmhczblxqdkcw.exe

gauwlkavmhczblxqdkcw.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tmfgushbrlfbclwoagx.exe*."

C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\gauwlkavmhczblxqdkcw.exe*."

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe

C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\gauwlkavmhczblxqdkcw.exe*."

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tmfgushbrlfbclwoagx.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iassfcqjyrkffnxoze.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tmfgushbrlfbclwoagx.exe*."

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .

C:\Windows\zqhgsobthzrlkraqa.exe

zqhgsobthzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\zqhgsobthzrlkraqa.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\zqhgsobthzrlkraqa.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe .

C:\Windows\iassfcqjyrkffnxoze.exe

iassfcqjyrkffnxoze.exe

C:\Windows\iassfcqjyrkffnxoze.exe

iassfcqjyrkffnxoze.exe .

C:\Windows\gauwlkavmhczblxqdkcw.exe

gauwlkavmhczblxqdkcw.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iassfcqjyrkffnxoze.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\gauwlkavmhczblxqdkcw.exe*."

C:\Windows\siywhcofsjatrxfu.exe

siywhcofsjatrxfu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Windows\iassfcqjyrkffnxoze.exe

iassfcqjyrkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iassfcqjyrkffnxoze.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\siywhcofsjatrxfu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\siywhcofsjatrxfu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe

C:\Windows\zqhgsobthzrlkraqa.exe

zqhgsobthzrlkraqa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe .

C:\Windows\gauwlkavmhczblxqdkcw.exe

gauwlkavmhczblxqdkcw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\gauwlkavmhczblxqdkcw.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .

C:\Windows\iassfcqjyrkffnxoze.exe

iassfcqjyrkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe

C:\Windows\siywhcofsjatrxfu.exe

siywhcofsjatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\siywhcofsjatrxfu.exe*."

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iassfcqjyrkffnxoze.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\siywhcofsjatrxfu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe

C:\Windows\siywhcofsjatrxfu.exe

siywhcofsjatrxfu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe .

C:\Windows\iassfcqjyrkffnxoze.exe

iassfcqjyrkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe .

C:\Windows\vqloeevrjfbzcnauiqjez.exe

vqloeevrjfbzcnauiqjez.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iassfcqjyrkffnxoze.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Windows\gauwlkavmhczblxqdkcw.exe

gauwlkavmhczblxqdkcw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\gauwlkavmhczblxqdkcw.exe*."

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\zqhgsobthzrlkraqa.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\gauwlkavmhczblxqdkcw.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\vqloeevrjfbzcnauiqjez.exe

vqloeevrjfbzcnauiqjez.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .

C:\Windows\siywhcofsjatrxfu.exe

siywhcofsjatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\siywhcofsjatrxfu.exe*."

C:\Windows\iassfcqjyrkffnxoze.exe

iassfcqjyrkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe

C:\Windows\zqhgsobthzrlkraqa.exe

zqhgsobthzrlkraqa.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .

C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe

C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\zqhgsobthzrlkraqa.exe*."

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\gauwlkavmhczblxqdkcw.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe

C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\zqhgsobthzrlkraqa.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe

C:\Windows\iassfcqjyrkffnxoze.exe

iassfcqjyrkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe

C:\Windows\tmfgushbrlfbclwoagx.exe

tmfgushbrlfbclwoagx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe .

C:\Windows\iassfcqjyrkffnxoze.exe

iassfcqjyrkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tmfgushbrlfbclwoagx.exe*."

C:\Windows\tmfgushbrlfbclwoagx.exe

tmfgushbrlfbclwoagx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tmfgushbrlfbclwoagx.exe*."

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tmfgushbrlfbclwoagx.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iassfcqjyrkffnxoze.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .

C:\Windows\tmfgushbrlfbclwoagx.exe

tmfgushbrlfbclwoagx.exe

C:\Windows\siywhcofsjatrxfu.exe

siywhcofsjatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\siywhcofsjatrxfu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe .

C:\Windows\gauwlkavmhczblxqdkcw.exe

gauwlkavmhczblxqdkcw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe

C:\Windows\gauwlkavmhczblxqdkcw.exe

gauwlkavmhczblxqdkcw.exe

C:\Windows\gauwlkavmhczblxqdkcw.exe

gauwlkavmhczblxqdkcw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .

C:\Windows\siywhcofsjatrxfu.exe

siywhcofsjatrxfu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\gauwlkavmhczblxqdkcw.exe*."

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe .

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .

C:\Windows\siywhcofsjatrxfu.exe

siywhcofsjatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\iassfcqjyrkffnxoze.exe

iassfcqjyrkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\gauwlkavmhczblxqdkcw.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\siywhcofsjatrxfu.exe*."

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Windows\siywhcofsjatrxfu.exe

siywhcofsjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iassfcqjyrkffnxoze.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .

C:\Windows\vqloeevrjfbzcnauiqjez.exe

vqloeevrjfbzcnauiqjez.exe .

C:\Windows\tmfgushbrlfbclwoagx.exe

tmfgushbrlfbclwoagx.exe

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\vqloeevrjfbzcnauiqjez.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe

C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iassfcqjyrkffnxoze.exe*."

C:\Windows\vqloeevrjfbzcnauiqjez.exe

vqloeevrjfbzcnauiqjez.exe .

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tmfgushbrlfbclwoagx.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe

C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\gauwlkavmhczblxqdkcw.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\siywhcofsjatrxfu.exe

siywhcofsjatrxfu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\vqloeevrjfbzcnauiqjez.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tmfgushbrlfbclwoagx.exe*."

C:\Windows\iassfcqjyrkffnxoze.exe

iassfcqjyrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\siywhcofsjatrxfu.exe*."

C:\Windows\tmfgushbrlfbclwoagx.exe

tmfgushbrlfbclwoagx.exe

C:\Windows\vqloeevrjfbzcnauiqjez.exe

vqloeevrjfbzcnauiqjez.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iassfcqjyrkffnxoze.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\vqloeevrjfbzcnauiqjez.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\gauwlkavmhczblxqdkcw.exe*."

C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iassfcqjyrkffnxoze.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe

C:\Windows\iassfcqjyrkffnxoze.exe

iassfcqjyrkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe .

C:\Windows\gauwlkavmhczblxqdkcw.exe

gauwlkavmhczblxqdkcw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\gauwlkavmhczblxqdkcw.exe*."

C:\Windows\gauwlkavmhczblxqdkcw.exe

gauwlkavmhczblxqdkcw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Windows\gauwlkavmhczblxqdkcw.exe

gauwlkavmhczblxqdkcw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\gauwlkavmhczblxqdkcw.exe*."

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\gauwlkavmhczblxqdkcw.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .

C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\gauwlkavmhczblxqdkcw.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe

C:\Windows\gauwlkavmhczblxqdkcw.exe

gauwlkavmhczblxqdkcw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe .

C:\Windows\vqloeevrjfbzcnauiqjez.exe

vqloeevrjfbzcnauiqjez.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\vqloeevrjfbzcnauiqjez.exe*."

C:\Windows\tmfgushbrlfbclwoagx.exe

tmfgushbrlfbclwoagx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Windows\siywhcofsjatrxfu.exe

siywhcofsjatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\siywhcofsjatrxfu.exe*."

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\gauwlkavmhczblxqdkcw.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iassfcqjyrkffnxoze.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe .

C:\Windows\vqloeevrjfbzcnauiqjez.exe

vqloeevrjfbzcnauiqjez.exe

C:\Windows\vqloeevrjfbzcnauiqjez.exe

vqloeevrjfbzcnauiqjez.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\vqloeevrjfbzcnauiqjez.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .

C:\Windows\iassfcqjyrkffnxoze.exe

iassfcqjyrkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Windows\siywhcofsjatrxfu.exe

siywhcofsjatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\siywhcofsjatrxfu.exe*."

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tmfgushbrlfbclwoagx.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tmfgushbrlfbclwoagx.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe

C:\Windows\tmfgushbrlfbclwoagx.exe

tmfgushbrlfbclwoagx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .

C:\Windows\siywhcofsjatrxfu.exe

siywhcofsjatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\siywhcofsjatrxfu.exe*."

C:\Windows\vqloeevrjfbzcnauiqjez.exe

vqloeevrjfbzcnauiqjez.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\tmfgushbrlfbclwoagx.exe

tmfgushbrlfbclwoagx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tmfgushbrlfbclwoagx.exe*."

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iassfcqjyrkffnxoze.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe .

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe

C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\vqloeevrjfbzcnauiqjez.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe

C:\Windows\tmfgushbrlfbclwoagx.exe

tmfgushbrlfbclwoagx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .

C:\Windows\siywhcofsjatrxfu.exe

siywhcofsjatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\siywhcofsjatrxfu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .

C:\Windows\tmfgushbrlfbclwoagx.exe

tmfgushbrlfbclwoagx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Windows\siywhcofsjatrxfu.exe

siywhcofsjatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\siywhcofsjatrxfu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe .

C:\Windows\zqhgsobthzrlkraqa.exe

zqhgsobthzrlkraqa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .

C:\Windows\iassfcqjyrkffnxoze.exe

iassfcqjyrkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .

C:\Windows\siywhcofsjatrxfu.exe

siywhcofsjatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\gauwlkavmhczblxqdkcw.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Windows\zqhgsobthzrlkraqa.exe

zqhgsobthzrlkraqa.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\siywhcofsjatrxfu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Windows\zqhgsobthzrlkraqa.exe

zqhgsobthzrlkraqa.exe .

C:\Windows\tmfgushbrlfbclwoagx.exe

tmfgushbrlfbclwoagx.exe

C:\Windows\vqloeevrjfbzcnauiqjez.exe

vqloeevrjfbzcnauiqjez.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\zqhgsobthzrlkraqa.exe*."

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .

C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\zqhgsobthzrlkraqa.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\vqloeevrjfbzcnauiqjez.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\zqhgsobthzrlkraqa.exe*."

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\siywhcofsjatrxfu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tmfgushbrlfbclwoagx.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tmfgushbrlfbclwoagx.exe*."

C:\Windows\siywhcofsjatrxfu.exe

siywhcofsjatrxfu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .

C:\Windows\zqhgsobthzrlkraqa.exe

zqhgsobthzrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tmfgushbrlfbclwoagx.exe*."

C:\Windows\vqloeevrjfbzcnauiqjez.exe

vqloeevrjfbzcnauiqjez.exe .

C:\Windows\iassfcqjyrkffnxoze.exe

iassfcqjyrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\zqhgsobthzrlkraqa.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\vqloeevrjfbzcnauiqjez.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tmfgushbrlfbclwoagx.exe*."

C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe

C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\gauwlkavmhczblxqdkcw.exe*."

C:\Windows\gauwlkavmhczblxqdkcw.exe

gauwlkavmhczblxqdkcw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe

C:\Windows\siywhcofsjatrxfu.exe

siywhcofsjatrxfu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe .

C:\Windows\iassfcqjyrkffnxoze.exe

iassfcqjyrkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iassfcqjyrkffnxoze.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .

