Malware Analysis Report

2025-08-10 16:33

Sample ID 250420-d4yrhsstcs
Target JaffaCakes118_c45c7c3be165367d7676c127dbdc2050
SHA256 7be6ccadfe39aff45029a30fe34b3c87ac49ebbad791c34e2ff8bb30e7e07721
Tags
pykspa defense_evasion discovery persistence privilege_escalation trojan worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7be6ccadfe39aff45029a30fe34b3c87ac49ebbad791c34e2ff8bb30e7e07721

Threat Level: Known bad

The file JaffaCakes118_c45c7c3be165367d7676c127dbdc2050 was found to be: Known bad.

Malicious Activity Summary

pykspa defense_evasion discovery persistence privilege_escalation trojan worm

UAC bypass

Modifies WinLogon for persistence

Pykspa

Pykspa family

Detect Pykspa worm

Disables RegEdit via registry modification

Adds policy Run key to start application

Checks computer location settings

Impair Defenses: Safe Mode Boot

Executes dropped EXE

Hijack Execution Flow: Executable Installer File Permissions Weakness

Checks whether UAC is enabled

Adds Run key to start application

Looks up external IP address via web service

Drops autorun.inf file

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

System policy modification

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-04-20 03:34

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2025-04-20 03:34

Reported

2025-04-20 03:37

Platform

win11-20250410-en

Max time kernel

54s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A

Pykspa

worm pykspa

Pykspa family

pykspa

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A

Detect Pykspa worm

worm
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zgowwdr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yofwfvsjsjpbvbhr.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yitehritwh = "bwsocxzvjfqhgrcrhqpkg.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yitehritwh = "yofwfvsjsjpbvbhr.exe" C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zgowwdr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yofwfvsjsjpbvbhr.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yitehritwh = "yofwfvsjsjpbvbhr.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yitehritwh = "ogzsdvunyrznjrzlye.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zgowwdr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yofwfvsjsjpbvbhr.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yitehritwh = "bwsocxzvjfqhgrcrhqpkg.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yitehritwh = "fwogqhfxhzgtovcnz.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yitehritwh = "zsmgsllfrlujgpylzgd.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zgowwdr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bwsocxzvjfqhgrcrhqpkg.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zgowwdr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fwogqhfxhzgtovcnz.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yitehritwh = "yofwfvsjsjpbvbhr.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zgowwdr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fwogqhfxhzgtovcnz.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yitehritwh = "zsmgsllfrlujgpylzgd.exe" C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zgowwdr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsmgsllfrlujgpylzgd.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yitehritwh = "yofwfvsjsjpbvbhr.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zgowwdr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yofwfvsjsjpbvbhr.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zgowwdr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsmgsllfrlujgpylzgd.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yitehritwh = "yofwfvsjsjpbvbhr.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zgowwdr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bwsocxzvjfqhgrcrhqpkg.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zgowwdr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ogzsdvunyrznjrzlye.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zgowwdr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgbwjdezmhrhfpznckic.exe" C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zgowwdr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsmgsllfrlujgpylzgd.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yitehritwh = "mgbwjdezmhrhfpznckic.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yitehritwh = "mgbwjdezmhrhfpznckic.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yitehritwh = "ogzsdvunyrznjrzlye.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yitehritwh = "fwogqhfxhzgtovcnz.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zgowwdr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yofwfvsjsjpbvbhr.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yitehritwh = "yofwfvsjsjpbvbhr.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yitehritwh = "mgbwjdezmhrhfpznckic.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yitehritwh = "ogzsdvunyrznjrzlye.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yitehritwh = "bwsocxzvjfqhgrcrhqpkg.exe" C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yitehritwh = "bwsocxzvjfqhgrcrhqpkg.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zgowwdr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bwsocxzvjfqhgrcrhqpkg.exe" C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yitehritwh = "zsmgsllfrlujgpylzgd.exe" C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zgowwdr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fwogqhfxhzgtovcnz.exe" C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zgowwdr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ogzsdvunyrznjrzlye.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yitehritwh = "bwsocxzvjfqhgrcrhqpkg.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zgowwdr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgbwjdezmhrhfpznckic.exe" C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yitehritwh = "fwogqhfxhzgtovcnz.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zgowwdr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsmgsllfrlujgpylzgd.exe" C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yitehritwh = "mgbwjdezmhrhfpznckic.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yitehritwh = "yofwfvsjsjpbvbhr.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zgowwdr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgbwjdezmhrhfpznckic.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A

Disables RegEdit via registry modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
N/A N/A C:\Windows\yofwfvsjsjpbvbhr.exe N/A
N/A N/A C:\Windows\fwogqhfxhzgtovcnz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
N/A N/A C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe N/A
N/A N/A C:\Windows\ogzsdvunyrznjrzlye.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
N/A N/A C:\Windows\yofwfvsjsjpbvbhr.exe N/A
N/A N/A C:\Windows\fwogqhfxhzgtovcnz.exe N/A
N/A N/A C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe N/A
N/A N/A C:\Windows\ogzsdvunyrznjrzlye.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
N/A N/A C:\Windows\ogzsdvunyrznjrzlye.exe N/A
N/A N/A C:\Windows\mgbwjdezmhrhfpznckic.exe N/A
N/A N/A C:\Windows\ogzsdvunyrznjrzlye.exe N/A
N/A N/A C:\Windows\mgbwjdezmhrhfpznckic.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
N/A N/A C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe N/A
N/A N/A C:\Windows\mgbwjdezmhrhfpznckic.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
N/A N/A C:\Windows\zsmgsllfrlujgpylzgd.exe N/A
N/A N/A C:\Windows\mgbwjdezmhrhfpznckic.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
N/A N/A C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe N/A
N/A N/A C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
N/A N/A C:\Windows\zsmgsllfrlujgpylzgd.exe N/A
N/A N/A C:\Windows\mgbwjdezmhrhfpznckic.exe N/A
N/A N/A C:\Windows\mgbwjdezmhrhfpznckic.exe N/A
N/A N/A C:\Windows\yofwfvsjsjpbvbhr.exe N/A
N/A N/A C:\Windows\fwogqhfxhzgtovcnz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
N/A N/A C:\Windows\zsmgsllfrlujgpylzgd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\foyiktjtv = "bwsocxzvjfqhgrcrhqpkg.exe ." C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qetipdynujnxpt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bwsocxzvjfqhgrcrhqpkg.exe" C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\foyiktjtv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fwogqhfxhzgtovcnz.exe ." C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pcqekxrflzclc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsmgsllfrlujgpylzgd.exe ." C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Run\owfopxmv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ogzsdvunyrznjrzlye.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qcpchtmzertb = "fwogqhfxhzgtovcnz.exe ." C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Run\teqcgrjvzlm = "fwogqhfxhzgtovcnz.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\foyiktjtv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgbwjdezmhrhfpznckic.exe ." C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\foyiktjtv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgbwjdezmhrhfpznckic.exe ." C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Run\owfopxmv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ogzsdvunyrznjrzlye.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\foyiktjtv = "mgbwjdezmhrhfpznckic.exe ." C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\foyiktjtv = "fwogqhfxhzgtovcnz.exe ." C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qcpchtmzertb = "ogzsdvunyrznjrzlye.exe ." C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qcpchtmzertb = "fwogqhfxhzgtovcnz.exe ." C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pcqekxrflzclc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fwogqhfxhzgtovcnz.exe ." C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Run\teqcgrjvzlm = "bwsocxzvjfqhgrcrhqpkg.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\owfopxmv = "yofwfvsjsjpbvbhr.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Run\owfopxmv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgbwjdezmhrhfpznckic.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\foyiktjtv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fwogqhfxhzgtovcnz.exe ." C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Run\owfopxmv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fwogqhfxhzgtovcnz.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\foyiktjtv = "mgbwjdezmhrhfpznckic.exe ." C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qcpchtmzertb = "mgbwjdezmhrhfpznckic.exe ." C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pcqekxrflzclc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bwsocxzvjfqhgrcrhqpkg.exe ." C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\owfopxmv = "zsmgsllfrlujgpylzgd.exe" C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qetipdynujnxpt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsmgsllfrlujgpylzgd.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qcpchtmzertb = "zsmgsllfrlujgpylzgd.exe ." C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Run\teqcgrjvzlm = "ogzsdvunyrznjrzlye.exe" C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qetipdynujnxpt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ogzsdvunyrznjrzlye.exe" C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Run\owfopxmv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgbwjdezmhrhfpznckic.exe" C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Run\owfopxmv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yofwfvsjsjpbvbhr.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qcpchtmzertb = "bwsocxzvjfqhgrcrhqpkg.exe ." C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\owfopxmv = "yofwfvsjsjpbvbhr.exe" C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Run\teqcgrjvzlm = "mgbwjdezmhrhfpznckic.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pcqekxrflzclc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fwogqhfxhzgtovcnz.exe ." C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\owfopxmv = "mgbwjdezmhrhfpznckic.exe" C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Run\owfopxmv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yofwfvsjsjpbvbhr.exe" C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pcqekxrflzclc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bwsocxzvjfqhgrcrhqpkg.exe ." C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\owfopxmv = "fwogqhfxhzgtovcnz.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qcpchtmzertb = "mgbwjdezmhrhfpznckic.exe ." C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\foyiktjtv = "zsmgsllfrlujgpylzgd.exe ." C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\foyiktjtv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ogzsdvunyrznjrzlye.exe ." C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\owfopxmv = "zsmgsllfrlujgpylzgd.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\foyiktjtv = "ogzsdvunyrznjrzlye.exe ." C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\owfopxmv = "yofwfvsjsjpbvbhr.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\owfopxmv = "yofwfvsjsjpbvbhr.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qcpchtmzertb = "mgbwjdezmhrhfpznckic.exe ." C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\foyiktjtv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ogzsdvunyrznjrzlye.exe ." C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\foyiktjtv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsmgsllfrlujgpylzgd.exe ." C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\foyiktjtv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ogzsdvunyrznjrzlye.exe ." C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\foyiktjtv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yofwfvsjsjpbvbhr.exe ." C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\foyiktjtv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgbwjdezmhrhfpznckic.exe ." C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Run\teqcgrjvzlm = "ogzsdvunyrznjrzlye.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pcqekxrflzclc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fwogqhfxhzgtovcnz.exe ." C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\foyiktjtv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bwsocxzvjfqhgrcrhqpkg.exe ." C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Run\teqcgrjvzlm = "mgbwjdezmhrhfpznckic.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Run\teqcgrjvzlm = "ogzsdvunyrznjrzlye.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qcpchtmzertb = "zsmgsllfrlujgpylzgd.exe ." C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qetipdynujnxpt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ogzsdvunyrznjrzlye.exe" C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qetipdynujnxpt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yofwfvsjsjpbvbhr.exe" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\foyiktjtv = "ogzsdvunyrznjrzlye.exe ." C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Run\teqcgrjvzlm = "bwsocxzvjfqhgrcrhqpkg.exe" C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\foyiktjtv = "mgbwjdezmhrhfpznckic.exe ." C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\foyiktjtv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yofwfvsjsjpbvbhr.exe ." C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\foyiktjtv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgbwjdezmhrhfpznckic.exe ." C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A