C:\Windows\gauwlkavmhczblxqdkcw.exe

gauwlkavmhczblxqdkcw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe

C:\Windows\siywhcofsjatrxfu.exe

siywhcofsjatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .

C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe

C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\siywhcofsjatrxfu.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tmfgushbrlfbclwoagx.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iassfcqjyrkffnxoze.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe

C:\Windows\iassfcqjyrkffnxoze.exe

iassfcqjyrkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe .

C:\Windows\iassfcqjyrkffnxoze.exe

iassfcqjyrkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iassfcqjyrkffnxoze.exe*."

C:\Windows\iassfcqjyrkffnxoze.exe

iassfcqjyrkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe

C:\Windows\zqhgsobthzrlkraqa.exe

zqhgsobthzrlkraqa.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .

C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe

C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\zqhgsobthzrlkraqa.exe*."

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tmfgushbrlfbclwoagx.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iassfcqjyrkffnxoze.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe

C:\Windows\zqhgsobthzrlkraqa.exe

zqhgsobthzrlkraqa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\tmfgushbrlfbclwoagx.exe

tmfgushbrlfbclwoagx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tmfgushbrlfbclwoagx.exe*."

C:\Windows\gauwlkavmhczblxqdkcw.exe

gauwlkavmhczblxqdkcw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Windows\iassfcqjyrkffnxoze.exe

iassfcqjyrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iassfcqjyrkffnxoze.exe*."

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\gauwlkavmhczblxqdkcw.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\gauwlkavmhczblxqdkcw.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe

C:\Windows\vqloeevrjfbzcnauiqjez.exe

vqloeevrjfbzcnauiqjez.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe .

C:\Windows\iassfcqjyrkffnxoze.exe

iassfcqjyrkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iassfcqjyrkffnxoze.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe .

C:\Windows\vqloeevrjfbzcnauiqjez.exe

vqloeevrjfbzcnauiqjez.exe

C:\Windows\gauwlkavmhczblxqdkcw.exe

gauwlkavmhczblxqdkcw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\gauwlkavmhczblxqdkcw.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\gauwlkavmhczblxqdkcw.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\zqhgsobthzrlkraqa.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe

C:\Windows\zqhgsobthzrlkraqa.exe

zqhgsobthzrlkraqa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe .

C:\Windows\gauwlkavmhczblxqdkcw.exe

gauwlkavmhczblxqdkcw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\gauwlkavmhczblxqdkcw.exe*."

C:\Windows\gauwlkavmhczblxqdkcw.exe

gauwlkavmhczblxqdkcw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Windows\vqloeevrjfbzcnauiqjez.exe

vqloeevrjfbzcnauiqjez.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\vqloeevrjfbzcnauiqjez.exe*."

C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\siywhcofsjatrxfu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\zqhgsobthzrlkraqa.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe

C:\Windows\iassfcqjyrkffnxoze.exe

iassfcqjyrkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe .

C:\Windows\vqloeevrjfbzcnauiqjez.exe

vqloeevrjfbzcnauiqjez.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe

C:\Windows\zqhgsobthzrlkraqa.exe

zqhgsobthzrlkraqa.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe

C:\Windows\gauwlkavmhczblxqdkcw.exe

gauwlkavmhczblxqdkcw.exe

C:\Windows\siywhcofsjatrxfu.exe

siywhcofsjatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\zqhgsobthzrlkraqa.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\siywhcofsjatrxfu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\tmfgushbrlfbclwoagx.exe

tmfgushbrlfbclwoagx.exe

C:\Windows\vqloeevrjfbzcnauiqjez.exe

vqloeevrjfbzcnauiqjez.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .

C:\Windows\gauwlkavmhczblxqdkcw.exe

gauwlkavmhczblxqdkcw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Windows\tmfgushbrlfbclwoagx.exe

tmfgushbrlfbclwoagx.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\iassfcqjyrkffnxoze.exe

iassfcqjyrkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\gauwlkavmhczblxqdkcw.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iassfcqjyrkffnxoze.exe*."

C:\Windows\iassfcqjyrkffnxoze.exe

iassfcqjyrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe

C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tmfgushbrlfbclwoagx.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tmfgushbrlfbclwoagx.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tmfgushbrlfbclwoagx.exe*."

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .

C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tmfgushbrlfbclwoagx.exe*."

C:\Windows\siywhcofsjatrxfu.exe

siywhcofsjatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\siywhcofsjatrxfu.exe*."

C:\Windows\gauwlkavmhczblxqdkcw.exe

gauwlkavmhczblxqdkcw.exe

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\zqhgsobthzrlkraqa.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\zqhgsobthzrlkraqa.exe*."

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .

C:\Windows\gauwlkavmhczblxqdkcw.exe

gauwlkavmhczblxqdkcw.exe .

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\zqhgsobthzrlkraqa.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\gauwlkavmhczblxqdkcw.exe*."

C:\Windows\zqhgsobthzrlkraqa.exe

zqhgsobthzrlkraqa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Windows\tmfgushbrlfbclwoagx.exe

tmfgushbrlfbclwoagx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tmfgushbrlfbclwoagx.exe*."

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iassfcqjyrkffnxoze.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe .

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe

C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\vqloeevrjfbzcnauiqjez.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe

C:\Windows\gauwlkavmhczblxqdkcw.exe

gauwlkavmhczblxqdkcw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe .

C:\Windows\vqloeevrjfbzcnauiqjez.exe

vqloeevrjfbzcnauiqjez.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\vqloeevrjfbzcnauiqjez.exe*."

C:\Windows\zqhgsobthzrlkraqa.exe

zqhgsobthzrlkraqa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Windows\tmfgushbrlfbclwoagx.exe

tmfgushbrlfbclwoagx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tmfgushbrlfbclwoagx.exe*."

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iassfcqjyrkffnxoze.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\zqhgsobthzrlkraqa.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe

C:\Windows\gauwlkavmhczblxqdkcw.exe

gauwlkavmhczblxqdkcw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe .

C:\Windows\zqhgsobthzrlkraqa.exe

zqhgsobthzrlkraqa.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\zqhgsobthzrlkraqa.exe*."

C:\Windows\zqhgsobthzrlkraqa.exe

zqhgsobthzrlkraqa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe

C:\Windows\iassfcqjyrkffnxoze.exe

iassfcqjyrkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iassfcqjyrkffnxoze.exe*."

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\zqhgsobthzrlkraqa.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iassfcqjyrkffnxoze.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe

C:\Windows\vqloeevrjfbzcnauiqjez.exe

vqloeevrjfbzcnauiqjez.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe .

C:\Windows\zqhgsobthzrlkraqa.exe

zqhgsobthzrlkraqa.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\zqhgsobthzrlkraqa.exe*."

C:\Windows\iassfcqjyrkffnxoze.exe

iassfcqjyrkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\vqloeevrjfbzcnauiqjez.exe

vqloeevrjfbzcnauiqjez.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\vqloeevrjfbzcnauiqjez.exe*."

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\zqhgsobthzrlkraqa.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iassfcqjyrkffnxoze.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe

C:\Windows\zqhgsobthzrlkraqa.exe

zqhgsobthzrlkraqa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe .

C:\Windows\tmfgushbrlfbclwoagx.exe

tmfgushbrlfbclwoagx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tmfgushbrlfbclwoagx.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe .

C:\Windows\vqloeevrjfbzcnauiqjez.exe

vqloeevrjfbzcnauiqjez.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\zqhgsobthzrlkraqa.exe

zqhgsobthzrlkraqa.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\zqhgsobthzrlkraqa.exe*."

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tmfgushbrlfbclwoagx.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe .

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe

C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\vqloeevrjfbzcnauiqjez.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe

C:\Windows\siywhcofsjatrxfu.exe

siywhcofsjatrxfu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .

C:\Windows\siywhcofsjatrxfu.exe

siywhcofsjatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\siywhcofsjatrxfu.exe*."

C:\Windows\iassfcqjyrkffnxoze.exe

iassfcqjyrkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe

C:\Windows\gauwlkavmhczblxqdkcw.exe

gauwlkavmhczblxqdkcw.exe .

C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe

C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\gauwlkavmhczblxqdkcw.exe*."

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iassfcqjyrkffnxoze.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe

C:\Windows\vqloeevrjfbzcnauiqjez.exe

vqloeevrjfbzcnauiqjez.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe .

C:\Windows\tmfgushbrlfbclwoagx.exe

tmfgushbrlfbclwoagx.exe

C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .

C:\Windows\zqhgsobthzrlkraqa.exe

zqhgsobthzrlkraqa.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe

C:\Windows\siywhcofsjatrxfu.exe

siywhcofsjatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\siywhcofsjatrxfu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\zqhgsobthzrlkraqa.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\siywhcofsjatrxfu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Windows\iassfcqjyrkffnxoze.exe

iassfcqjyrkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .

C:\Windows\tmfgushbrlfbclwoagx.exe

tmfgushbrlfbclwoagx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe

C:\Windows\vqloeevrjfbzcnauiqjez.exe

vqloeevrjfbzcnauiqjez.exe .

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .

C:\Windows\vqloeevrjfbzcnauiqjez.exe

vqloeevrjfbzcnauiqjez.exe .

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\vqloeevrjfbzcnauiqjez.exe*."

C:\Windows\tmfgushbrlfbclwoagx.exe

tmfgushbrlfbclwoagx.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tmfgushbrlfbclwoagx.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\vqloeevrjfbzcnauiqjez.exe*."

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe .

C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe

C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\gauwlkavmhczblxqdkcw.exe

gauwlkavmhczblxqdkcw.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iassfcqjyrkffnxoze.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe .

C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe

C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe .

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Windows\iassfcqjyrkffnxoze.exe

iassfcqjyrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\gauwlkavmhczblxqdkcw.exe*."

C:\Windows\gauwlkavmhczblxqdkcw.exe

gauwlkavmhczblxqdkcw.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\gauwlkavmhczblxqdkcw.exe*."

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\gauwlkavmhczblxqdkcw.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\vqloeevrjfbzcnauiqjez.exe*."

C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe

C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\vqloeevrjfbzcnauiqjez.exe*."

C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe

C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\zqhgsobthzrlkraqa.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe

C:\Windows\zqhgsobthzrlkraqa.exe

zqhgsobthzrlkraqa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe .

C:\Windows\zqhgsobthzrlkraqa.exe

zqhgsobthzrlkraqa.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\zqhgsobthzrlkraqa.exe*."

C:\Windows\gauwlkavmhczblxqdkcw.exe

gauwlkavmhczblxqdkcw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Windows\zqhgsobthzrlkraqa.exe

zqhgsobthzrlkraqa.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\zqhgsobthzrlkraqa.exe*."

C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\siywhcofsjatrxfu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tmfgushbrlfbclwoagx.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe

C:\Windows\tmfgushbrlfbclwoagx.exe

tmfgushbrlfbclwoagx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe .

C:\Windows\zqhgsobthzrlkraqa.exe

zqhgsobthzrlkraqa.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\zqhgsobthzrlkraqa.exe*."

C:\Windows\zqhgsobthzrlkraqa.exe

zqhgsobthzrlkraqa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Windows\siywhcofsjatrxfu.exe

siywhcofsjatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\siywhcofsjatrxfu.exe*."

C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\siywhcofsjatrxfu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe .

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe

C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\vqloeevrjfbzcnauiqjez.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe

C:\Windows\siywhcofsjatrxfu.exe

siywhcofsjatrxfu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe .

C:\Windows\zqhgsobthzrlkraqa.exe

zqhgsobthzrlkraqa.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\zqhgsobthzrlkraqa.exe*."

C:\Windows\tmfgushbrlfbclwoagx.exe

tmfgushbrlfbclwoagx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe .

C:\Windows\iassfcqjyrkffnxoze.exe

iassfcqjyrkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iassfcqjyrkffnxoze.exe*."

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\zqhgsobthzrlkraqa.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\zqhgsobthzrlkraqa.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe .

C:\Windows\siywhcofsjatrxfu.exe

siywhcofsjatrxfu.exe

C:\Windows\zqhgsobthzrlkraqa.exe

zqhgsobthzrlkraqa.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\zqhgsobthzrlkraqa.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\tmfgushbrlfbclwoagx.exe

tmfgushbrlfbclwoagx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe

C:\Windows\siywhcofsjatrxfu.exe

siywhcofsjatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe

C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\siywhcofsjatrxfu.exe*."

C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\siywhcofsjatrxfu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iassfcqjyrkffnxoze.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\iassfcqjyrkffnxoze.exe

iassfcqjyrkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe .

C:\Windows\gauwlkavmhczblxqdkcw.exe

gauwlkavmhczblxqdkcw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\gauwlkavmhczblxqdkcw.exe*."

C:\Windows\zqhgsobthzrlkraqa.exe

zqhgsobthzrlkraqa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Windows\tmfgushbrlfbclwoagx.exe

tmfgushbrlfbclwoagx.exe .

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tmfgushbrlfbclwoagx.exe*."

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iassfcqjyrkffnxoze.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .

C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe

C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tmfgushbrlfbclwoagx.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe

C:\Windows\siywhcofsjatrxfu.exe

siywhcofsjatrxfu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe .

C:\Windows\tmfgushbrlfbclwoagx.exe

tmfgushbrlfbclwoagx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tmfgushbrlfbclwoagx.exe*."

C:\Windows\siywhcofsjatrxfu.exe

siywhcofsjatrxfu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe

C:\Windows\zqhgsobthzrlkraqa.exe

zqhgsobthzrlkraqa.exe .

C:\Windows\vqloeevrjfbzcnauiqjez.exe

vqloeevrjfbzcnauiqjez.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\zqhgsobthzrlkraqa.exe*."

C:\Windows\iassfcqjyrkffnxoze.exe

iassfcqjyrkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .

C:\Windows\vqloeevrjfbzcnauiqjez.exe

vqloeevrjfbzcnauiqjez.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe

C:\Windows\siywhcofsjatrxfu.exe

siywhcofsjatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iassfcqjyrkffnxoze.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\vqloeevrjfbzcnauiqjez.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Windows\zqhgsobthzrlkraqa.exe

zqhgsobthzrlkraqa.exe

C:\Windows\iassfcqjyrkffnxoze.exe

iassfcqjyrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\siywhcofsjatrxfu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .

C:\Windows\tmfgushbrlfbclwoagx.exe

tmfgushbrlfbclwoagx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iassfcqjyrkffnxoze.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe

C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Windows\gauwlkavmhczblxqdkcw.exe

gauwlkavmhczblxqdkcw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe

C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe .

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\gauwlkavmhczblxqdkcw.exe*."

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe

C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\siywhcofsjatrxfu.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\vqloeevrjfbzcnauiqjez.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iassfcqjyrkffnxoze.exe*."