Hijack Execution Flow: Executable Installer File Permissions Weakness

defense_evasion persistence privilege_escalation
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A www.whatismyip.ca N/A N/A
N/A whatismyip.everdot.org N/A N/A
N/A whatismyipaddress.com N/A N/A
N/A www.showmyipaddress.com N/A N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
File created C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\zsmgsllfrlujgpylzgd.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\fwogqhfxhzgtovcnz.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\ogzsdvunyrznjrzlye.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\yofwfvsjsjpbvbhr.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\fwogqhfxhzgtovcnz.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\mgbwjdezmhrhfpznckic.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\mgbwjdezmhrhfpznckic.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\zsmgsllfrlujgpylzgd.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\solixtwtifrjjvhxoyyuro.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\mgbwjdezmhrhfpznckic.exe C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
File opened for modification C:\Windows\SysWOW64\fwogqhfxhzgtovcnz.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\mgbwjdezmhrhfpznckic.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\ogzsdvunyrznjrzlye.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\yofwfvsjsjpbvbhr.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\mgbwjdezmhrhfpznckic.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\ogzsdvunyrznjrzlye.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\ogzsdvunyrznjrzlye.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File created C:\Windows\SysWOW64\gilojluxsvnlrjbxukqsvytv.hcf C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
File opened for modification C:\Windows\SysWOW64\zsmgsllfrlujgpylzgd.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\ogzsdvunyrznjrzlye.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\mgbwjdezmhrhfpznckic.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\solixtwtifrjjvhxoyyuro.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\yofwfvsjsjpbvbhr.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\ogzsdvunyrznjrzlye.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\yofwfvsjsjpbvbhr.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\ogzsdvunyrznjrzlye.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\bwsocxzvjfqhgrcrhqpkg.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\zsmgsllfrlujgpylzgd.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\fwogqhfxhzgtovcnz.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\mgbwjdezmhrhfpznckic.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\fwogqhfxhzgtovcnz.exe C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
File opened for modification C:\Windows\SysWOW64\solixtwtifrjjvhxoyyuro.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\bwsocxzvjfqhgrcrhqpkg.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\mgbwjdezmhrhfpznckic.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\mgbwjdezmhrhfpznckic.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\ogzsdvunyrznjrzlye.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\zsmgsllfrlujgpylzgd.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\mgbwjdezmhrhfpznckic.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\mgbwjdezmhrhfpznckic.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\yofwfvsjsjpbvbhr.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\yofwfvsjsjpbvbhr.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\fwogqhfxhzgtovcnz.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\bwsocxzvjfqhgrcrhqpkg.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\bwsocxzvjfqhgrcrhqpkg.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\zsmgsllfrlujgpylzgd.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\fwogqhfxhzgtovcnz.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\mgbwjdezmhrhfpznckic.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\mgbwjdezmhrhfpznckic.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File created C:\Windows\SysWOW64\pcqekxrflzclcfipxypcqekxrflzclcfipx.pcq C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
File opened for modification C:\Windows\SysWOW64\ogzsdvunyrznjrzlye.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\bwsocxzvjfqhgrcrhqpkg.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\zsmgsllfrlujgpylzgd.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\ogzsdvunyrznjrzlye.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\bwsocxzvjfqhgrcrhqpkg.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\yofwfvsjsjpbvbhr.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\zsmgsllfrlujgpylzgd.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\bwsocxzvjfqhgrcrhqpkg.exe C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
File opened for modification C:\Windows\SysWOW64\fwogqhfxhzgtovcnz.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\solixtwtifrjjvhxoyyuro.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\ogzsdvunyrznjrzlye.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\solixtwtifrjjvhxoyyuro.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\ogzsdvunyrznjrzlye.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\solixtwtifrjjvhxoyyuro.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\zsmgsllfrlujgpylzgd.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\gilojluxsvnlrjbxukqsvytv.hcf C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
File created C:\Program Files (x86)\gilojluxsvnlrjbxukqsvytv.hcf C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
File opened for modification C:\Program Files (x86)\pcqekxrflzclcfipxypcqekxrflzclcfipx.pcq C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
File created C:\Program Files (x86)\pcqekxrflzclcfipxypcqekxrflzclcfipx.pcq C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\ogzsdvunyrznjrzlye.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\solixtwtifrjjvhxoyyuro.exe C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
File opened for modification C:\Windows\mgbwjdezmhrhfpznckic.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\fwogqhfxhzgtovcnz.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\zsmgsllfrlujgpylzgd.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\solixtwtifrjjvhxoyyuro.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\fwogqhfxhzgtovcnz.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\yofwfvsjsjpbvbhr.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\ogzsdvunyrznjrzlye.exe C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
File opened for modification C:\Windows\yofwfvsjsjpbvbhr.exe C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
File created C:\Windows\gilojluxsvnlrjbxukqsvytv.hcf C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
File opened for modification C:\Windows\zsmgsllfrlujgpylzgd.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\yofwfvsjsjpbvbhr.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\mgbwjdezmhrhfpznckic.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\mgbwjdezmhrhfpznckic.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\ogzsdvunyrznjrzlye.exe C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
File opened for modification C:\Windows\solixtwtifrjjvhxoyyuro.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\ogzsdvunyrznjrzlye.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\mgbwjdezmhrhfpznckic.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\mgbwjdezmhrhfpznckic.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\ogzsdvunyrznjrzlye.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\solixtwtifrjjvhxoyyuro.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\yofwfvsjsjpbvbhr.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\zsmgsllfrlujgpylzgd.exe C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
File opened for modification C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
File opened for modification C:\Windows\solixtwtifrjjvhxoyyuro.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\solixtwtifrjjvhxoyyuro.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\solixtwtifrjjvhxoyyuro.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\solixtwtifrjjvhxoyyuro.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\mgbwjdezmhrhfpznckic.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\fwogqhfxhzgtovcnz.exe C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
File opened for modification C:\Windows\ogzsdvunyrznjrzlye.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\zsmgsllfrlujgpylzgd.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\ogzsdvunyrznjrzlye.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\zsmgsllfrlujgpylzgd.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\ogzsdvunyrznjrzlye.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
File opened for modification C:\Windows\yofwfvsjsjpbvbhr.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\solixtwtifrjjvhxoyyuro.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\mgbwjdezmhrhfpznckic.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\zsmgsllfrlujgpylzgd.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\mgbwjdezmhrhfpznckic.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\zsmgsllfrlujgpylzgd.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\ogzsdvunyrznjrzlye.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\fwogqhfxhzgtovcnz.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\zsmgsllfrlujgpylzgd.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\yofwfvsjsjpbvbhr.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\solixtwtifrjjvhxoyyuro.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\ogzsdvunyrznjrzlye.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\yofwfvsjsjpbvbhr.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\fwogqhfxhzgtovcnz.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\fwogqhfxhzgtovcnz.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\fwogqhfxhzgtovcnz.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\yofwfvsjsjpbvbhr.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\ogzsdvunyrznjrzlye.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\yofwfvsjsjpbvbhr.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
File opened for modification C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\ogzsdvunyrznjrzlye.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\yofwfvsjsjpbvbhr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\yofwfvsjsjpbvbhr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\ogzsdvunyrznjrzlye.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\zsmgsllfrlujgpylzgd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\yofwfvsjsjpbvbhr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\ogzsdvunyrznjrzlye.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\fwogqhfxhzgtovcnz.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\mgbwjdezmhrhfpznckic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\fwogqhfxhzgtovcnz.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\mgbwjdezmhrhfpznckic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\fwogqhfxhzgtovcnz.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\fwogqhfxhzgtovcnz.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\mgbwjdezmhrhfpznckic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\zsmgsllfrlujgpylzgd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\ogzsdvunyrznjrzlye.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\mgbwjdezmhrhfpznckic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\fwogqhfxhzgtovcnz.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\ogzsdvunyrznjrzlye.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\mgbwjdezmhrhfpznckic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\fwogqhfxhzgtovcnz.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\fwogqhfxhzgtovcnz.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\mgbwjdezmhrhfpznckic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3148 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
PID 3148 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
PID 3148 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
PID 2956 wrote to memory of 4764 N/A C:\Windows\system32\cmd.exe C:\Windows\yofwfvsjsjpbvbhr.exe
PID 2956 wrote to memory of 4764 N/A C:\Windows\system32\cmd.exe C:\Windows\yofwfvsjsjpbvbhr.exe
PID 2956 wrote to memory of 4764 N/A C:\Windows\system32\cmd.exe C:\Windows\yofwfvsjsjpbvbhr.exe
PID 5676 wrote to memory of 3152 N/A C:\Windows\system32\cmd.exe C:\Windows\fwogqhfxhzgtovcnz.exe
PID 5676 wrote to memory of 3152 N/A C:\Windows\system32\cmd.exe C:\Windows\fwogqhfxhzgtovcnz.exe
PID 5676 wrote to memory of 3152 N/A C:\Windows\system32\cmd.exe C:\Windows\fwogqhfxhzgtovcnz.exe
PID 3152 wrote to memory of 4772 N/A C:\Windows\fwogqhfxhzgtovcnz.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
PID 3152 wrote to memory of 4772 N/A C:\Windows\fwogqhfxhzgtovcnz.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
PID 3152 wrote to memory of 4772 N/A C:\Windows\fwogqhfxhzgtovcnz.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
PID 5772 wrote to memory of 2364 N/A C:\Windows\system32\cmd.exe C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe
PID 5772 wrote to memory of 2364 N/A C:\Windows\system32\cmd.exe C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe
PID 5772 wrote to memory of 2364 N/A C:\Windows\system32\cmd.exe C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe
PID 3656 wrote to memory of 2320 N/A C:\Windows\system32\cmd.exe C:\Windows\ogzsdvunyrznjrzlye.exe
PID 3656 wrote to memory of 2320 N/A C:\Windows\system32\cmd.exe C:\Windows\ogzsdvunyrznjrzlye.exe
PID 3656 wrote to memory of 2320 N/A C:\Windows\system32\cmd.exe C:\Windows\ogzsdvunyrznjrzlye.exe
PID 2320 wrote to memory of 4940 N/A C:\Windows\ogzsdvunyrznjrzlye.exe C:\Windows\system32\cmd.exe
PID 2320 wrote to memory of 4940 N/A C:\Windows\ogzsdvunyrznjrzlye.exe C:\Windows\system32\cmd.exe
PID 2320 wrote to memory of 4940 N/A C:\Windows\ogzsdvunyrznjrzlye.exe C:\Windows\system32\cmd.exe
PID 3444 wrote to memory of 5648 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Conhost.exe
PID 3444 wrote to memory of 5648 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Conhost.exe
PID 3444 wrote to memory of 5648 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Conhost.exe
PID 5416 wrote to memory of 2016 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
PID 5416 wrote to memory of 2016 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
PID 5416 wrote to memory of 2016 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
PID 2016 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
PID 2016 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
PID 2016 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
PID 4152 wrote to memory of 340 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe
PID 4152 wrote to memory of 340 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe
PID 4152 wrote to memory of 340 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe
PID 712 wrote to memory of 5584 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
PID 712 wrote to memory of 5584 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
PID 712 wrote to memory of 5584 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
PID 5584 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
PID 5584 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
PID 5584 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
PID 4348 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe C:\Users\Admin\AppData\Local\Temp\bgmsq.exe
PID 4348 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe C:\Users\Admin\AppData\Local\Temp\bgmsq.exe
PID 4348 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe C:\Users\Admin\AppData\Local\Temp\bgmsq.exe
PID 4348 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe C:\Users\Admin\AppData\Local\Temp\bgmsq.exe
PID 4348 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe C:\Users\Admin\AppData\Local\Temp\bgmsq.exe
PID 4348 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe C:\Users\Admin\AppData\Local\Temp\bgmsq.exe
PID 5876 wrote to memory of 4804 N/A C:\Windows\system32\cmd.exe C:\Windows\yofwfvsjsjpbvbhr.exe
PID 5876 wrote to memory of 4804 N/A C:\Windows\system32\cmd.exe C:\Windows\yofwfvsjsjpbvbhr.exe
PID 5876 wrote to memory of 4804 N/A C:\Windows\system32\cmd.exe C:\Windows\yofwfvsjsjpbvbhr.exe
PID 5212 wrote to memory of 4776 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
PID 5212 wrote to memory of 4776 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
PID 5212 wrote to memory of 4776 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
PID 2960 wrote to memory of 5020 N/A C:\Windows\system32\cmd.exe C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe
PID 2960 wrote to memory of 5020 N/A C:\Windows\system32\cmd.exe C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe
PID 2960 wrote to memory of 5020 N/A C:\Windows\system32\cmd.exe C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe
PID 4280 wrote to memory of 572 N/A C:\Windows\system32\cmd.exe C:\Windows\ogzsdvunyrznjrzlye.exe
PID 4280 wrote to memory of 572 N/A C:\Windows\system32\cmd.exe C:\Windows\ogzsdvunyrznjrzlye.exe
PID 4280 wrote to memory of 572 N/A C:\Windows\system32\cmd.exe C:\Windows\ogzsdvunyrznjrzlye.exe
PID 5020 wrote to memory of 5428 N/A C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe C:\Windows\System32\Conhost.exe
PID 5020 wrote to memory of 5428 N/A C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe C:\Windows\System32\Conhost.exe
PID 5020 wrote to memory of 5428 N/A C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe C:\Windows\System32\Conhost.exe
PID 572 wrote to memory of 3500 N/A C:\Windows\ogzsdvunyrznjrzlye.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
PID 572 wrote to memory of 3500 N/A C:\Windows\ogzsdvunyrznjrzlye.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
PID 572 wrote to memory of 3500 N/A C:\Windows\ogzsdvunyrznjrzlye.exe C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
PID 4264 wrote to memory of 3104 N/A C:\Windows\system32\cmd.exe C:\Windows\ogzsdvunyrznjrzlye.exe