C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 whatismyipaddress.com udp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 8.8.8.8:53 www.showmyipaddress.com udp
US 172.67.155.175:80 www.showmyipaddress.com tcp
US 172.67.155.175:80 www.showmyipaddress.com tcp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 8.8.8.8:53 www.whatismyip.com udp
US 172.66.43.169:80 www.whatismyip.com tcp
US 172.67.155.175:80 www.showmyipaddress.com tcp
US 8.8.8.8:53 www.whatismyip.ca udp
US 8.8.8.8:53 whatismyip.everdot.org udp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 8.8.8.8:53 www.whatismyip.ca udp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 172.67.155.175:80 www.showmyipaddress.com tcp
US 172.67.155.175:80 www.showmyipaddress.com tcp
US 8.8.8.8:53 www.whatismyip.ca udp
US 172.67.155.175:80 www.showmyipaddress.com tcp
US 172.66.43.169:80 www.whatismyip.com tcp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 8.8.8.8:53 www.youtube.com udp
NL 142.251.31.91:80 www.youtube.com tcp
LT 86.100.209.26:16121 tcp
US 8.8.8.8:53 gyuuym.org udp
DE 85.214.228.140:80 gyuuym.org tcp
US 8.8.8.8:53 sehciwrxa.net udp
US 8.8.8.8:53 zvwhmmgiwwap.net udp
US 8.8.8.8:53 tcjqkah.info udp
US 8.8.8.8:53 unxfuild.info udp
SG 18.142.91.111:80 unxfuild.info tcp
US 8.8.8.8:53 oxzmxjbdyrhm.info udp
US 8.8.8.8:53 pplxtdbmwxe.org udp
US 8.8.8.8:53 zufoqnzxtstt.net udp
US 8.8.8.8:53 qimyei.com udp
US 8.8.8.8:53 ggoiukqgsikq.org udp
US 8.8.8.8:53 nchsnuj.org udp
US 8.8.8.8:53 aytqtwnyowi.info udp
US 8.8.8.8:53 bqjkcdhsdbbk.info udp
US 8.8.8.8:53 iiagyq.org udp
US 8.8.8.8:53 nrarfhhvdwlq.info udp
US 8.8.8.8:53 udzdjiddn.net udp
US 8.8.8.8:53 fffglbh.org udp
US 8.8.8.8:53 ygoukmwg.org udp
US 8.8.8.8:53 ohnxfkbt.info udp
US 8.8.8.8:53 jijfynbapk.info udp
US 8.8.8.8:53 sxtwlvlgg.net udp
US 8.8.8.8:53 vlmcopxk.info udp
US 8.8.8.8:53 cydlrge.info udp
US 104.156.155.94:80 cydlrge.info tcp
US 8.8.8.8:53 ksokymqagy.com udp
US 8.8.8.8:53 mjotpzfbosdh.info udp
US 8.8.8.8:53 vimmentvkjot.net udp
US 8.8.8.8:53 zwkgfgp.com udp
US 8.8.8.8:53 rrjohmhr.net udp
US 8.8.8.8:53 znvxpaelzat.info udp
US 8.8.8.8:53 bglhzv.net udp
US 8.8.8.8:53 kkococsmug.org udp
US 8.8.8.8:53 luvehemiri.info udp
US 8.8.8.8:53 kakuwkugok.org udp
US 8.8.8.8:53 lalckpw.org udp
US 8.8.8.8:53 kagmau.com udp
US 8.8.8.8:53 hmfurcniz.info udp
US 8.8.8.8:53 cnbscgxaiuv.info udp
US 8.8.8.8:53 cslbnypi.info udp
US 8.8.8.8:53 geaxvu.info udp
LT 78.58.37.209:13159 tcp
US 8.8.8.8:53 ekuhrilkd.info udp
US 8.8.8.8:53 ddpobim.org udp
US 8.8.8.8:53 jkdxjkzn.net udp
US 8.8.8.8:53 wsvoqtlyz.info udp
US 8.8.8.8:53 misiai.org udp
US 8.8.8.8:53 wcbrovxplcly.info udp
US 8.8.8.8:53 bfvanhve.info udp
US 8.8.8.8:53 nkxwhoehboh.net udp
US 8.8.8.8:53 ewhqxezcwwc.net udp
US 8.8.8.8:53 gujgzm.net udp
US 8.8.8.8:53 rblrzc.net udp
US 8.8.8.8:53 umuyiw.com udp
US 8.8.8.8:53 yoaoooewyeeo.com udp
US 8.8.8.8:53 rblwbk.info udp
US 8.8.8.8:53 hfpefw.net udp
US 8.8.8.8:53 wetokypar.info udp
US 8.8.8.8:53 mdhpuesj.net udp
US 8.8.8.8:53 fppdru.net udp
US 8.8.8.8:53 ccltlgp.info udp
US 8.8.8.8:53 mtvihkf.info udp
US 8.8.8.8:53 dqjrswwie.com udp
US 8.8.8.8:53 eogunlgw.net udp
US 8.8.8.8:53 ezyqglow.info udp
US 8.8.8.8:53 sdrqtcj.net udp
US 8.8.8.8:53 hbeqvpxbfvbo.net udp
US 8.8.8.8:53 vrxmprngmlhk.net udp
US 8.8.8.8:53 oumoigky.org udp
US 8.8.8.8:53 wlyuexf.net udp
US 8.8.8.8:53 eznabol.net udp
US 8.8.8.8:53 sxhrtgobgqfq.net udp
US 8.8.8.8:53 dynsrc.info udp
US 8.8.8.8:53 oabxja.net udp
US 8.8.8.8:53 klqmnybibg.net udp
US 8.8.8.8:53 wauclzddea.info udp
US 8.8.8.8:53 clhwhr.info udp
US 8.8.8.8:53 lyxmnybibg.info udp
US 8.8.8.8:53 dsbcpqdgmsx.net udp
US 8.8.8.8:53 ixhajic.net udp
US 8.8.8.8:53 suzwveb.net udp
US 8.8.8.8:53 dkouvubcpovf.info udp
US 8.8.8.8:53 tlhfmxplxszg.info udp
US 8.8.8.8:53 zuahvvfwncp.info udp
US 8.8.8.8:53 unxyhnhfacdb.info udp
US 8.8.8.8:53 kgrhjfmtlg.info udp
US 8.8.8.8:53 xolodqwajgg.net udp
US 8.8.8.8:53 jnfebdsaxkd.com udp
US 8.8.8.8:53 xyvmqzpiiw.net udp
US 8.8.8.8:53 aozejwylyqd.info udp
US 8.8.8.8:53 dqfhrafr.net udp
US 8.8.8.8:53 kgucribs.info udp
US 8.8.8.8:53 wnurqy.info udp
US 8.8.8.8:53 zizvduhjtq.net udp
US 8.8.8.8:53 zyfitez.info udp
US 8.8.8.8:53 pqhykuojyir.com udp
US 8.8.8.8:53 gkcaei.com udp
US 8.8.8.8:53 rxcgrgxo.info udp
US 8.8.8.8:53 leqdurjb.net udp
US 8.8.8.8:53 copncsxew.info udp
US 8.8.8.8:53 hofoxnlshhmp.net udp
US 8.8.8.8:53 vxuyrcqa.net udp
US 8.8.8.8:53 bajkjmlkl.info udp
BG 77.85.226.99:18761 tcp
US 8.8.8.8:53 yimotcl.net udp
US 8.8.8.8:53 dptefrxm.net udp
US 8.8.8.8:53 acmocycw.org udp
US 8.8.8.8:53 dxikspgshgbk.info udp
US 8.8.8.8:53 flnxsigobz.info udp
US 8.8.8.8:53 nlgcgvzaqfqg.info udp
US 8.8.8.8:53 scjqfcl.info udp
US 8.8.8.8:53 zmrzskzepnvo.net udp
US 8.8.8.8:53 lgmwshpwdp.net udp
US 8.8.8.8:53 xchkvpat.net udp
US 8.8.8.8:53 skggci.org udp
US 8.8.8.8:53 tcnfkvvbkr.net udp
US 8.8.8.8:53 yqkcuqwwiqic.com udp
US 8.8.8.8:53 bbfwtqcizj.info udp
US 8.8.8.8:53 zgrjrexb.net udp
US 8.8.8.8:53 agvwme.info udp
US 8.8.8.8:53 bozztmkzgh.info udp
US 8.8.8.8:53 eeueccewmeem.com udp
US 8.8.8.8:53 hgjmdwt.info udp
US 8.8.8.8:53 yemmhoaqcgu.info udp
US 8.8.8.8:53 vytvvat.org udp
US 8.8.8.8:53 elpsmjwcqdrk.net udp
US 8.8.8.8:53 civitlujb.net udp
US 8.8.8.8:53 gthoprfe.net udp
US 8.8.8.8:53 lnjvbpkc.net udp
US 8.8.8.8:53 ydzppbxyb.net udp
US 8.8.8.8:53 urlktaykf.info udp
US 8.8.8.8:53 kqdynkkicln.info udp
US 8.8.8.8:53 vlpxze.info udp
US 8.8.8.8:53 aegcig.com udp
US 8.8.8.8:53 zavcxy.info udp
US 8.8.8.8:53 ekrkjmba.info udp
US 8.8.8.8:53 skywyumxq.net udp
US 8.8.8.8:53 sodurdwmwwl.net udp
US 8.8.8.8:53 znzsjqslxcgg.net udp
US 8.8.8.8:53 gscwqw.com udp
US 8.8.8.8:53 egsmyysc.org udp
US 8.8.8.8:53 ztmwrwta.net udp
US 8.8.8.8:53 aaekcqagga.org udp
US 8.8.8.8:53 nshdioh.net udp
US 8.8.8.8:53 ojxplpnq.net udp
US 8.8.8.8:53 ekqqcc.org udp
US 8.8.8.8:53 emwauogimiqe.org udp
US 8.8.8.8:53 samiaai.net udp
US 8.8.8.8:53 biuhxczojm.info udp
LT 81.7.89.221:35922 tcp
US 8.8.8.8:53 zvpaml.net udp
US 8.8.8.8:53 dmpttocxeg.info udp
US 8.8.8.8:53 dwfkeogzvhjn.info udp
US 8.8.8.8:53 genixiporuz.net udp
US 8.8.8.8:53 egxuhfgou.info udp
US 8.8.8.8:53 hvfwdgd.info udp
US 8.8.8.8:53 dflqknsl.net udp
US 8.8.8.8:53 bjfsfiztdka.net udp
US 8.8.8.8:53 qtgqqinahbp.info udp
US 8.8.8.8:53 jmhitynsj.net udp
US 8.8.8.8:53 dahtliaj.net udp
US 8.8.8.8:53 forxzgh.info udp
US 8.8.8.8:53 vsbejpyc.net udp
US 8.8.8.8:53 xskfka.info udp
US 8.8.8.8:53 tcvuvhjwh.info udp
US 8.8.8.8:53 qsoknmnfjlzf.info udp
US 8.8.8.8:53 ygiywk.com udp
US 8.8.8.8:53 sobigdv.info udp
US 8.8.8.8:53 scoywommwkse.com udp
US 8.8.8.8:53 zuryddduf.com udp
US 8.8.8.8:53 gintmwcfhdz.info udp
US 8.8.8.8:53 jubvpax.info udp
US 8.8.8.8:53 hkpcjvjnvcb.info udp
US 8.8.8.8:53 owwkussqmqoq.org udp
US 8.8.8.8:53 yivymd.net udp
US 8.8.8.8:53 paurpzscia.info udp
US 8.8.8.8:53 aknsgwkcl.net udp
US 8.8.8.8:53 wcimsg.org udp
US 8.8.8.8:53 eewqmwso.com udp
US 8.8.8.8:53 orpxsexyh.info udp
US 8.8.8.8:53 gmcwscqwaaas.com udp
US 8.8.8.8:53 dyhytonij.com udp
US 8.8.8.8:53 ecbwysbz.info udp
US 8.8.8.8:53 nrtqaxuvsp.info udp
US 8.8.8.8:53 mhnkngexjb.info udp
US 8.8.8.8:53 njmyupro.net udp
US 8.8.8.8:53 sgukossswawk.org udp
US 8.8.8.8:53 ugxyozirf.net udp
US 8.8.8.8:53 ruzweolcr.org udp
US 8.8.8.8:53 riaxtjzzxwke.net udp
US 8.8.8.8:53 xrpwmsl.info udp
US 8.8.8.8:53 zghamis.net udp
US 8.8.8.8:53 ytkmqlxm.info udp
US 8.8.8.8:53 hmwutyrzvjq.info udp
US 8.8.8.8:53 oaaqbkcdjxx.info udp
US 8.8.8.8:53 midhaztyfunq.info udp
US 8.8.8.8:53 nipcbhgzdsjj.net udp
US 8.8.8.8:53 ezxcjtvhqaf.net udp
US 8.8.8.8:53 iusioomq.org udp
US 8.8.8.8:53 gkweqo.org udp
US 8.8.8.8:53 zhsolezzrm.net udp
US 8.8.8.8:53 iwqqwkeaogwm.com udp
US 8.8.8.8:53 norfab.info udp
US 8.8.8.8:53 wcsbrpz.net udp
US 8.8.8.8:53 dbiokrlu.net udp
US 8.8.8.8:53 popthjxbeny.info udp
US 8.8.8.8:53 couimmoc.com udp
US 8.8.8.8:53 olvkdumqgq.info udp
US 8.8.8.8:53 uwcuws.org udp
US 8.8.8.8:53 jiaihlx.com udp
US 8.8.8.8:53 gckzqp.info udp
US 8.8.8.8:53 azlfou.info udp
US 8.8.8.8:53 yuckeeckwu.com udp
BG 89.106.97.91:42152 tcp
US 8.8.8.8:53 vtwblsrkx.com udp
US 8.8.8.8:53 vtlhxlifz.com udp
US 8.8.8.8:53 umyicieyee.org udp
US 8.8.8.8:53 relcbiihawnj.info udp
US 8.8.8.8:53 doamvcjut.com udp
US 8.8.8.8:53 qfndzq.net udp
US 8.8.8.8:53 vcsuct.net udp
US 8.8.8.8:53 oyvscxkylev.info udp
US 8.8.8.8:53 tknsxkyox.org udp
US 8.8.8.8:53 hswuogrpnch.org udp
US 8.8.8.8:53 jjniskc.net udp
US 8.8.8.8:53 fsyczawoha.info udp
US 8.8.8.8:53 uoxcqdb.info udp
US 8.8.8.8:53 dqnhjkjgasf.com udp
US 8.8.8.8:53 xgkoesnqhqn.info udp
US 8.8.8.8:53 atkzfclhbift.info udp
US 8.8.8.8:53 xtdoosxyrmf.net udp
US 8.8.8.8:53 scrtoyzur.net udp
US 8.8.8.8:53 acyqkcqoko.org udp
US 8.8.8.8:53 dwhogmf.net udp
US 8.8.8.8:53 wueysyqiyg.org udp
US 8.8.8.8:53 itwwovfpb.net udp
US 8.8.8.8:53 rwzwjlfb.info udp
US 8.8.8.8:53 zvckwl.info udp
US 8.8.8.8:53 vxdtqmkmgwdh.info udp
US 8.8.8.8:53 jjrefkv.net udp
US 8.8.8.8:53 wipkgxsenef.info udp
US 8.8.8.8:53 wgieme.org udp
US 8.8.8.8:53 erfohgc.info udp
US 8.8.8.8:53 aquawwwoseec.org udp
US 8.8.8.8:53 kjskvzf.info udp
US 8.8.8.8:53 lzbjkx.info udp
US 8.8.8.8:53 xbahfcdypbh.info udp
US 8.8.8.8:53 bqpgwt.info udp
US 8.8.8.8:53 hyrztykhp.com udp
US 8.8.8.8:53 blriytvijot.com udp
US 8.8.8.8:53 gihuzdjfx.info udp
US 8.8.8.8:53 tahcpxf.info udp
US 8.8.8.8:53 iqcozon.net udp
US 8.8.8.8:53 kyilnx.net udp
US 8.8.8.8:53 fkfoblhtect.net udp
US 8.8.8.8:53 dgkare.info udp
US 8.8.8.8:53 gaufzuhtlm.net udp
US 8.8.8.8:53 esghdplg.net udp
US 8.8.8.8:53 rwlaxbv.net udp
US 8.8.8.8:53 gaqkygwq.org udp
US 8.8.8.8:53 pltmczynl.info udp
US 8.8.8.8:53 ntglts.net udp
US 8.8.8.8:53 bwnyduw.info udp
US 8.8.8.8:53 ogghlyuavuxz.net udp
US 8.8.8.8:53 vhtjmkpo.info udp
LT 78.62.154.180:42294 tcp
US 8.8.8.8:53 mmsvfey.net udp
US 8.8.8.8:53 eaykigwi.org udp
US 8.8.8.8:53 zyguunjincn.net udp
US 8.8.8.8:53 cnzlnepvveyh.info udp
US 8.8.8.8:53 jrbulad.info udp
US 8.8.8.8:53 lgtddzvs.info udp
US 8.8.8.8:53 bpzorpfuhtf.org udp
US 8.8.8.8:53 kekuimesam.com udp
US 8.8.8.8:53 rjttjryk.info udp
US 8.8.8.8:53 mqmchqvgb.info udp
US 8.8.8.8:53 bkngmvgi.net udp
US 8.8.8.8:53 fxjgxcddmqwh.info udp
US 8.8.8.8:53 otrncozw.info udp
US 8.8.8.8:53 hojlimfu.info udp
US 8.8.8.8:53 bdbpdxxapwo.net udp
US 8.8.8.8:53 bqdindvszcl.com udp
US 8.8.8.8:53 fkfsxmj.info udp
US 8.8.8.8:53 lynmqmisexnf.info udp
US 8.8.8.8:53 jjpyrgbgtoa.com udp
US 8.8.8.8:53 jvibdsjkch.net udp
US 8.8.8.8:53 azxqxmzepfz.net udp
US 8.8.8.8:53 nfjxxn.info udp
US 8.8.8.8:53 lwqnpvuu.net udp
US 8.8.8.8:53 xcxooibqtch.info udp
US 8.8.8.8:53 dykwknvmdfdj.info udp
US 8.8.8.8:53 awlplgukhmu.net udp
US 8.8.8.8:53 bbquoh.net udp
US 8.8.8.8:53 wawaoiyk.com udp
US 8.8.8.8:53 fednxrvm.info udp
US 8.8.8.8:53 citroy.info udp
US 8.8.8.8:53 bugihxnxrdoh.net udp
US 8.8.8.8:53 drjqqqjvbd.info udp
US 8.8.8.8:53 kxyuozlwmlhj.info udp
US 8.8.8.8:53 lczoradauoz.net udp
US 8.8.8.8:53 twynxgrbf.info udp
US 8.8.8.8:53 natyybmfc.org udp
US 8.8.8.8:53 kkrotfcn.net udp
US 8.8.8.8:53 lcvdlg.net udp
US 8.8.8.8:53 augmgogsoo.com udp
US 8.8.8.8:53 loyjuwhvpef.info udp
US 8.8.8.8:53 pyvnxkgdvagp.info udp
BG 77.85.226.99:18761 tcp
US 8.8.8.8:53 qetmxm.net udp
US 8.8.8.8:53 mgkgeh.info udp
US 8.8.8.8:53 dazulnj.org udp
US 8.8.8.8:53 fskyqgyx.info udp
US 8.8.8.8:53 mbawvtparsth.info udp
US 8.8.8.8:53 imtgyeqbr.info udp
US 8.8.8.8:53 roboqmdazwl.com udp
US 8.8.8.8:53 hjucwjcg.info udp
US 8.8.8.8:53 qdccxfllqw.info udp
US 8.8.8.8:53 uypqyvl.info udp
US 8.8.8.8:53 fjusznt.com udp
US 8.8.8.8:53 dmxlnsmgxndu.net udp
US 8.8.8.8:53 zuhmapbot.net udp
US 8.8.8.8:53 ukvdpgxa.net udp
US 8.8.8.8:53 ukpxnhrd.info udp
US 8.8.8.8:53 aigqkqmiaigi.com udp
US 8.8.8.8:53 lpisxdihpg.net udp
US 8.8.8.8:53 vjvlnnztmb.net udp
US 8.8.8.8:53 eqrjrrdgnld.info udp
US 8.8.8.8:53 omvayqj.info udp
US 8.8.8.8:53 plyebuj.net udp
US 8.8.8.8:53 majbxhzum.net udp
US 8.8.8.8:53 yojkaljecqs.info udp
US 8.8.8.8:53 eclqfz.info udp
US 8.8.8.8:53 uesahof.net udp
US 8.8.8.8:53 eokvub.info udp
US 8.8.8.8:53 gsscummmgs.org udp
US 8.8.8.8:53 ecegeakc.org udp
US 8.8.8.8:53 ymzepu.info udp
US 8.8.8.8:53 ekcscggiimws.com udp
US 8.8.8.8:53 miorzj.net udp
US 8.8.8.8:53 lttmgntl.net udp
US 8.8.8.8:53 wfdjjbuwx.net udp
US 8.8.8.8:53 ootkjdzphd.net udp
US 8.8.8.8:53 hxenopuehqeu.net udp
US 8.8.8.8:53 swguyosise.com udp
US 8.8.8.8:53 qhpxfiicix.info udp
US 8.8.8.8:53 aararuzmj.info udp
US 8.8.8.8:53 banxxjtu.info udp
US 8.8.8.8:53 fvmgrsz.info udp
US 8.8.8.8:53 zrizzt.net udp
US 8.8.8.8:53 aiudfswgldd.net udp
US 8.8.8.8:53 wkeoyc.com udp
US 8.8.8.8:53 xgfndjlmcqzo.info udp
US 8.8.8.8:53 dybrupvt.info udp
US 8.8.8.8:53 cczszraytqf.info udp
US 8.8.8.8:53 nsjnpn.net udp
US 8.8.8.8:53 ukicmwccsksg.org udp
US 8.8.8.8:53 uowtxj.net udp
US 8.8.8.8:53 iwvsdcv.net udp
US 8.8.8.8:53 ivewnr.info udp
US 8.8.8.8:53 aabbtrsevgil.net udp
US 8.8.8.8:53 jqfnrjmvckl.com udp
US 8.8.8.8:53 kqoqlq.info udp
GB 94.195.124.59:43889 tcp
US 8.8.8.8:53 rkmgeoyyf.com udp
US 8.8.8.8:53 zgsqwczun.com udp
US 8.8.8.8:53 xkrkxtgcren.info udp
US 8.8.8.8:53 uevvygcfaynz.net udp
US 8.8.8.8:53 stbkwekl.info udp
US 8.8.8.8:53 cguddd.info udp
US 8.8.8.8:53 nqxijbihvn.info udp
US 8.8.8.8:53 kktgbof.net udp
US 8.8.8.8:53 pttmxqqqbia.info udp
US 8.8.8.8:53 gsrlwi.info udp
US 8.8.8.8:53 jrdllvfg.info udp
US 8.8.8.8:53 yspynbdonzn.net udp
US 8.8.8.8:53 ksnelpckjan.info udp
US 8.8.8.8:53 kroura.net udp
US 8.8.8.8:53 agwkyw.org udp
US 8.8.8.8:53 xrctizgjhu.net udp
US 8.8.8.8:53 gyamaciq.org udp
US 8.8.8.8:53 qpdyxyxy.info udp
US 8.8.8.8:53 ksncxd.info udp
US 8.8.8.8:53 ztdlen.net udp
US 8.8.8.8:53 rlolyw.info udp
US 8.8.8.8:53 vjheqchqfu.net udp
US 8.8.8.8:53 parkhmyoxyt.info udp
US 8.8.8.8:53 rfcqjgcwrllk.info udp
US 8.8.8.8:53 mlltxlztnktg.net udp
US 8.8.8.8:53 ocqeaqwmao.com udp
US 8.8.8.8:53 ooewwc.org udp
US 8.8.8.8:53 bmnynvkvxody.net udp
US 8.8.8.8:53 eyukhwx.net udp
US 8.8.8.8:53 nqqnngzfzq.net udp
US 8.8.8.8:53 jufzfodmgfn.com udp
US 8.8.8.8:53 jypigkw.net udp
US 8.8.8.8:53 xclgbajfzsm.info udp
US 8.8.8.8:53 izbhnj.info udp
US 8.8.8.8:53 dgfyhmo.org udp
US 8.8.8.8:53 jphhtgd.com udp
US 8.8.8.8:53 nmeqwb.net udp
US 8.8.8.8:53 cmvhmg.info udp
US 8.8.8.8:53 fjqcgvtzrbhp.net udp
US 8.8.8.8:53 zkvqpqpdh.net udp
US 8.8.8.8:53 jxcueyixuj.info udp
US 8.8.8.8:53 omierhazkhgw.net udp
US 8.8.8.8:53 wsnihyhlusad.net udp
US 8.8.8.8:53 ncgzwp.info udp
US 8.8.8.8:53 nqpwnou.com udp
US 8.8.8.8:53 cwhyvuo.net udp
US 8.8.8.8:53 woqyiqgicsyo.com udp
US 8.8.8.8:53 kwdrqyzrhd.net udp
US 8.8.8.8:53 rgomxzze.info udp
US 8.8.8.8:53 lmxehfbwziu.org udp
US 8.8.8.8:53 dnyuxs.info udp
US 8.8.8.8:53 xrjmbmgmisvh.info udp
US 8.8.8.8:53 hmnwnbiyx.org udp
US 8.8.8.8:53 rbsrttfe.info udp
US 8.8.8.8:53 tudyxihdnjo.org udp
US 8.8.8.8:53 wmusrbzou.info udp
US 8.8.8.8:53 gooyaceg.org udp
US 8.8.8.8:53 jqtenkdayoy.org udp
US 8.8.8.8:53 bbcdek.info udp
US 8.8.8.8:53 wsnkjol.info udp
US 8.8.8.8:53 lvbbmybbcq.net udp
US 8.8.8.8:53 vulqosrgxel.com udp
US 8.8.8.8:53 ndrdfdfd.net udp
US 8.8.8.8:53 beeubfbbqo.net udp
US 8.8.8.8:53 lvliwxsju.net udp
US 8.8.8.8:53 umanobqbkxyf.info udp
US 8.8.8.8:53 swdvbyf.net udp
US 8.8.8.8:53 wcgcuuiu.org udp
US 8.8.8.8:53 xrfbfifxxuj.info udp
US 8.8.8.8:53 nhmyomxjv.info udp
US 8.8.8.8:53 olfijm.net udp
US 8.8.8.8:53 cgqikqgo.com udp
US 8.8.8.8:53 rocugsx.org udp
BG 77.71.13.138:26221 tcp
US 8.8.8.8:53 aoiusiqk.org udp
US 8.8.8.8:53 ygyamiuy.org udp
US 8.8.8.8:53 yhqqtkuixch.info udp
US 8.8.8.8:53 tyzkrdhyl.info udp
US 8.8.8.8:53 karojwf.info udp
US 8.8.8.8:53 rfpyujjnkb.net udp
US 8.8.8.8:53 vyvijbihvn.info udp
US 8.8.8.8:53 dspuhevizsh.info udp
US 8.8.8.8:53 adncgdng.net udp
US 8.8.8.8:53 hsrofavrq.net udp
US 8.8.8.8:53 zshqxoo.com udp
US 8.8.8.8:53 vcpuibujb.net udp
US 8.8.8.8:53 teneax.info udp