System policy modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\bgmsq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe"

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_c45c7c3be165367d7676c127dbdc2050.exe*"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe

C:\Windows\yofwfvsjsjpbvbhr.exe

yofwfvsjsjpbvbhr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe .

C:\Windows\fwogqhfxhzgtovcnz.exe

fwogqhfxhzgtovcnz.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\fwogqhfxhzgtovcnz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe

C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe

bwsocxzvjfqhgrcrhqpkg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe .

C:\Windows\ogzsdvunyrznjrzlye.exe

ogzsdvunyrznjrzlye.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\ogzsdvunyrznjrzlye.exe*."

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\yofwfvsjsjpbvbhr.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe

C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe

C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\mgbwjdezmhrhfpznckic.exe*."

C:\Users\Admin\AppData\Local\Temp\bgmsq.exe

"C:\Users\Admin\AppData\Local\Temp\bgmsq.exe" "-C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe"

C:\Users\Admin\AppData\Local\Temp\bgmsq.exe

"C:\Users\Admin\AppData\Local\Temp\bgmsq.exe" "-C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe

C:\Windows\yofwfvsjsjpbvbhr.exe

yofwfvsjsjpbvbhr.exe

C:\Windows\fwogqhfxhzgtovcnz.exe

fwogqhfxhzgtovcnz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe .

C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe

bwsocxzvjfqhgrcrhqpkg.exe .

C:\Windows\ogzsdvunyrznjrzlye.exe

ogzsdvunyrznjrzlye.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\bwsocxzvjfqhgrcrhqpkg.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\ogzsdvunyrznjrzlye.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe .

C:\Windows\mgbwjdezmhrhfpznckic.exe

mgbwjdezmhrhfpznckic.exe

C:\Windows\ogzsdvunyrznjrzlye.exe

ogzsdvunyrznjrzlye.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Windows\ogzsdvunyrznjrzlye.exe

ogzsdvunyrznjrzlye.exe .

C:\Windows\mgbwjdezmhrhfpznckic.exe

mgbwjdezmhrhfpznckic.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\ogzsdvunyrznjrzlye.exe*."

C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe

C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .

C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe

C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\bwsocxzvjfqhgrcrhqpkg.exe*."

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\zsmgsllfrlujgpylzgd.exe*."

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe

C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .

C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe

C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\zsmgsllfrlujgpylzgd.exe*."

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\zsmgsllfrlujgpylzgd.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe

C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe

bwsocxzvjfqhgrcrhqpkg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .

C:\Windows\mgbwjdezmhrhfpznckic.exe

mgbwjdezmhrhfpznckic.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."

C:\Windows\zsmgsllfrlujgpylzgd.exe

zsmgsllfrlujgpylzgd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Windows\mgbwjdezmhrhfpznckic.exe

mgbwjdezmhrhfpznckic.exe .

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."

C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe

C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\bwsocxzvjfqhgrcrhqpkg.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\ogzsdvunyrznjrzlye.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe

C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe

bwsocxzvjfqhgrcrhqpkg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe .

C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe

bwsocxzvjfqhgrcrhqpkg.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\bwsocxzvjfqhgrcrhqpkg.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe

C:\Windows\zsmgsllfrlujgpylzgd.exe

zsmgsllfrlujgpylzgd.exe

C:\Windows\mgbwjdezmhrhfpznckic.exe

mgbwjdezmhrhfpznckic.exe

C:\Windows\mgbwjdezmhrhfpznckic.exe

mgbwjdezmhrhfpznckic.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe .

C:\Windows\yofwfvsjsjpbvbhr.exe

yofwfvsjsjpbvbhr.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe

C:\Windows\fwogqhfxhzgtovcnz.exe

fwogqhfxhzgtovcnz.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\yofwfvsjsjpbvbhr.exe*."

C:\Windows\zsmgsllfrlujgpylzgd.exe

zsmgsllfrlujgpylzgd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe

C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\fwogqhfxhzgtovcnz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe .

C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe

C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\zsmgsllfrlujgpylzgd.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe

C:\Windows\yofwfvsjsjpbvbhr.exe

yofwfvsjsjpbvbhr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .

C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe

bwsocxzvjfqhgrcrhqpkg.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\fwogqhfxhzgtovcnz.exe*."

C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe

bwsocxzvjfqhgrcrhqpkg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .

C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe

C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe

C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe

C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe

C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe

C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .

C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe

C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\bwsocxzvjfqhgrcrhqpkg.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\bwsocxzvjfqhgrcrhqpkg.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\fwogqhfxhzgtovcnz.exe*."

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe

C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .

C:\Windows\zsmgsllfrlujgpylzgd.exe

zsmgsllfrlujgpylzgd.exe

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\ogzsdvunyrznjrzlye.exe*."

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\yofwfvsjsjpbvbhr.exe*."

C:\Windows\fwogqhfxhzgtovcnz.exe

fwogqhfxhzgtovcnz.exe

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\yofwfvsjsjpbvbhr.exe*."

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\yofwfvsjsjpbvbhr.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\mgbwjdezmhrhfpznckic.exe

mgbwjdezmhrhfpznckic.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe

C:\Windows\ogzsdvunyrznjrzlye.exe

ogzsdvunyrznjrzlye.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe .

C:\Windows\ogzsdvunyrznjrzlye.exe

ogzsdvunyrznjrzlye.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\ogzsdvunyrznjrzlye.exe*."

C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe

C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\mgbwjdezmhrhfpznckic.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe

C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe

C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .

C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe

C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\zsmgsllfrlujgpylzgd.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe

bwsocxzvjfqhgrcrhqpkg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe .

C:\Windows\zsmgsllfrlujgpylzgd.exe

zsmgsllfrlujgpylzgd.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\zsmgsllfrlujgpylzgd.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe

C:\Windows\yofwfvsjsjpbvbhr.exe

yofwfvsjsjpbvbhr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe .

C:\Windows\yofwfvsjsjpbvbhr.exe

yofwfvsjsjpbvbhr.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\yofwfvsjsjpbvbhr.exe*."

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\yofwfvsjsjpbvbhr.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\ogzsdvunyrznjrzlye.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe

C:\Windows\yofwfvsjsjpbvbhr.exe

yofwfvsjsjpbvbhr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe .

C:\Windows\ogzsdvunyrznjrzlye.exe

ogzsdvunyrznjrzlye.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\ogzsdvunyrznjrzlye.exe*."

C:\Windows\fwogqhfxhzgtovcnz.exe

fwogqhfxhzgtovcnz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe .

C:\Windows\ogzsdvunyrznjrzlye.exe

ogzsdvunyrznjrzlye.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\ogzsdvunyrznjrzlye.exe*."

C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe

C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\fwogqhfxhzgtovcnz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\mgbwjdezmhrhfpznckic.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe

C:\Windows\ogzsdvunyrznjrzlye.exe

ogzsdvunyrznjrzlye.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe .

C:\Windows\yofwfvsjsjpbvbhr.exe

yofwfvsjsjpbvbhr.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\yofwfvsjsjpbvbhr.exe*."

C:\Windows\zsmgsllfrlujgpylzgd.exe

zsmgsllfrlujgpylzgd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe .

C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe

bwsocxzvjfqhgrcrhqpkg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe

C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe

C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\bwsocxzvjfqhgrcrhqpkg.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .

C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe

C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\zsmgsllfrlujgpylzgd.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\mgbwjdezmhrhfpznckic.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe

C:\Windows\ogzsdvunyrznjrzlye.exe

ogzsdvunyrznjrzlye.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe .

C:\Windows\zsmgsllfrlujgpylzgd.exe

zsmgsllfrlujgpylzgd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\zsmgsllfrlujgpylzgd.exe*."

C:\Windows\zsmgsllfrlujgpylzgd.exe

zsmgsllfrlujgpylzgd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe .

C:\Windows\ogzsdvunyrznjrzlye.exe

ogzsdvunyrznjrzlye.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\ogzsdvunyrznjrzlye.exe*."

C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe

C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\zsmgsllfrlujgpylzgd.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\yofwfvsjsjpbvbhr.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe

C:\Windows\fwogqhfxhzgtovcnz.exe

fwogqhfxhzgtovcnz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe .

C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe

bwsocxzvjfqhgrcrhqpkg.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\bwsocxzvjfqhgrcrhqpkg.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe

C:\Windows\ogzsdvunyrznjrzlye.exe

ogzsdvunyrznjrzlye.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe .

C:\Windows\zsmgsllfrlujgpylzgd.exe

zsmgsllfrlujgpylzgd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\zsmgsllfrlujgpylzgd.exe*."

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .

C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe

C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\fwogqhfxhzgtovcnz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .

C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe

C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\fwogqhfxhzgtovcnz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\yofwfvsjsjpbvbhr.exe

yofwfvsjsjpbvbhr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe .

C:\Windows\yofwfvsjsjpbvbhr.exe

yofwfvsjsjpbvbhr.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\yofwfvsjsjpbvbhr.exe*."

C:\Windows\ogzsdvunyrznjrzlye.exe

ogzsdvunyrznjrzlye.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .

C:\Windows\mgbwjdezmhrhfpznckic.exe

mgbwjdezmhrhfpznckic.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe

C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe

C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .

C:\Windows\mgbwjdezmhrhfpznckic.exe

mgbwjdezmhrhfpznckic.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\zsmgsllfrlujgpylzgd.exe*."

C:\Windows\fwogqhfxhzgtovcnz.exe

fwogqhfxhzgtovcnz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe .

C:\Windows\zsmgsllfrlujgpylzgd.exe

zsmgsllfrlujgpylzgd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Windows\mgbwjdezmhrhfpznckic.exe

mgbwjdezmhrhfpznckic.exe .

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\zsmgsllfrlujgpylzgd.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .

C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe

bwsocxzvjfqhgrcrhqpkg.exe

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .

C:\Windows\mgbwjdezmhrhfpznckic.exe

mgbwjdezmhrhfpznckic.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\ogzsdvunyrznjrzlye.exe*."

C:\Windows\fwogqhfxhzgtovcnz.exe

fwogqhfxhzgtovcnz.exe .

C:\Windows\ogzsdvunyrznjrzlye.exe

ogzsdvunyrznjrzlye.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\fwogqhfxhzgtovcnz.exe*."

C:\Windows\fwogqhfxhzgtovcnz.exe

fwogqhfxhzgtovcnz.exe

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\ogzsdvunyrznjrzlye.exe*."

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\ogzsdvunyrznjrzlye.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe

C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe

bwsocxzvjfqhgrcrhqpkg.exe .

C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe

C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe

C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe

C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe

bwsocxzvjfqhgrcrhqpkg.exe

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\fwogqhfxhzgtovcnz.exe*."

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\bwsocxzvjfqhgrcrhqpkg.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .

C:\Windows\ogzsdvunyrznjrzlye.exe

ogzsdvunyrznjrzlye.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\mgbwjdezmhrhfpznckic.exe*."

C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe

C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\ogzsdvunyrznjrzlye.exe*."

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\bwsocxzvjfqhgrcrhqpkg.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\ogzsdvunyrznjrzlye.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe

C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe

bwsocxzvjfqhgrcrhqpkg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\mgbwjdezmhrhfpznckic.exe

mgbwjdezmhrhfpznckic.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."

C:\Windows\mgbwjdezmhrhfpznckic.exe

mgbwjdezmhrhfpznckic.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe .

C:\Windows\fwogqhfxhzgtovcnz.exe

fwogqhfxhzgtovcnz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\fwogqhfxhzgtovcnz.exe*."

C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe

C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\bwsocxzvjfqhgrcrhqpkg.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\mgbwjdezmhrhfpznckic.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\fwogqhfxhzgtovcnz.exe

fwogqhfxhzgtovcnz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe .

C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe

bwsocxzvjfqhgrcrhqpkg.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\bwsocxzvjfqhgrcrhqpkg.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe

C:\Windows\fwogqhfxhzgtovcnz.exe

fwogqhfxhzgtovcnz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .

C:\Windows\mgbwjdezmhrhfpznckic.exe

mgbwjdezmhrhfpznckic.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."

C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe

C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\fwogqhfxhzgtovcnz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe

C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\bwsocxzvjfqhgrcrhqpkg.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe

C:\Windows\yofwfvsjsjpbvbhr.exe

yofwfvsjsjpbvbhr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\fwogqhfxhzgtovcnz.exe

fwogqhfxhzgtovcnz.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\fwogqhfxhzgtovcnz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe

C:\Windows\mgbwjdezmhrhfpznckic.exe

mgbwjdezmhrhfpznckic.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .

C:\Windows\mgbwjdezmhrhfpznckic.exe

mgbwjdezmhrhfpznckic.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."

C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe

C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .

C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe

C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\fwogqhfxhzgtovcnz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\yofwfvsjsjpbvbhr.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe

C:\Windows\yofwfvsjsjpbvbhr.exe

yofwfvsjsjpbvbhr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe .

C:\Windows\zsmgsllfrlujgpylzgd.exe

zsmgsllfrlujgpylzgd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\zsmgsllfrlujgpylzgd.exe*."

C:\Windows\fwogqhfxhzgtovcnz.exe

fwogqhfxhzgtovcnz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe .

C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe

bwsocxzvjfqhgrcrhqpkg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe

C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe

C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\bwsocxzvjfqhgrcrhqpkg.exe*."

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\mgbwjdezmhrhfpznckic.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe

C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe

C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .

C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe

C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\fwogqhfxhzgtovcnz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe

C:\Windows\yofwfvsjsjpbvbhr.exe

yofwfvsjsjpbvbhr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe .

C:\Windows\yofwfvsjsjpbvbhr.exe

yofwfvsjsjpbvbhr.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\yofwfvsjsjpbvbhr.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe

C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe

bwsocxzvjfqhgrcrhqpkg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe .

C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe

bwsocxzvjfqhgrcrhqpkg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\bwsocxzvjfqhgrcrhqpkg.exe*."

C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe

C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\bwsocxzvjfqhgrcrhqpkg.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe

C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe

C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .

C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe

C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\zsmgsllfrlujgpylzgd.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe

C:\Windows\zsmgsllfrlujgpylzgd.exe

zsmgsllfrlujgpylzgd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe .

C:\Windows\yofwfvsjsjpbvbhr.exe

yofwfvsjsjpbvbhr.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\yofwfvsjsjpbvbhr.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .

C:\Windows\ogzsdvunyrznjrzlye.exe

ogzsdvunyrznjrzlye.exe

C:\Windows\mgbwjdezmhrhfpznckic.exe

mgbwjdezmhrhfpznckic.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe

C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe

C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\ogzsdvunyrznjrzlye.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe

C:\Windows\mgbwjdezmhrhfpznckic.exe

mgbwjdezmhrhfpznckic.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe

C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe

C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .

C:\Windows\fwogqhfxhzgtovcnz.exe

fwogqhfxhzgtovcnz.exe

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\ogzsdvunyrznjrzlye.exe*."

C:\Windows\yofwfvsjsjpbvbhr.exe

yofwfvsjsjpbvbhr.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe

C:\Windows\zsmgsllfrlujgpylzgd.exe

zsmgsllfrlujgpylzgd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\yofwfvsjsjpbvbhr.exe*."

C:\Windows\ogzsdvunyrznjrzlye.exe

ogzsdvunyrznjrzlye.exe

C:\Windows\mgbwjdezmhrhfpznckic.exe

mgbwjdezmhrhfpznckic.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\zsmgsllfrlujgpylzgd.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .

C:\Windows\zsmgsllfrlujgpylzgd.exe

zsmgsllfrlujgpylzgd.exe

C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe

C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe

C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe

bwsocxzvjfqhgrcrhqpkg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."

C:\Windows\zsmgsllfrlujgpylzgd.exe

zsmgsllfrlujgpylzgd.exe

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Windows\mgbwjdezmhrhfpznckic.exe

mgbwjdezmhrhfpznckic.exe .

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\bwsocxzvjfqhgrcrhqpkg.exe*."

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\mgbwjdezmhrhfpznckic.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\yofwfvsjsjpbvbhr.exe*."

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."

C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe

C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .

C:\Windows\yofwfvsjsjpbvbhr.exe

yofwfvsjsjpbvbhr.exe

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Windows\mgbwjdezmhrhfpznckic.exe

mgbwjdezmhrhfpznckic.exe .

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .

C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe

C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\zsmgsllfrlujgpylzgd.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\fwogqhfxhzgtovcnz.exe*."

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\ogzsdvunyrznjrzlye.exe*."

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\mgbwjdezmhrhfpznckic.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe

C:\Windows\fwogqhfxhzgtovcnz.exe

fwogqhfxhzgtovcnz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe .

C:\Windows\fwogqhfxhzgtovcnz.exe

fwogqhfxhzgtovcnz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\fwogqhfxhzgtovcnz.exe*."

C:\Windows\yofwfvsjsjpbvbhr.exe

yofwfvsjsjpbvbhr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .

C:\Windows\mgbwjdezmhrhfpznckic.exe

mgbwjdezmhrhfpznckic.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe

C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe

C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\yofwfvsjsjpbvbhr.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe

C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe

C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .

C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe

C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\bwsocxzvjfqhgrcrhqpkg.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\mgbwjdezmhrhfpznckic.exe

mgbwjdezmhrhfpznckic.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe .

C:\Windows\fwogqhfxhzgtovcnz.exe

fwogqhfxhzgtovcnz.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\fwogqhfxhzgtovcnz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe

C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe

bwsocxzvjfqhgrcrhqpkg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .

C:\Windows\mgbwjdezmhrhfpznckic.exe

mgbwjdezmhrhfpznckic.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."

C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe

C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .

C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe

C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\zsmgsllfrlujgpylzgd.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .

C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe

C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\fwogqhfxhzgtovcnz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe

C:\Windows\zsmgsllfrlujgpylzgd.exe

zsmgsllfrlujgpylzgd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe .

C:\Windows\fwogqhfxhzgtovcnz.exe

fwogqhfxhzgtovcnz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\fwogqhfxhzgtovcnz.exe*."

C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe

bwsocxzvjfqhgrcrhqpkg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .

C:\Windows\mgbwjdezmhrhfpznckic.exe

mgbwjdezmhrhfpznckic.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .

C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe

C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\zsmgsllfrlujgpylzgd.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe

C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\ogzsdvunyrznjrzlye.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe

C:\Windows\yofwfvsjsjpbvbhr.exe

yofwfvsjsjpbvbhr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .

C:\Windows\mgbwjdezmhrhfpznckic.exe

mgbwjdezmhrhfpznckic.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."

C:\Windows\fwogqhfxhzgtovcnz.exe

fwogqhfxhzgtovcnz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\yofwfvsjsjpbvbhr.exe

yofwfvsjsjpbvbhr.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\yofwfvsjsjpbvbhr.exe*."

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .

C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe

C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\bwsocxzvjfqhgrcrhqpkg.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe

C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe

C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\ogzsdvunyrznjrzlye.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe

C:\Windows\fwogqhfxhzgtovcnz.exe

fwogqhfxhzgtovcnz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe .

C:\Windows\ogzsdvunyrznjrzlye.exe

ogzsdvunyrznjrzlye.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\ogzsdvunyrznjrzlye.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe

C:\Windows\ogzsdvunyrznjrzlye.exe

ogzsdvunyrznjrzlye.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe .

C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe

bwsocxzvjfqhgrcrhqpkg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe

C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe

C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\bwsocxzvjfqhgrcrhqpkg.exe*."

C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe

C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\fwogqhfxhzgtovcnz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .

C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe

C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\zsmgsllfrlujgpylzgd.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe

C:\Windows\yofwfvsjsjpbvbhr.exe

yofwfvsjsjpbvbhr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe .

C:\Windows\ogzsdvunyrznjrzlye.exe

ogzsdvunyrznjrzlye.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\ogzsdvunyrznjrzlye.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe

C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe

bwsocxzvjfqhgrcrhqpkg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\fwogqhfxhzgtovcnz.exe

fwogqhfxhzgtovcnz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe

C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe

C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\fwogqhfxhzgtovcnz.exe*."

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\yofwfvsjsjpbvbhr.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe

C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe

C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .

C:\Windows\ogzsdvunyrznjrzlye.exe

ogzsdvunyrznjrzlye.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .

C:\Windows\fwogqhfxhzgtovcnz.exe

fwogqhfxhzgtovcnz.exe

C:\Windows\mgbwjdezmhrhfpznckic.exe

mgbwjdezmhrhfpznckic.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\mgbwjdezmhrhfpznckic.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe .

C:\Windows\fwogqhfxhzgtovcnz.exe

fwogqhfxhzgtovcnz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe

C:\Windows\ogzsdvunyrznjrzlye.exe

ogzsdvunyrznjrzlye.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Windows\zsmgsllfrlujgpylzgd.exe

zsmgsllfrlujgpylzgd.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\yofwfvsjsjpbvbhr.exe

yofwfvsjsjpbvbhr.exe

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\fwogqhfxhzgtovcnz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe .

C:\Windows\mgbwjdezmhrhfpznckic.exe

mgbwjdezmhrhfpznckic.exe .

C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe

C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\zsmgsllfrlujgpylzgd.exe*."

C:\Windows\yofwfvsjsjpbvbhr.exe

yofwfvsjsjpbvbhr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .

C:\Windows\ogzsdvunyrznjrzlye.exe

ogzsdvunyrznjrzlye.exe .

C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe

C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Windows\mgbwjdezmhrhfpznckic.exe

mgbwjdezmhrhfpznckic.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\mgbwjdezmhrhfpznckic.exe*."

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\bwsocxzvjfqhgrcrhqpkg.exe*."

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\ogzsdvunyrznjrzlye.exe*."

C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe

C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .

C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe

C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Windows\ogzsdvunyrznjrzlye.exe

ogzsdvunyrznjrzlye.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\zsmgsllfrlujgpylzgd.exe*."

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\yofwfvsjsjpbvbhr.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .

C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe

C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\mgbwjdezmhrhfpznckic.exe*."

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\ogzsdvunyrznjrzlye.exe*."

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\ogzsdvunyrznjrzlye.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\zsmgsllfrlujgpylzgd.exe

zsmgsllfrlujgpylzgd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\ogzsdvunyrznjrzlye.exe

ogzsdvunyrznjrzlye.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\ogzsdvunyrznjrzlye.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe .

C:\Windows\yofwfvsjsjpbvbhr.exe

yofwfvsjsjpbvbhr.exe

C:\Windows\fwogqhfxhzgtovcnz.exe

fwogqhfxhzgtovcnz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe

C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe

C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\fwogqhfxhzgtovcnz.exe*."

C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe

C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\fwogqhfxhzgtovcnz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe

C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\zsmgsllfrlujgpylzgd.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\zsmgsllfrlujgpylzgd.exe

zsmgsllfrlujgpylzgd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe .

C:\Windows\ogzsdvunyrznjrzlye.exe

ogzsdvunyrznjrzlye.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\ogzsdvunyrznjrzlye.exe*."

C:\Windows\yofwfvsjsjpbvbhr.exe

yofwfvsjsjpbvbhr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .

C:\Windows\mgbwjdezmhrhfpznckic.exe

mgbwjdezmhrhfpznckic.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\mgbwjdezmhrhfpznckic.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe

C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe

C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\mgbwjdezmhrhfpznckic.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe

C:\Windows\ogzsdvunyrznjrzlye.exe

ogzsdvunyrznjrzlye.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe .

C:\Windows\yofwfvsjsjpbvbhr.exe

yofwfvsjsjpbvbhr.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\yofwfvsjsjpbvbhr.exe*."

C:\Windows\fwogqhfxhzgtovcnz.exe

fwogqhfxhzgtovcnz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Windows\mgbwjdezmhrhfpznckic.exe

mgbwjdezmhrhfpznckic.exe .

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."

C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe

C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\bwsocxzvjfqhgrcrhqpkg.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .

C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe

C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\zsmgsllfrlujgpylzgd.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe

C:\Windows\mgbwjdezmhrhfpznckic.exe

mgbwjdezmhrhfpznckic.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe .

C:\Windows\zsmgsllfrlujgpylzgd.exe

zsmgsllfrlujgpylzgd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\zsmgsllfrlujgpylzgd.exe*."

C:\Windows\zsmgsllfrlujgpylzgd.exe

zsmgsllfrlujgpylzgd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe

C:\Windows\zsmgsllfrlujgpylzgd.exe

zsmgsllfrlujgpylzgd.exe .

C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe

C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\zsmgsllfrlujgpylzgd.exe*."

C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe

C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\fwogqhfxhzgtovcnz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe

C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe

C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\yofwfvsjsjpbvbhr.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe

C:\Windows\ogzsdvunyrznjrzlye.exe

ogzsdvunyrznjrzlye.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe .

C:\Windows\fwogqhfxhzgtovcnz.exe

fwogqhfxhzgtovcnz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\fwogqhfxhzgtovcnz.exe*."

C:\Windows\yofwfvsjsjpbvbhr.exe

yofwfvsjsjpbvbhr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe .

C:\Windows\yofwfvsjsjpbvbhr.exe

yofwfvsjsjpbvbhr.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\yofwfvsjsjpbvbhr.exe*."

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .

C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe

C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\fwogqhfxhzgtovcnz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\yofwfvsjsjpbvbhr.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe

C:\Windows\ogzsdvunyrznjrzlye.exe

ogzsdvunyrznjrzlye.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe .

C:\Windows\fwogqhfxhzgtovcnz.exe

fwogqhfxhzgtovcnz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\fwogqhfxhzgtovcnz.exe*."

C:\Windows\fwogqhfxhzgtovcnz.exe

fwogqhfxhzgtovcnz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\ogzsdvunyrznjrzlye.exe

ogzsdvunyrznjrzlye.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\ogzsdvunyrznjrzlye.exe*."

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\yofwfvsjsjpbvbhr.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .

C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe

C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\bwsocxzvjfqhgrcrhqpkg.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe

C:\Windows\zsmgsllfrlujgpylzgd.exe

zsmgsllfrlujgpylzgd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe .

C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe

bwsocxzvjfqhgrcrhqpkg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe .

C:\Windows\zsmgsllfrlujgpylzgd.exe

zsmgsllfrlujgpylzgd.exe .

C:\Windows\fwogqhfxhzgtovcnz.exe

fwogqhfxhzgtovcnz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\zsmgsllfrlujgpylzgd.exe*."

C:\Windows\yofwfvsjsjpbvbhr.exe

yofwfvsjsjpbvbhr.exe

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\fwogqhfxhzgtovcnz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe

C:\Windows\yofwfvsjsjpbvbhr.exe

yofwfvsjsjpbvbhr.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe .

C:\Windows\yofwfvsjsjpbvbhr.exe

yofwfvsjsjpbvbhr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .

C:\Windows\ogzsdvunyrznjrzlye.exe

ogzsdvunyrznjrzlye.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .

C:\Windows\zsmgsllfrlujgpylzgd.exe

zsmgsllfrlujgpylzgd.exe .

C:\Windows\ogzsdvunyrznjrzlye.exe

ogzsdvunyrznjrzlye.exe .

C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe

C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe .

C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe

C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\ogzsdvunyrznjrzlye.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\zsmgsllfrlujgpylzgd.exe*."

C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe

C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\ogzsdvunyrznjrzlye.exe*."

C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe

bwsocxzvjfqhgrcrhqpkg.exe .

C:\Windows\fwogqhfxhzgtovcnz.exe

fwogqhfxhzgtovcnz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\zsmgsllfrlujgpylzgd.exe*."

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\fwogqhfxhzgtovcnz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe

C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe

C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe

C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\bwsocxzvjfqhgrcrhqpkg.exe*."

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .

C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe

C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\bwsocxzvjfqhgrcrhqpkg.exe*."

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\bwsocxzvjfqhgrcrhqpkg.exe*."

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\ogzsdvunyrznjrzlye.exe*."

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\ogzsdvunyrznjrzlye.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe

C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe

bwsocxzvjfqhgrcrhqpkg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .

C:\Windows\mgbwjdezmhrhfpznckic.exe

mgbwjdezmhrhfpznckic.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."

C:\Windows\fwogqhfxhzgtovcnz.exe

fwogqhfxhzgtovcnz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe .

C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe

bwsocxzvjfqhgrcrhqpkg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\bwsocxzvjfqhgrcrhqpkg.exe*."

C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe

C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .

C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe

C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\fwogqhfxhzgtovcnz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe

C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe

C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .

C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe

C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\zsmgsllfrlujgpylzgd.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe

C:\Windows\zsmgsllfrlujgpylzgd.exe

zsmgsllfrlujgpylzgd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe .

C:\Windows\fwogqhfxhzgtovcnz.exe

fwogqhfxhzgtovcnz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\fwogqhfxhzgtovcnz.exe*."

C:\Windows\mgbwjdezmhrhfpznckic.exe

mgbwjdezmhrhfpznckic.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe .

C:\Windows\ogzsdvunyrznjrzlye.exe

ogzsdvunyrznjrzlye.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\ogzsdvunyrznjrzlye.exe*."

C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe

C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\mgbwjdezmhrhfpznckic.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\mgbwjdezmhrhfpznckic.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe

C:\Windows\yofwfvsjsjpbvbhr.exe

yofwfvsjsjpbvbhr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .

C:\Windows\mgbwjdezmhrhfpznckic.exe

mgbwjdezmhrhfpznckic.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."

C:\Windows\mgbwjdezmhrhfpznckic.exe

mgbwjdezmhrhfpznckic.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe .

C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe

bwsocxzvjfqhgrcrhqpkg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\bwsocxzvjfqhgrcrhqpkg.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\yofwfvsjsjpbvbhr.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe

C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe

C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .

C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe

C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\fwogqhfxhzgtovcnz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\yofwfvsjsjpbvbhr.exe

yofwfvsjsjpbvbhr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe .

C:\Windows\fwogqhfxhzgtovcnz.exe

fwogqhfxhzgtovcnz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\fwogqhfxhzgtovcnz.exe*."

C:\Windows\fwogqhfxhzgtovcnz.exe

fwogqhfxhzgtovcnz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe .

C:\Windows\fwogqhfxhzgtovcnz.exe

fwogqhfxhzgtovcnz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\fwogqhfxhzgtovcnz.exe*."

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\mgbwjdezmhrhfpznckic.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\yofwfvsjsjpbvbhr.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe

C:\Windows\zsmgsllfrlujgpylzgd.exe

zsmgsllfrlujgpylzgd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe .

C:\Windows\fwogqhfxhzgtovcnz.exe

fwogqhfxhzgtovcnz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\fwogqhfxhzgtovcnz.exe*."

C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe

bwsocxzvjfqhgrcrhqpkg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\mgbwjdezmhrhfpznckic.exe

mgbwjdezmhrhfpznckic.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe

C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\ogzsdvunyrznjrzlye.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .

C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe

C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\fwogqhfxhzgtovcnz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.showmyipaddress.com udp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 172.66.43.169:80 www.whatismyip.com tcp
US 172.66.43.169:80 www.whatismyip.com tcp
US 172.66.43.169:80 www.whatismyip.com tcp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 172.66.43.169:80 www.whatismyip.com tcp
US 172.66.43.169:80 www.whatismyip.com tcp
US 104.19.222.79:80 whatismyipaddress.com tcp
NL 108.177.127.91:80 www.youtube.com tcp
KZ 95.56.12.117:42839 tcp
DE 85.214.228.140:80 gyuuym.org tcp
SG 18.142.91.111:80 unxfuild.info tcp
US 104.156.155.94:80 cydlrge.info tcp
MD 94.243.110.54:24785 tcp
US 8.8.8.8:53 ewhqxezcwwc.net udp
LT 91.231.76.205:23375 tcp
US 8.8.8.8:53 berijmyob.com udp
US 8.8.8.8:53 zyfitez.info udp
US 8.8.8.8:53 wactfwugvnh.info udp
KZ 95.56.12.117:42839 tcp
US 8.8.8.8:53 cxewloz.net udp
US 8.8.8.8:53 ialtjonec.info udp
BY 178.172.241.45:24629 tcp
US 8.8.8.8:53 dflqknsl.net udp
US 8.8.8.8:53 rsmgvipsbxn.org udp
US 8.8.8.8:53 stfzpsrmqkdz.info udp
TN 196.203.63.157:26832 tcp
US 8.8.8.8:53 njmyupro.net udp
US 8.8.8.8:53 ofrvdxkvxege.info udp
LT 78.60.137.134:36561 tcp
US 8.8.8.8:53 qyomwiskoe.com udp
US 8.8.8.8:53 edorjl.info udp
US 8.8.8.8:53 ioqpsalu.info udp
LT 5.20.66.115:45152 tcp
US 8.8.8.8:53 lzbjkx.info udp
US 8.8.8.8:53 blriytvijot.com udp
BG 94.139.219.143:24499 tcp
US 8.8.8.8:53 tqyfnr.info udp
US 8.8.8.8:53 zrizzt.net udp
BG 212.73.158.164:38314 tcp
US 8.8.8.8:53 ndlxacdmjh.net udp
US 8.8.8.8:53 xrctizgjhu.net udp
US 8.8.8.8:53 mvunzteads.info udp
BG 212.73.158.164:38314 tcp
US 8.8.8.8:53 tmwgqroevroo.info udp
US 8.8.8.8:53 snbblgoowog.info udp
US 8.8.8.8:53 gyquywiaos.org udp
US 8.8.8.8:53 pslxxdt.net udp
IT 151.51.22.129:24742 tcp
US 8.8.8.8:53 eufesoo.info udp
US 8.8.8.8:53 vyvijbihvn.info udp
AM 46.241.134.173:23589 tcp
US 8.8.8.8:53 hbaqnoo.net udp
US 8.8.8.8:53 bzdmnahcvcac.net udp
US 8.8.8.8:53 wcnawcg.info udp
US 8.8.8.8:53 cegiuoky.org udp
US 8.8.8.8:53 aoukgega.org udp
US 8.8.8.8:53 aqzabijoxac.net udp
US 8.8.8.8:53 bpdtvknodwoy.info udp
US 8.8.8.8:53 qmcajgg.info udp
US 8.8.8.8:53 gdrhrvfi.net udp
US 8.8.8.8:53 sinwfk.info udp
US 8.8.8.8:53 nsfkudrunez.net udp
DE 24.134.86.213:37182 tcp
US 8.8.8.8:53 cykogcgqqcuu.com udp
US 8.8.8.8:53 wcfnrgfs.net udp
US 8.8.8.8:53 qyqigk.com udp
US 8.8.8.8:53 nidozf.info udp
US 8.8.8.8:53 mkwgaooe.com udp
US 8.8.8.8:53 oyuusybipen.info udp
US 8.8.8.8:53 bjdoxjburcjd.info udp
US 8.8.8.8:53 opmapihwl.net udp
US 8.8.8.8:53 crsgcadvaz.net udp
US 8.8.8.8:53 ekqaao.com udp
RU 77.223.78.79:38707 tcp
US 8.8.8.8:53 gyjwtahmpgs.info udp
US 8.8.8.8:53 egdyuex.info udp
US 8.8.8.8:53 zrwyvfag.info udp
US 8.8.8.8:53 hjfdpmp.org udp
US 8.8.8.8:53 vfpxrtqrrdaf.info udp
US 8.8.8.8:53 dloueuwi.info udp
US 8.8.8.8:53 ehjskpaeaelw.info udp
US 8.8.8.8:53 yqdindvszcl.info udp
US 8.8.8.8:53 dxyslmpozuo.net udp
US 8.8.8.8:53 enfmfb.info udp
US 8.8.8.8:53 oqxxpz.info udp
US 8.8.8.8:53 vzqkjd.net udp
US 8.8.8.8:53 vxfwhrnddrzi.info udp
US 8.8.8.8:53 rqntqjqa.info udp
US 8.8.8.8:53 owtumceqt.info udp
US 8.8.8.8:53 ugwfhgwodot.net udp
US 8.8.8.8:53 sqkopyr.info udp
US 8.8.8.8:53 vsshddtk.net udp
US 8.8.8.8:53 yiwycqmk.com udp
US 8.8.8.8:53 uceotyqjb.net udp
US 8.8.8.8:53 wgueumiiqsma.org udp
US 8.8.8.8:53 poavzckqsq.net udp
US 8.8.8.8:53 nmqeugpunoyn.info udp
US 8.8.8.8:53 ieieid.info udp
US 8.8.8.8:53 ouqidxb.info udp
US 8.8.8.8:53 xkaumqztnxdp.info udp
RU 37.78.53.100:31421 tcp
US 8.8.8.8:53 cmnwyj.net udp
US 8.8.8.8:53 zhkzkjvahw.info udp
US 8.8.8.8:53 akyaagygymke.com udp
US 8.8.8.8:53 tezyggnrhcr.info udp
US 8.8.8.8:53 tkjttkr.info udp
US 8.8.8.8:53 lktcrbw.com udp
US 8.8.8.8:53 xengsf.info udp
US 8.8.8.8:53 sulaoihqudx.info udp
US 8.8.8.8:53 zzqifvyi.net udp
US 8.8.8.8:53 uutucqocfv.info udp

Files

C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe

MD5 1dd5dd5561723f37ccc81e15ecdbf830
SHA1 eeb9131c8d276ceb710d163e89fdc62b3e111971
SHA256 c8c542ac3f6526d1501c2b9d6262bfa029a1ac0d9dd6b3c1965977abdd8bd126
SHA512 b4881d7cd0c2ceeba067e13d23763e739389108d1269acd6c343dd308aa1fedde89da696a8482944342f44ea1094ea6b50021a15d4c6d03762ba032a9598bba5

C:\Windows\SysWOW64\ogzsdvunyrznjrzlye.exe

MD5 c45c7c3be165367d7676c127dbdc2050
SHA1 0ca4bbd08beb9ce9e8bd6807113345389aa07588
SHA256 7be6ccadfe39aff45029a30fe34b3c87ac49ebbad791c34e2ff8bb30e7e07721
SHA512 d0aa1e6158da64512f9098ed1ae8d33d1882a1c23fb2c7bbbc3a3c0e331355d24dc302ef4f5b778d17f952fdd93adfd5e77fc81c73c5b119793b398edb43bbb3

C:\Users\Admin\AppData\Local\Temp\bgmsq.exe

MD5 9b1be8accec33c5b7beb6711c76dfae2
SHA1 5312f362bc5881f433ade4527ebdbb57259d35bd
SHA256 43a4724768897e3163dbfa6f7479bb2db6b294b66d050be0aff2e8dc09ce4715
SHA512 2dae7b343b86c41b598d8adb1d598f9e6289c37b7c0d52616cbfed7144ac99500f5bf9adbd34b9a5d2e15c57255d09e7acbfa9ca292387685ef3a71278408055

C:\Users\Admin\AppData\Local\gilojluxsvnlrjbxukqsvytv.hcf

MD5 7b8e0bf33294d53b402c9fde89252477
SHA1 e5e2d5e66d3b7832277c60df533b9c34de1c4a5e
SHA256 1cd2d5d3526b4ed79a866275e29d67aa2bd57a37dc695350df6317f46d762958
SHA512 38f764525ef57e31cbbdbeca28081853313a2daf35fffb771d23da9886ba772f42b86c15fc6d763e9602de98704511b246dd6673f127d54c4ed4ba8bb3ad41f1

C:\Users\Admin\AppData\Local\pcqekxrflzclcfipxypcqekxrflzclcfipx.pcq

MD5 897cf0c69c02e6ea109606327103bac8
SHA1 09edd7dc7d8665ede0698ec2dc178e59ffce5d3d
SHA256 1c4ea4eb92a0c81da6e079f19eba812ff16422cf53f0fc0605212e426cae1718
SHA512 4d7a06c8d51842522be673457d02588311614b61be6498b047d125e4544a5963ec49825df78b3ddb7cd5b4b0a1e30fd97a7c9cc537f8fc37c34e313a0c687aba

C:\Program Files (x86)\gilojluxsvnlrjbxukqsvytv.hcf

MD5 ba3d7f8ee3c82a13a67ab55a75e591b5
SHA1 41513507db2af6f132e09bb8b9b6f2cc06f98e41
SHA256 30d60c058d395d11cef3c2e29335ba980a212f91f6ae6f8a11b4f21f61905872
SHA512 0d9e0222694aea8e60226210f149406b2045f019eb8b2a01ac8f26a3941f77a7df3beed533c0481116d605901db032a7e0b935341423486ecd761a4a3b5b7feb

C:\Program Files (x86)\gilojluxsvnlrjbxukqsvytv.hcf

MD5 0abad651bdca5f3c325c74e86f969747
SHA1 91ace5566978db16ae1aca8437848fe3a84ced3a
SHA256 132703b05e0d6a083b44f0d384179e22a0cabe946d96dbd7698c7cb7de0d3762
SHA512 d94dcd68551ac7fe8f642b18abde0c5e88f02d4fcb4d22487139612c640699ab55f6dec0281815bb99c848ccfae78109b5c7fed1580d062b552c228f3aa5f454