US 8.8.8.8:53 jehdyx.net udp
US 8.8.8.8:53 qaiuttgavp.info udp
US 8.8.8.8:53 ueuqjgrvtvu.info udp
US 8.8.8.8:53 llpwlrlwpx.net udp
US 8.8.8.8:53 nygqlgcq.info udp
US 8.8.8.8:53 gsscwmyyusis.org udp
US 8.8.8.8:53 wffuqaze.net udp
US 8.8.8.8:53 bctwfgikb.org udp
US 8.8.8.8:53 ordxkqunjg.info udp
US 8.8.8.8:53 wmmcacmwomqs.org udp
US 8.8.8.8:53 sbciatvffc.info udp
US 8.8.8.8:53 fzqqksnzg.net udp
US 8.8.8.8:53 vwzcnlroce.net udp
US 8.8.8.8:53 ssskjib.info udp
US 8.8.8.8:53 xmlymtnez.org udp
US 8.8.8.8:53 hmpysghyr.com udp
US 8.8.8.8:53 vidpfbqkmwzq.net udp
US 8.8.8.8:53 kunshfjwnjx.net udp
US 8.8.8.8:53 asqsgmwiom.org udp
US 8.8.8.8:53 gaqocgrqrao.net udp
US 8.8.8.8:53 dinwria.com udp
US 8.8.8.8:53 odzbrjqoy.info udp
US 8.8.8.8:53 ekloliafxwj.net udp
US 8.8.8.8:53 cmcikuukucwe.org udp
US 8.8.8.8:53 hmofylikkw.net udp
US 8.8.8.8:53 rlbtjyk.net udp
US 8.8.8.8:53 aalijqi.info udp
US 8.8.8.8:53 dorczznoh.com udp
US 8.8.8.8:53 nmffdls.com udp
US 8.8.8.8:53 kjbefkipt.info udp
BG 213.167.29.19:39541 tcp
US 8.8.8.8:53 odqisf.info udp
US 8.8.8.8:53 kcadzkzfz.info udp
US 8.8.8.8:53 drgvvqqbal.info udp
US 8.8.8.8:53 ncpmyszzt.info udp
US 8.8.8.8:53 ybxsqlwexbnh.info udp
US 8.8.8.8:53 belkzkgyt.com udp
US 8.8.8.8:53 tfeopp.info udp
US 8.8.8.8:53 c.pki.goog udp
NL 173.194.69.94:80 c.pki.goog tcp
US 8.8.8.8:53 uxrqiwtcm.info udp
US 8.8.8.8:53 wafydbdssb.info udp
US 8.8.8.8:53 kkiamiym.com udp
US 8.8.8.8:53 jcdgln.info udp
US 8.8.8.8:53 sqkkcsuccm.com udp
US 8.8.8.8:53 mglyesvca.info udp
US 8.8.8.8:53 jatdaajehomt.net udp
US 8.8.8.8:53 gmgesg.org udp
US 8.8.8.8:53 qixefwzij.net udp
US 8.8.8.8:53 mwgkuyee.org udp
US 8.8.8.8:53 qeoggcyamgmq.com udp
US 8.8.8.8:53 ecicgswuii.org udp
US 8.8.8.8:53 pgjifyr.net udp
US 8.8.8.8:53 vmivrrxebxt.com udp
US 8.8.8.8:53 kixprvoqr.net udp
US 8.8.8.8:53 klnuxgxljmyx.info udp
US 8.8.8.8:53 psahbazj.net udp
US 8.8.8.8:53 peshlqnfkz.net udp
US 8.8.8.8:53 bzaydhbkyko.info udp
US 8.8.8.8:53 musyuyayeq.org udp
US 8.8.8.8:53 dwhodat.info udp
US 8.8.8.8:53 ovjaqtegctbk.info udp
BG 213.240.193.179:15999 tcp
US 8.8.8.8:53 dzeathod.net udp
US 8.8.8.8:53 yunlgymo.info udp
US 8.8.8.8:53 pqggjqkolti.org udp
US 8.8.8.8:53 uoxjsmld.info udp
US 8.8.8.8:53 nbtgzznlqbnh.info udp
US 8.8.8.8:53 xlxymelkjaj.org udp
US 8.8.8.8:53 kmoarvsun.net udp
US 8.8.8.8:53 ewiuauieao.com udp
US 8.8.8.8:53 akyyfyjnvgc.info udp
US 8.8.8.8:53 eyqimgwqka.org udp
US 8.8.8.8:53 bjpwlrlwpx.net udp
US 8.8.8.8:53 tvqsxjner.net udp
US 8.8.8.8:53 nmhryadkp.info udp
US 8.8.8.8:53 hfvmdeovt.info udp
US 8.8.8.8:53 kanyxqtgnkh.net udp
US 8.8.8.8:53 snxrgwggbm.info udp
US 8.8.8.8:53 imwkkoik.com udp
US 8.8.8.8:53 henirgspeq.net udp
US 8.8.8.8:53 uqykawscag.org udp
US 8.8.8.8:53 kbyiqznaieb.net udp
US 8.8.8.8:53 pwtwfsjwpyl.info udp
US 8.8.8.8:53 ucqiyigqoaiq.com udp
US 8.8.8.8:53 sewuvwb.net udp
US 8.8.8.8:53 jesklrzdhksy.net udp
US 8.8.8.8:53 asqqtmhqdgl.net udp
US 8.8.8.8:53 femwaxbeduto.net udp
US 8.8.8.8:53 qvrufmr.info udp
US 8.8.8.8:53 jgfdnmitxed.info udp
US 8.8.8.8:53 oaewcmmi.com udp
US 8.8.8.8:53 zacghmv.org udp
MD 95.65.27.35:35875 tcp
US 8.8.8.8:53 oalwpcngx.info udp
US 8.8.8.8:53 vqjcyivgbub.com udp
US 8.8.8.8:53 cgcgkgmk.org udp
US 8.8.8.8:53 mucuccse.org udp
US 8.8.8.8:53 xcrfxbihvn.info udp
US 8.8.8.8:53 vqtremnd.net udp
US 8.8.8.8:53 hxockobonvj.com udp
US 8.8.8.8:53 wthudp.info udp
US 8.8.8.8:53 wjlmtauara.net udp
US 8.8.8.8:53 pvesxitaordl.info udp
US 8.8.8.8:53 uahpfat.net udp
US 8.8.8.8:53 aamiyigmescm.org udp
US 8.8.8.8:53 euouqqmq.com udp
US 8.8.8.8:53 nvbqfjpyue.net udp
US 8.8.8.8:53 hmbbxsksid.info udp
US 8.8.8.8:53 yemmaiye.com udp
US 8.8.8.8:53 dzrmxez.com udp
US 8.8.8.8:53 nevjvj.info udp
US 8.8.8.8:53 iojdyvbbzc.info udp
US 8.8.8.8:53 keanqoxhwecz.info udp
US 8.8.8.8:53 kxldwaoqfn.info udp
US 8.8.8.8:53 jfludhaebi.net udp
US 8.8.8.8:53 xxbuvavqnao.net udp
US 8.8.8.8:53 hogvnulyue.info udp
US 8.8.8.8:53 aaftpevwng.net udp
US 8.8.8.8:53 xogjaoh.org udp
US 8.8.8.8:53 yqgymomeqscy.org udp
US 8.8.8.8:53 tgzzsilpuoyu.info udp
US 8.8.8.8:53 wadajafybmt.net udp
US 8.8.8.8:53 zjxluxeb.info udp
US 8.8.8.8:53 gyroqyd.info udp
US 8.8.8.8:53 rejwrwpoa.info udp
US 8.8.8.8:53 jmuyzwjxj.net udp
US 8.8.8.8:53 jygbbfpqpsb.net udp
US 8.8.8.8:53 czbzsq.net udp
US 8.8.8.8:53 rgmudgkbvf.info udp
US 8.8.8.8:53 sgescokcmo.org udp
US 8.8.8.8:53 vmbsqsfsfafj.info udp
US 8.8.8.8:53 jkdqziejdel.info udp
US 8.8.8.8:53 uqenlwgfp.net udp
US 8.8.8.8:53 raamhchopod.net udp
US 8.8.8.8:53 gmmovvrpxh.net udp
US 8.8.8.8:53 lzwgpqnxhy.net udp
US 8.8.8.8:53 kmcudehty.net udp
US 8.8.8.8:53 jqnifqb.com udp
US 8.8.8.8:53 djavumhcjkj.net udp
US 8.8.8.8:53 arjyed.net udp
US 8.8.8.8:53 jehyhpbob.com udp
US 8.8.8.8:53 iyqwsaug.org udp
US 8.8.8.8:53 sahybuudhs.net udp
US 8.8.8.8:53 kiaqceyw.com udp
US 8.8.8.8:53 tdxalylplwd.net udp
US 8.8.8.8:53 luaiurlae.info udp
US 8.8.8.8:53 befuffpmb.info udp
US 8.8.8.8:53 veridpgl.info udp
US 8.8.8.8:53 jhyaxofdlhe.org udp
US 8.8.8.8:53 tmezjobct.org udp
US 8.8.8.8:53 dyrabo.net udp
US 8.8.8.8:53 zpzfed.net udp
US 8.8.8.8:53 hsfspwfirsr.org udp
US 8.8.8.8:53 xnngqv.net udp
US 8.8.8.8:53 jljyxlkgjmxh.info udp
US 8.8.8.8:53 somiqqcgmoao.org udp
US 8.8.8.8:53 fumvct.net udp
US 8.8.8.8:53 qgfttnzahij.info udp
US 8.8.8.8:53 okjnriz.info udp
US 8.8.8.8:53 ohnusmlasyt.net udp
US 8.8.8.8:53 ebpqhzooesb.info udp
US 8.8.8.8:53 wwmqcmoq.com udp
US 8.8.8.8:53 dnyidwf.info udp
US 8.8.8.8:53 eiwmoymqwssw.org udp
US 8.8.8.8:53 iiksnougjqx.info udp
US 8.8.8.8:53 ryhwpwrtisx.com udp
US 8.8.8.8:53 yadxtkefpqdf.net udp
US 8.8.8.8:53 prjruclfruku.net udp
US 8.8.8.8:53 qngitmingp.net udp
US 8.8.8.8:53 koyamgee.com udp
US 8.8.8.8:53 dvxedhtmf.net udp
US 8.8.8.8:53 ulwprsdpevsj.info udp
US 8.8.8.8:53 tpredfpal.net udp
MD 93.116.33.161:45365 tcp
US 8.8.8.8:53 fxosedxpvuwb.info udp
US 8.8.8.8:53 nqpstiiwvsd.info udp
US 8.8.8.8:53 nxdcomtddaw.com udp
US 8.8.8.8:53 gkammqok.com udp
US 8.8.8.8:53 ywiygi.com udp
US 8.8.8.8:53 robtrede.net udp
US 8.8.8.8:53 pipwbsbdy.com udp
US 8.8.8.8:53 xplogp.info udp
US 8.8.8.8:53 qwhptudqu.info udp
US 8.8.8.8:53 qyjxvcif.net udp
US 8.8.8.8:53 elysrgelce.info udp
US 8.8.8.8:53 rsmctszkniw.net udp
US 8.8.8.8:53 ciagiakywm.org udp
US 8.8.8.8:53 tiamroi.info udp
US 8.8.8.8:53 rkwlhccy.info udp
US 8.8.8.8:53 hnkrmupmodsp.net udp
US 8.8.8.8:53 jnxaaglmxvtt.info udp
US 8.8.8.8:53 uahwdirqu.info udp
US 8.8.8.8:53 mciedphx.net udp
US 8.8.8.8:53 grtvjbna.info udp
US 8.8.8.8:53 ppnhptg.com udp
US 8.8.8.8:53 rhxbrocpjwt.org udp
US 8.8.8.8:53 nthafgeqx.org udp
US 8.8.8.8:53 buxwxgjsaqu.info udp
US 8.8.8.8:53 omgobwjdgffu.net udp
US 8.8.8.8:53 zcgnsn.net udp
US 8.8.8.8:53 xxlkanjvji.info udp
US 8.8.8.8:53 xrjshdpogxk.net udp
US 8.8.8.8:53 vibshiiel.net udp
US 8.8.8.8:53 zzhbgtenymza.info udp
US 8.8.8.8:53 kwweqwos.com udp
US 8.8.8.8:53 vcrapudrlyx.com udp
US 8.8.8.8:53 idqpzjog.net udp
US 8.8.8.8:53 lvlyggoepsu.info udp
US 8.8.8.8:53 jjqtpeerkb.net udp
US 8.8.8.8:53 aowfeyron.net udp
US 8.8.8.8:53 flftjrnoyu.info udp
US 8.8.8.8:53 nptjrelfhm.net udp
US 8.8.8.8:53 ugugugwkqi.com udp
US 8.8.8.8:53 vszyrsr.info udp
US 8.8.8.8:53 urkcltobhpwf.net udp
US 8.8.8.8:53 xvmuvilgbpw.com udp
US 8.8.8.8:53 bfpylyvbekh.com udp
US 8.8.8.8:53 ilrxpqfsv.info udp
US 8.8.8.8:53 oivsdkqkbgo.net udp
US 8.8.8.8:53 wcqsegcu.org udp
US 8.8.8.8:53 icjjnapiwig.info udp
US 8.8.8.8:53 eheflhppvg.net udp
US 8.8.8.8:53 gwcimptjuotu.info udp
US 8.8.8.8:53 usschmuipyz.net udp
US 8.8.8.8:53 cykogcgqqcuu.com udp
US 8.8.8.8:53 dpmybe.net udp
US 8.8.8.8:53 iyjofui.info udp
ES 84.123.143.245:15997 tcp
US 8.8.8.8:53 btoblc.info udp
US 8.8.8.8:53 tdfkdijpra.info udp
US 8.8.8.8:53 qwcecuawd.net udp
US 8.8.8.8:53 dovowvbqkapj.info udp
US 8.8.8.8:53 ugjyfpgfl.net udp
US 8.8.8.8:53 imrwoykzhwxr.info udp
US 8.8.8.8:53 fabcrsqo.info udp
US 8.8.8.8:53 myrwjqkrwpbk.info udp
US 8.8.8.8:53 ktzipcqov.info udp
US 8.8.8.8:53 apptfhae.net udp
US 8.8.8.8:53 ggfybhomr.net udp
US 8.8.8.8:53 aqrtds.net udp
US 8.8.8.8:53 lyjpntdxge.net udp
US 8.8.8.8:53 mpkbfsgyp.info udp
US 8.8.8.8:53 zdqmznqz.info udp
US 8.8.8.8:53 svdlwy.net udp
US 8.8.8.8:53 pwizwfsdtjrb.net udp
US 8.8.8.8:53 qseoumkkca.org udp
US 8.8.8.8:53 virvekleb.net udp
US 8.8.8.8:53 fnrxnlbj.net udp
US 8.8.8.8:53 qdnmhgdyrit.net udp
US 8.8.8.8:53 lkdxrwujqhwa.info udp
US 8.8.8.8:53 ywqmrhaam.net udp
US 8.8.8.8:53 aeiscsgaai.com udp
US 8.8.8.8:53 qyqigk.com udp
US 8.8.8.8:53 qceqmomyki.com udp
US 8.8.8.8:53 rgixcydenwn.net udp
US 8.8.8.8:53 wusitljmkdb.net udp
US 8.8.8.8:53 esfmnegcp.info udp
US 8.8.8.8:53 amruiyean.info udp
US 8.8.8.8:53 eyjybsnqfmn.net udp
US 8.8.8.8:53 fyaylmbcb.net udp
US 8.8.8.8:53 iyqwpyj.info udp
US 8.8.8.8:53 tcdibmygrcf.info udp
US 8.8.8.8:53 ldrcrq.info udp
US 8.8.8.8:53 ekqaao.com udp
US 8.8.8.8:53 nvgoapuqhtti.net udp
US 8.8.8.8:53 hhjzvmi.org udp
US 8.8.8.8:53 egvwakdov.net udp
US 8.8.8.8:53 agtatmwgh.info udp
US 8.8.8.8:53 qqqwgisy.com udp
US 8.8.8.8:53 oodszysybkh.info udp
US 8.8.8.8:53 iqrivmd.info udp
US 8.8.8.8:53 dyjywwbb.info udp
US 8.8.8.8:53 rkjyfrxybqd.net udp
US 8.8.8.8:53 uiemsckqmegi.org udp
US 8.8.8.8:53 uegsgk.org udp
US 8.8.8.8:53 lwfaqcduobl.net udp
US 8.8.8.8:53 sqtwlx.info udp
US 8.8.8.8:53 hjfdpmp.org udp
US 8.8.8.8:53 nrouxpzztl.info udp
US 8.8.8.8:53 hksaqua.info udp
US 8.8.8.8:53 beyhvc.net udp
US 8.8.8.8:53 vdzyjdvqp.com udp
US 8.8.8.8:53 rjbifug.net udp
US 8.8.8.8:53 puuasqt.net udp
US 8.8.8.8:53 venrqkxjh.org udp
US 8.8.8.8:53 rtjmkrnbjr.info udp
US 8.8.8.8:53 xdjzjkptbi.info udp
US 8.8.8.8:53 ddjevwher.com udp
US 8.8.8.8:53 yqdindvszcl.info udp
US 8.8.8.8:53 uszqxch.net udp
US 8.8.8.8:53 zjxgvooer.net udp
US 8.8.8.8:53 kxtciiurrb.info udp
US 8.8.8.8:53 ldlrgk.info udp
US 8.8.8.8:53 sqijdboulhxd.info udp
BG 78.83.83.183:43316 tcp
US 8.8.8.8:53 uokwkaua.com udp
US 8.8.8.8:53 dazwxokpjbx.net udp
US 8.8.8.8:53 mjlykxysrkpt.info udp
US 8.8.8.8:53 owtumceqt.info udp
US 8.8.8.8:53 xitxankacx.net udp
US 8.8.8.8:53 onxutsz.net udp
US 8.8.8.8:53 dihrrl.info udp
US 8.8.8.8:53 sgdzhklkvfso.info udp
US 8.8.8.8:53 vuxspcf.info udp
US 8.8.8.8:53 zqxgspl.org udp
US 8.8.8.8:53 quksmc.org udp
US 8.8.8.8:53 jlfaxsw.net udp
US 8.8.8.8:53 culhnylkb.info udp
US 8.8.8.8:53 skqsiiae.org udp
US 8.8.8.8:53 yokkkc.org udp
US 8.8.8.8:53 eqdnezux.info udp
US 8.8.8.8:53 eyjsblk.net udp
US 8.8.8.8:53 ekcywgnrjur.net udp
US 8.8.8.8:53 alyypvemovoc.net udp
US 8.8.8.8:53 npnvasgchkno.net udp
US 8.8.8.8:53 ccgiwekeyk.org udp
US 8.8.8.8:53 uekogikogwwa.com udp
US 8.8.8.8:53 qlstpgkhcjbu.net udp
US 8.8.8.8:53 uyogmici.org udp
US 8.8.8.8:53 vgduhpdmjfj.info udp
US 8.8.8.8:53 ukmocc.net udp
US 8.8.8.8:53 esyqcmyoek.com udp
US 8.8.8.8:53 nzitfaav.info udp
US 8.8.8.8:53 forbqckcz.net udp
US 8.8.8.8:53 xjtuwkqsrch.org udp
BG 78.90.90.188:19501 tcp
US 8.8.8.8:53 pmrwlws.net udp
US 8.8.8.8:53 lktcrbw.com udp
US 8.8.8.8:53 rrmxvwgr.info udp
US 8.8.8.8:53 piwajyzepyp.net udp
US 8.8.8.8:53 vllqtjhnti.info udp
US 8.8.8.8:53 lliynip.com udp
US 8.8.8.8:53 rhodywjrbn.info udp
US 8.8.8.8:53 afdggulezhav.info udp
US 8.8.8.8:53 hyjodgw.info udp
US 8.8.8.8:53 dlpqjhthilf.info udp
US 8.8.8.8:53 gyeirywc.net udp
US 8.8.8.8:53 uvzeyklen.net udp
US 8.8.8.8:53 nfkhmzdogdsd.net udp
US 8.8.8.8:53 uglnowt.info udp
US 8.8.8.8:53 lqblhtgjwszl.info udp
US 8.8.8.8:53 msvplnqooyd.net udp
US 8.8.8.8:53 itoujqvn.net udp
US 8.8.8.8:53 eaictyqxc.info udp
US 8.8.8.8:53 ngaxdqnufmd.org udp
US 8.8.8.8:53 egqigrfu.net udp
US 8.8.8.8:53 gnotxi.net udp
US 8.8.8.8:53 bcvendpjqzgc.info udp
US 8.8.8.8:53 zkbatesie.org udp
US 8.8.8.8:53 vgqxvqngngx.info udp
LT 78.61.83.229:32236 tcp
US 8.8.8.8:53 ftvuabamtx.info udp
US 8.8.8.8:53 talywox.info udp
US 8.8.8.8:53 iewepwe.net udp
US 8.8.8.8:53 cgzqtowog.info udp
US 8.8.8.8:53 eiekkckgua.org udp
US 8.8.8.8:53 edzoeesroqjh.net udp
US 8.8.8.8:53 mxhihzgebbgq.net udp
US 8.8.8.8:53 padxnc.net udp
US 8.8.8.8:53 owuucyeeiwyu.com udp
US 8.8.8.8:53 rahaxghwhyi.com udp
US 8.8.8.8:53 qeasooggkkye.org udp
US 8.8.8.8:53 kbvuii.net udp
US 8.8.8.8:53 qoqkcoymik.org udp
US 8.8.8.8:53 ngqujab.net udp
US 8.8.8.8:53 gdiecndz.net udp
US 8.8.8.8:53 aeqlwcgz.info udp
US 8.8.8.8:53 swisueoy.org udp
US 8.8.8.8:53 fevpfshvp.org udp
US 8.8.8.8:53 mcqqriz.info udp
US 8.8.8.8:53 lzqrpefhsbo.org udp
US 8.8.8.8:53 pnzutwfbmdog.info udp
US 8.8.8.8:53 kcryxrris.info udp
US 8.8.8.8:53 xarwmcpkjgm.net udp
US 8.8.8.8:53 lyhqosq.org udp
US 8.8.8.8:53 ejethawq.net udp
US 8.8.8.8:53 dlsurad.net udp
US 8.8.8.8:53 giekgyskeiik.org udp
US 8.8.8.8:53 mciueunqx.net udp
US 8.8.8.8:53 rucuykz.com udp
US 8.8.8.8:53 hefqtblkxyjf.net udp
US 8.8.8.8:53 aqgocsymmi.com udp
US 8.8.8.8:53 npwaiifgfqlw.info udp
US 8.8.8.8:53 kjzeagx.net udp
US 8.8.8.8:53 bavppixu.net udp
BG 87.252.174.204:44464 tcp
US 8.8.8.8:53 dnzedwpvjg.info udp
US 8.8.8.8:53 gwiacu.com udp
US 8.8.8.8:53 razyzrwsa.net udp
US 8.8.8.8:53 dvfkjfnmfyy.org udp
US 8.8.8.8:53 arbahcbv.info udp
US 8.8.8.8:53 fkgritslx.org udp
US 8.8.8.8:53 lcqcmyuhvmq.net udp
US 8.8.8.8:53 ywqwco.com udp
US 8.8.8.8:53 rfkrnfcb.net udp
US 8.8.8.8:53 yenoywqqp.info udp
US 8.8.8.8:53 bxsjtakxql.net udp
US 8.8.8.8:53 ptpwnlreeaxo.net udp
US 8.8.8.8:53 lvyniwarirxa.info udp
US 8.8.8.8:53 sukkwgwymmsw.com udp
US 8.8.8.8:53 mylnoyzmjut.net udp
US 8.8.8.8:53 eeeiusoc.com udp
US 8.8.8.8:53 korhdwhyrom.info udp
US 8.8.8.8:53 nqpcnuv.info udp
US 8.8.8.8:53 ccmqsuqogs.com udp
US 8.8.8.8:53 qzdvod.info udp
US 8.8.8.8:53 dbrfrcxbqn.info udp
US 8.8.8.8:53 larssxlty.org udp
US 8.8.8.8:53 omymcysg.org udp
US 8.8.8.8:53 dnmdtbeezw.info udp
US 8.8.8.8:53 cmscyauocy.com udp
US 8.8.8.8:53 wwnkhjllelum.net udp
US 8.8.8.8:53 iuaakiwmysqi.org udp
US 8.8.8.8:53 zbqtpeerkb.net udp
US 8.8.8.8:53 xilxrzkve.org udp
US 8.8.8.8:53 ezwahix.net udp
BG 87.120.179.47:27772 tcp
US 8.8.8.8:53 zqocyvxqpom.net udp
US 8.8.8.8:53 zwhxiwn.com udp
US 8.8.8.8:53 zuwrljtqss.net udp
US 8.8.8.8:53 swjxeqn.info udp
US 8.8.8.8:53 ozfxbirmhuhx.info udp
US 8.8.8.8:53 mswmmooyom.com udp
US 8.8.8.8:53 sdwzoxzjjkbx.info udp
US 8.8.8.8:53 ykqttxlti.info udp
US 8.8.8.8:53 msaeugqyakco.org udp
US 8.8.8.8:53 kmbxvynhnkt.net udp
US 8.8.8.8:53 dayelsesnsl.com udp
US 8.8.8.8:53 hyxobb.net udp
US 8.8.8.8:53 tmrxnmjrkb.net udp
US 8.8.8.8:53 gcdihxrdbgl.info udp
US 8.8.8.8:53 auyqomuqwy.com udp
US 8.8.8.8:53 mscxpilwdsn.info udp
US 8.8.8.8:53 wsdadebgpxi.net udp
US 8.8.8.8:53 mmjzgaj.net udp
US 8.8.8.8:53 bviczngffjoq.info udp
US 8.8.8.8:53 jujklqx.info udp
US 8.8.8.8:53 uomieuwsgywa.com udp
US 8.8.8.8:53 wwtjrc.info udp
US 8.8.8.8:53 daecor.info udp
US 8.8.8.8:53 fjrjyr.info udp
US 8.8.8.8:53 fzkrxmam.info udp
US 8.8.8.8:53 zczolaevc.net udp
US 8.8.8.8:53 lejynalt.net udp
US 8.8.8.8:53 xdwqawhturpv.info udp
US 8.8.8.8:53 oyoejii.info udp
US 8.8.8.8:53 qifpunqk.info udp
US 8.8.8.8:53 mgillfzw.info udp
US 8.8.8.8:53 fixijml.org udp
US 8.8.8.8:53 kmweuwmw.org udp
US 8.8.8.8:53 oullaorifg.net udp
US 8.8.8.8:53 bvrlxiawb.net udp
US 8.8.8.8:53 nbzlxkn.org udp
US 8.8.8.8:53 gkfhojcrxdw.info udp
US 8.8.8.8:53 keoflefkrgn.info udp
US 8.8.8.8:53 wckesggcywuc.com udp
US 8.8.8.8:53 tkawsmw.org udp
US 8.8.8.8:53 jqicsbohyedk.net udp
US 8.8.8.8:53 faxwtiw.com udp
US 8.8.8.8:53 sxsydftugfl.net udp
US 8.8.8.8:53 qegcvruo.net udp
US 8.8.8.8:53 gihfhxtpret.info udp
US 8.8.8.8:53 nhkfwu.net udp
US 8.8.8.8:53 giaoaygeui.com udp
US 8.8.8.8:53 msoiygcw.org udp
US 8.8.8.8:53 wcljfyx.info udp
US 8.8.8.8:53 wuybbjqyvdz.net udp
US 8.8.8.8:53 rmxqxgh.net udp
US 8.8.8.8:53 jntxuexoq.net udp
US 8.8.8.8:53 nuegfjvl.info udp
US 8.8.8.8:53 zmrdepayvia.com udp
US 8.8.8.8:53 awtrjqbmv.net udp
US 8.8.8.8:53 bxzqfyzcuak.org udp
US 8.8.8.8:53 sepkrsdid.info udp
BG 78.83.83.183:43316 tcp
US 8.8.8.8:53 osnqusdqj.net udp
US 8.8.8.8:53 siygwiyuei.org udp