C:\Program Files (x86)\gilojluxsvnlrjbxukqsvytv.hcf

MD5 84bcf59b800466b46f654cd46931e73a
SHA1 18df896842f60e84f2d0baeb406c4489ef6b767a
SHA256 0b19af35d337302f1acfac58e622773430ccdeb7b9c900dd3e9b7a8b2e333e24
SHA512 542fbc493bc7e4dd1aadf6300eb2badd3a7e63ce97415568b28cdd53c8d4dfaf353e8f2db3c5d62fe1c582b3ef9693d7af28d9d750b89442d0153ad14ed6a3a3

C:\Program Files (x86)\gilojluxsvnlrjbxukqsvytv.hcf

MD5 0239a0f4222162b5abf7c3d129f70d4c
SHA1 ae73d691609b2f1d592d64835f89ffa379d7045f
SHA256 f5b6958571480df1eb2c0805d03d116ba0dc466dda10f72e0d07cd1e63f5ffa9
SHA512 262eb7561df1e0ca27ae5c0564ac700d01e0af955968b1fbdd8b95e7f842e3f7999c059843fa2109315590c50f8a0801353c2d52899d9499a1b0c318c7dfb166

C:\Program Files (x86)\gilojluxsvnlrjbxukqsvytv.hcf

MD5 3a70d23c58a5dafad65772cb10e8a304
SHA1 6c048c19fad3d1460b96febf3038f955fb26699b
SHA256 39a9d888c225995ce687f00cf58bf2353fb68d4841b11f7bbdbda455c2be0e22
SHA512 3df13f508751e3cf0a8371338dc52bb1fb1525e6a9a6cc79709fe7aebb66000f1d0b9351a4d1b07c8fc5c4043a16c516196f45a785d444b59d1c14f39e73dd07

Analysis: behavioral1

Detonation Overview

Submitted

2025-04-20 03:34

Reported

2025-04-20 03:36

Platform

win10v2004-20250410-en

Max time kernel

36s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A

Pykspa

worm pykspa

Pykspa family

pykspa

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A

Detect Pykspa worm

worm
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ndqznvdpbkc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gfbtqhytoghwbozbebcb.exe" C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ndqznvdpbkc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ifzpkzohaqpcfqzzav.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kdtfwhshwidmls = "trmdzpfztkkycoyzbxx.exe" C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kdtfwhshwidmls = "trmdzpfztkkycoyzbxx.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kdtfwhshwidmls = "zvodxlzrjywikucbb.exe" C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ndqznvdpbkc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vvsljbtplegwcqcfjhjjg.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bltbhrglwn = "rjzpdvsfyxknyhhidl.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kdtfwhshwidmls = "vvsljbtplegwcqcfjhjjg.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ndqznvdpbkc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\snftmzmduifqrahf.exe" C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kdtfwhshwidmls = "zvodxlzrjywikucbb.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ndqznvdpbkc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vvsljbtplegwcqcfjhjjg.exe" C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ndqznvdpbkc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\trmdzpfztkkycoyzbxx.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ndqznvdpbkc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ifzpkzohaqpcfqzzav.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kdtfwhshwidmls = "vvsljbtplegwcqcfjhjjg.exe" C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ndqznvdpbkc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\trmdzpfztkkycoyzbxx.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kdtfwhshwidmls = "gfbtqhytoghwbozbebcb.exe" C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kdtfwhshwidmls = "zvodxlzrjywikucbb.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ndqznvdpbkc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\snftmzmduifqrahf.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ndqznvdpbkc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\trmdzpfztkkycoyzbxx.exe" C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ndqznvdpbkc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ifzpkzohaqpcfqzzav.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kdtfwhshwidmls = "gfbtqhytoghwbozbebcb.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ndqznvdpbkc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ifzpkzohaqpcfqzzav.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kdtfwhshwidmls = "gfbtqhytoghwbozbebcb.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kdtfwhshwidmls = "zvodxlzrjywikucbb.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kdtfwhshwidmls = "ifzpkzohaqpcfqzzav.exe" C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ndqznvdpbkc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gfbtqhytoghwbozbebcb.exe" C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kdtfwhshwidmls = "gfbtqhytoghwbozbebcb.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ndqznvdpbkc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\snftmzmduifqrahf.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kdtfwhshwidmls = "gfbtqhytoghwbozbebcb.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kdtfwhshwidmls = "ifzpkzohaqpcfqzzav.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ndqznvdpbkc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vvsljbtplegwcqcfjhjjg.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kdtfwhshwidmls = "ifzpkzohaqpcfqzzav.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kdtfwhshwidmls = "vvsljbtplegwcqcfjhjjg.exe" C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ndqznvdpbkc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\trmdzpfztkkycoyzbxx.exe" C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bltbhrglwn = "ezslcxxnjlbhvhkomxsle.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ndqznvdpbkc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gfbtqhytoghwbozbebcb.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kdtfwhshwidmls = "snftmzmduifqrahf.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ndqznvdpbkc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\snftmzmduifqrahf.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ndqznvdpbkc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zvodxlzrjywikucbb.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cjotwdp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rjzpdvsfyxknyhhidl.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kdtfwhshwidmls = "vvsljbtplegwcqcfjhjjg.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ndqznvdpbkc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zvodxlzrjywikucbb.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kdtfwhshwidmls = "snftmzmduifqrahf.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cjotwdp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cvmdsljxrrfjvfgieng.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A

Disables RegEdit via registry modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\Windows\gfbtqhytoghwbozbebcb.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\Windows\zvodxlzrjywikucbb.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\Windows\gfbtqhytoghwbozbebcb.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\Windows\zvodxlzrjywikucbb.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\Windows\vvsljbtplegwcqcfjhjjg.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\Windows\vvsljbtplegwcqcfjhjjg.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\Windows\zvodxlzrjywikucbb.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\Windows\snftmzmduifqrahf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\Windows\trmdzpfztkkycoyzbxx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\Windows\ifzpkzohaqpcfqzzav.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\Windows\trmdzpfztkkycoyzbxx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\Windows\vvsljbtplegwcqcfjhjjg.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\Windows\gfbtqhytoghwbozbebcb.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\Windows\gfbtqhytoghwbozbebcb.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\Windows\trmdzpfztkkycoyzbxx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\Windows\zvodxlzrjywikucbb.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\Windows\zvodxlzrjywikucbb.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\Windows\snftmzmduifqrahf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\Windows\gfbtqhytoghwbozbebcb.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\Windows\gfbtqhytoghwbozbebcb.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\Windows\ifzpkzohaqpcfqzzav.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\Windows\vvsljbtplegwcqcfjhjjg.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\Windows\vvsljbtplegwcqcfjhjjg.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\Windows\vvsljbtplegwcqcfjhjjg.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\Windows\zvodxlzrjywikucbb.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\Windows\vvsljbtplegwcqcfjhjjg.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\Windows\vvsljbtplegwcqcfjhjjg.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\Windows\zvodxlzrjywikucbb.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
N/A N/A C:\Windows\ifzpkzohaqpcfqzzav.exe N/A
N/A N/A C:\Windows\vvsljbtplegwcqcfjhjjg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
N/A N/A C:\Windows\zvodxlzrjywikucbb.exe N/A
N/A N/A C:\Windows\snftmzmduifqrahf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
N/A N/A C:\Windows\ifzpkzohaqpcfqzzav.exe N/A
N/A N/A C:\Windows\ifzpkzohaqpcfqzzav.exe N/A
N/A N/A C:\Windows\trmdzpfztkkycoyzbxx.exe N/A
N/A N/A C:\Windows\trmdzpfztkkycoyzbxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
N/A N/A C:\Windows\snftmzmduifqrahf.exe N/A
N/A N/A C:\Windows\vvsljbtplegwcqcfjhjjg.exe N/A
N/A N/A C:\Windows\snftmzmduifqrahf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe N/A
N/A N/A C:\Windows\vvsljbtplegwcqcfjhjjg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
N/A N/A C:\Windows\vvsljbtplegwcqcfjhjjg.exe N/A
N/A N/A C:\Windows\trmdzpfztkkycoyzbxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
N/A N/A C:\Windows\vvsljbtplegwcqcfjhjjg.exe N/A
N/A N/A C:\Windows\gfbtqhytoghwbozbebcb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
N/A N/A C:\Windows\zvodxlzrjywikucbb.exe N/A
N/A N/A C:\Windows\gfbtqhytoghwbozbebcb.exe N/A
N/A N/A C:\Windows\gfbtqhytoghwbozbebcb.exe N/A
N/A N/A C:\Windows\gfbtqhytoghwbozbebcb.exe N/A
N/A N/A C:\Windows\zvodxlzrjywikucbb.exe N/A
N/A N/A C:\Windows\zvodxlzrjywikucbb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
N/A N/A C:\Windows\ifzpkzohaqpcfqzzav.exe N/A
N/A N/A C:\Windows\snftmzmduifqrahf.exe N/A
N/A N/A C:\Windows\gfbtqhytoghwbozbebcb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jbqbrblznysay = "trmdzpfztkkycoyzbxx.exe ." C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\snftmzmduifqrahf = "gfbtqhytoghwbozbebcb.exe ." C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\snftmzmduifqrahf = "vvsljbtplegwcqcfjhjjg.exe ." C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jbqbrblznysay = "ifzpkzohaqpcfqzzav.exe ." C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kbpzoxgtgqjq = "ifzpkzohaqpcfqzzav.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\snftmzmduifqrahf = "snftmzmduifqrahf.exe ." C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kbpzoxgtgqjq = "ifzpkzohaqpcfqzzav.exe" C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kbpzoxgtgqjq = "vvsljbtplegwcqcfjhjjg.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\snftmzmduifqrahf = "gfbtqhytoghwbozbebcb.exe ." C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zvodxlzrjywikucbb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\snftmzmduifqrahf.exe ." C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\snftmzmduifqrahf = "vvsljbtplegwcqcfjhjjg.exe ." C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nhyldpbrhuqaaio = "snftmzmduifqrahf.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\iryfkthlv = "brftfvqbspabkrpo.exe ." C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jbqbrblznysay = "trmdzpfztkkycoyzbxx.exe ." C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ifzpkzohaqpcfqzzav = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ifzpkzohaqpcfqzzav.exe" C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kbpzoxgtgqjq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vvsljbtplegwcqcfjhjjg.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kbpzoxgtgqjq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\trmdzpfztkkycoyzbxx.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jbqbrblznysay = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ifzpkzohaqpcfqzzav.exe ." C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kbpzoxgtgqjq = "vvsljbtplegwcqcfjhjjg.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jbqbrblznysay = "zvodxlzrjywikucbb.exe ." C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zvodxlzrjywikucbb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\trmdzpfztkkycoyzbxx.exe ." C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zvodxlzrjywikucbb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vvsljbtplegwcqcfjhjjg.exe ." C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kbpzoxgtgqjq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vvsljbtplegwcqcfjhjjg.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jbqbrblznysay = "C:\\Users\\Admin\\AppData\\Local\\Temp\\snftmzmduifqrahf.exe ." C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\thtfpdwfupyxej = "C:\\Users\\Admin\\AppData\\Local\\Temp\\izodqhdphfrtdlkke.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ifzpkzohaqpcfqzzav = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vvsljbtplegwcqcfjhjjg.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nhyldpbrhuqaaio = "snftmzmduifqrahf.exe" C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ifzpkzohaqpcfqzzav = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vvsljbtplegwcqcfjhjjg.exe" C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kbpzoxgtgqjq = "trmdzpfztkkycoyzbxx.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kbpzoxgtgqjq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vvsljbtplegwcqcfjhjjg.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kbpzoxgtgqjq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\trmdzpfztkkycoyzbxx.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nhyldpbrhuqaaio = "vvsljbtplegwcqcfjhjjg.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jbqbrblznysay = "vvsljbtplegwcqcfjhjjg.exe ." C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kbpzoxgtgqjq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gfbtqhytoghwbozbebcb.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zvodxlzrjywikucbb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ifzpkzohaqpcfqzzav.exe ." C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kbpzoxgtgqjq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\snftmzmduifqrahf.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nhyldpbrhuqaaio = "ifzpkzohaqpcfqzzav.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kbpzoxgtgqjq = "vvsljbtplegwcqcfjhjjg.exe" C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kbpzoxgtgqjq = "snftmzmduifqrahf.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nhyldpbrhuqaaio = "trmdzpfztkkycoyzbxx.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jbqbrblznysay = "vvsljbtplegwcqcfjhjjg.exe ." C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jbqbrblznysay = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vvsljbtplegwcqcfjhjjg.exe ." C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ifzpkzohaqpcfqzzav = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gfbtqhytoghwbozbebcb.exe" C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nhyldpbrhuqaaio = "snftmzmduifqrahf.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zvodxlzrjywikucbb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\trmdzpfztkkycoyzbxx.exe ." C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kbpzoxgtgqjq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\snftmzmduifqrahf.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jbqbrblznysay = "C:\\Users\\Admin\\AppData\\Local\\Temp\\trmdzpfztkkycoyzbxx.exe ." C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nhyldpbrhuqaaio = "trmdzpfztkkycoyzbxx.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nhyldpbrhuqaaio = "vvsljbtplegwcqcfjhjjg.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\snftmzmduifqrahf = "trmdzpfztkkycoyzbxx.exe ." C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kbpzoxgtgqjq = "vvsljbtplegwcqcfjhjjg.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zvodxlzrjywikucbb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ifzpkzohaqpcfqzzav.exe ." C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kbpzoxgtgqjq = "trmdzpfztkkycoyzbxx.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ifzpkzohaqpcfqzzav = "C:\\Users\\Admin\\AppData\\Local\\Temp\\snftmzmduifqrahf.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\snftmzmduifqrahf = "ifzpkzohaqpcfqzzav.exe ." C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jbqbrblznysay = "zvodxlzrjywikucbb.exe ." C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ifzpkzohaqpcfqzzav = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ifzpkzohaqpcfqzzav.exe" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zvodxlzrjywikucbb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zvodxlzrjywikucbb.exe ." C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tfpzhtkrexeb = "brftfvqbspabkrpo.exe ." C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jbqbrblznysay = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ifzpkzohaqpcfqzzav.exe ." C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jbqbrblznysay = "snftmzmduifqrahf.exe ." C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\snftmzmduifqrahf = "gfbtqhytoghwbozbebcb.exe ." C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tfpzhtkrexeb = "ezslcxxnjlbhvhkomxsle.exe ." C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jbqbrblznysay = "zvodxlzrjywikucbb.exe ." C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A