Files

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

MD5 5be990ef06295142609c061e763f94c5
SHA1 8e92649e057aedcae61933ddd382fdda697ea98a
SHA256 43c235b417faab687bd120df0b67f120b2f22e8947846e02178185bf5abd5be5
SHA512 6bd2141db8b654e0dddf2cb83638675febaeebc7f34164a345ab0fa245a98af7b718c485526518fdb36a0bb88e9b4ecaa97a9801f4b3a97422e5f34788785b95

C:\Windows\SysWOW64\iassfcqjyrkffnxoze.exe

MD5 bdec6237d2f7f80e1250e09df51e3d02
SHA1 73bbd2918a981f181299342a44b8afc0e0923f7d
SHA256 a7ba2a0628020aa108b91798907146015ab98527a7b59ac8836865c6d9e1e12b
SHA512 e0c1276cabc70b4fe6c936854e10eafba6c5860824d82007c2513d408d1167611b24ae6d5fe992ce12500d6d08ace5b966535ad236bb142af5f677f0ade1af8b

C:\Users\Admin\AppData\Local\Temp\gmsghs.exe

MD5 a98d60dea3ed5563c16c113e2aeea939
SHA1 7a9e89bde295d813b5a5864ccdb9cc3217bd907b
SHA256 2a3c0fb9746db654845545e663b3d6fdffa213a453d3696e9ac66aaf9ee843c5
SHA512 7d5ac8bbf72ca0ddf3f03e272ba720d1f18e167e326097b8c6f7f23e628a0d5fc9c842610a4d97ddd474493cc73d3810722fcacc87d95ca21feb6ccacb7fc638

C:\Users\Admin\AppData\Local\wwwezeabyzadlbtslywwwe.eab

MD5 3a5c31bb6937870cf7038af00b6a0c8e
SHA1 0e2fd7823208dd7ac62364d051c62ebf089b48a6
SHA256 250fa470da5ef2dced8667f5c9e5c4f945f0e9b0e5f80f3b1be08198b7491d3d
SHA512 87716bcecd53a01a7c73438a4c7537bff412cf0f8f509b7d2b6dbb9fe3fad2677af4625d32cfca67cb43229652e8af7afe649cae728fa010a0287ea7db83f7f8

C:\Users\Admin\AppData\Local\nyjciyfrzlxlefiswudozsyovhpbnbuvy.mkt

MD5 0c85e84de601cb71aa23ab7796318ef7
SHA1 cecf915a9321dc4d3be6a85312ea85ff62bf2fad
SHA256 a6288dc0b2a7d6982a8cd3b2fe24711d2fe6b12573c0dedee30c47583bbbd8ea
SHA512 d16a109357e4c3b5cfead73fdb96ba09830c191c591341c966b76481a4864b73d9d60bb04290b7df1759714d4af71c3fe5859f789b23450ec7345cba83d19bb4

C:\Program Files (x86)\wwwezeabyzadlbtslywwwe.eab

MD5 2cf33247a6b2808969c868c4463898f2
SHA1 0a4824caa2522289048418a5695d6113d86c1afd
SHA256 61bf246f465ce91c493c2bac8f6c188a87829e104fe723533a52b914fcab4a6e
SHA512 1d337f4f3392397bd8952593c45ebf3cc409a4401ef4e8136d205273d3d841e22ee6e16c0229721745d5c992af70ff5802a506f2aa773f72e1ea053911853581

C:\Program Files (x86)\wwwezeabyzadlbtslywwwe.eab

MD5 52ec5fff929f0fbacacce4c2096a89bb
SHA1 920941e8bac673c90ae57b18db1e034905a5dde1
SHA256 4ea900d803614273eb18b74f87c5ea92e826edd76785048f8d52a2ea072df02a
SHA512 06ab0ba2633b9aba800de043077f89498fdf92ef039a90f11c97dff4cfd71327496c2ff04408fc94a990e62d451ab828c18264c1c19eb547624de73aac072b6b

C:\Users\Admin\AppData\Local\wwwezeabyzadlbtslywwwe.eab

MD5 0db6c08d3b976455b3b1d64aa27cd8f4
SHA1 61642662e6335bd8c81f46d28fe51b07b3a14146
SHA256 a3cf444551b4900d890bae92c528e9a5b4b5b25477cdfbebdec730c882908808
SHA512 30953a0720397909ccd43962a839bf081671572df13532941a39cd65c5e682b1e04f6aba27b505ec3114f4c12a6eefc542d015c0faf518fde3cc2143bd5cc9e9

C:\Program Files (x86)\wwwezeabyzadlbtslywwwe.eab

MD5 6fffdfaa059d06b5420dc6e64f58384a
SHA1 9bd94147b645d559e5dbfaea0db0696fd0c2320b
SHA256 4eb7940c87dc0b4e5f584de17d6c6c35ae165bb9b942fcffafa2ce8059df7110
SHA512 ec1e4746d4e74aa5f2b2fc23cd64bab4659669dea0bb0c17061179b709273aeac030dcfd353f412b388f3932a18d44b7dfe1a6d551ba3dc9e2e53f20940fc20a

C:\Program Files (x86)\wwwezeabyzadlbtslywwwe.eab

MD5 ad201f27b46401479d6fde407e19b99c
SHA1 6bc1194b17c2e55ee0685b77f11bb98a5613f0bd
SHA256 2afb7575872009213e00176ac8336f2bc7bf477fae721db844ea1a2be4705607
SHA512 56781b62ae74b48fce2df966baab3584258800cb688cec6c9a050ce0f05ddb6d27d24378cce9a15f930495bbeed604d31eeb22e306473f3b6e6b7c285e592501

C:\Program Files (x86)\wwwezeabyzadlbtslywwwe.eab

MD5 6f040ced56c17c267cad61e6ac39fe43
SHA1 33d39d3e68fa059f7933d2cdea2c254f84686bec
SHA256 d0c3a78042fa468aac0bb0818db9396c04a086f76b60bed1b735f8f81161b633
SHA512 70043e5f4839538d3802053517260ea83953a2080f824a916c33c74cb6a82d13dd66f45e32dd19b6b358015f6172416022e9e5240e107d8c974f735ff4be29a8