Hijack Execution Flow: Executable Installer File Permissions Weakness

defense_evasion persistence privilege_escalation
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A www.whatismyip.ca N/A N/A
N/A whatismyip.everdot.org N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A whatismyipaddress.com N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A whatismyip.everdot.org N/A N/A
N/A whatismyip.everdot.org N/A N/A
N/A www.showmyipaddress.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\snftmzmduifqrahf.exe C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
File opened for modification C:\Windows\SysWOW64\zvodxlzrjywikucbb.exe C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
File opened for modification C:\Windows\SysWOW64\mnlfexqnkehyfuhlqpstrl.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\SysWOW64\trmdzpfztkkycoyzbxx.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\SysWOW64\gfbtqhytoghwbozbebcb.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\SysWOW64\snftmzmduifqrahf.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\SysWOW64\ifzpkzohaqpcfqzzav.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\SysWOW64\trmdzpfztkkycoyzbxx.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\SysWOW64\ifzpkzohaqpcfqzzav.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\SysWOW64\snftmzmduifqrahf.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\SysWOW64\gfbtqhytoghwbozbebcb.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\SysWOW64\zvodxlzrjywikucbb.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\SysWOW64\trmdzpfztkkycoyzbxx.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\SysWOW64\gfbtqhytoghwbozbebcb.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\SysWOW64\ifzpkzohaqpcfqzzav.exe C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
File opened for modification C:\Windows\SysWOW64\snftmzmduifqrahf.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\SysWOW64\vvsljbtplegwcqcfjhjjg.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\SysWOW64\gfbtqhytoghwbozbebcb.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\SysWOW64\mnlfexqnkehyfuhlqpstrl.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\SysWOW64\trmdzpfztkkycoyzbxx.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\SysWOW64\mnlfexqnkehyfuhlqpstrl.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\SysWOW64\vvsljbtplegwcqcfjhjjg.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\SysWOW64\zvodxlzrjywikucbb.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\SysWOW64\snftmzmduifqrahf.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\SysWOW64\mnlfexqnkehyfuhlqpstrl.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\SysWOW64\gfbtqhytoghwbozbebcb.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\SysWOW64\gfbtqhytoghwbozbebcb.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\SysWOW64\snftmzmduifqrahf.exe C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
File opened for modification C:\Windows\SysWOW64\vvsljbtplegwcqcfjhjjg.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\SysWOW64\gfbtqhytoghwbozbebcb.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\SysWOW64\zvodxlzrjywikucbb.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\SysWOW64\ifzpkzohaqpcfqzzav.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\SysWOW64\vvsljbtplegwcqcfjhjjg.exe C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
File opened for modification C:\Windows\SysWOW64\snftmzmduifqrahf.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\SysWOW64\mnlfexqnkehyfuhlqpstrl.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\SysWOW64\ifzpkzohaqpcfqzzav.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\SysWOW64\vvsljbtplegwcqcfjhjjg.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\SysWOW64\trmdzpfztkkycoyzbxx.exe C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
File opened for modification C:\Windows\SysWOW64\fnstzzzdhisqeaufrxhpuvbbb.jku C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
File opened for modification C:\Windows\SysWOW64\zvodxlzrjywikucbb.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\SysWOW64\vvsljbtplegwcqcfjhjjg.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\SysWOW64\ifzpkzohaqpcfqzzav.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\SysWOW64\zvodxlzrjywikucbb.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\SysWOW64\gfbtqhytoghwbozbebcb.exe C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
File opened for modification C:\Windows\SysWOW64\trmdzpfztkkycoyzbxx.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\SysWOW64\trmdzpfztkkycoyzbxx.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\SysWOW64\gfbtqhytoghwbozbebcb.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\SysWOW64\gfbtqhytoghwbozbebcb.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\SysWOW64\mnlfexqnkehyfuhlqpstrl.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\SysWOW64\ifzpkzohaqpcfqzzav.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\SysWOW64\mnlfexqnkehyfuhlqpstrl.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\SysWOW64\mnlfexqnkehyfuhlqpstrl.exe C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
File opened for modification C:\Windows\SysWOW64\zvodxlzrjywikucbb.exe C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
File opened for modification C:\Windows\SysWOW64\vvsljbtplegwcqcfjhjjg.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\SysWOW64\ifzpkzohaqpcfqzzav.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\SysWOW64\gfbtqhytoghwbozbebcb.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\SysWOW64\mnlfexqnkehyfuhlqpstrl.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\SysWOW64\vvsljbtplegwcqcfjhjjg.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\SysWOW64\vvsljbtplegwcqcfjhjjg.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\SysWOW64\mnlfexqnkehyfuhlqpstrl.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\SysWOW64\mnlfexqnkehyfuhlqpstrl.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\SysWOW64\ifzpkzohaqpcfqzzav.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\SysWOW64\mnlfexqnkehyfuhlqpstrl.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\SysWOW64\trmdzpfztkkycoyzbxx.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\fnstzzzdhisqeaufrxhpuvbbb.jku C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
File created C:\Program Files (x86)\fnstzzzdhisqeaufrxhpuvbbb.jku C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
File opened for modification C:\Program Files (x86)\kdtfwhshwidmlsxtqhcvlxozkzoavedkpliz.ndp C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
File created C:\Program Files (x86)\kdtfwhshwidmlsxtqhcvlxozkzoavedkpliz.ndp C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mnlfexqnkehyfuhlqpstrl.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\gfbtqhytoghwbozbebcb.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\zvodxlzrjywikucbb.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\gfbtqhytoghwbozbebcb.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File created C:\Windows\kdtfwhshwidmlsxtqhcvlxozkzoavedkpliz.ndp C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
File opened for modification C:\Windows\zvodxlzrjywikucbb.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\snftmzmduifqrahf.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\zvodxlzrjywikucbb.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\zvodxlzrjywikucbb.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\gfbtqhytoghwbozbebcb.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\mnlfexqnkehyfuhlqpstrl.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\trmdzpfztkkycoyzbxx.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\gfbtqhytoghwbozbebcb.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\mnlfexqnkehyfuhlqpstrl.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\snftmzmduifqrahf.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\ifzpkzohaqpcfqzzav.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\snftmzmduifqrahf.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\mnlfexqnkehyfuhlqpstrl.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\snftmzmduifqrahf.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\ifzpkzohaqpcfqzzav.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\gfbtqhytoghwbozbebcb.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\ifzpkzohaqpcfqzzav.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\snftmzmduifqrahf.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\snftmzmduifqrahf.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\zvodxlzrjywikucbb.exe C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
File opened for modification C:\Windows\trmdzpfztkkycoyzbxx.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\gfbtqhytoghwbozbebcb.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\snftmzmduifqrahf.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\snftmzmduifqrahf.exe C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
File opened for modification C:\Windows\zvodxlzrjywikucbb.exe C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
File opened for modification C:\Windows\mnlfexqnkehyfuhlqpstrl.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\ifzpkzohaqpcfqzzav.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\gfbtqhytoghwbozbebcb.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\ifzpkzohaqpcfqzzav.exe C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
File opened for modification C:\Windows\gfbtqhytoghwbozbebcb.exe C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
File opened for modification C:\Windows\ifzpkzohaqpcfqzzav.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\vvsljbtplegwcqcfjhjjg.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\mnlfexqnkehyfuhlqpstrl.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\vvsljbtplegwcqcfjhjjg.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\gfbtqhytoghwbozbebcb.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\trmdzpfztkkycoyzbxx.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\ifzpkzohaqpcfqzzav.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\ifzpkzohaqpcfqzzav.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\zvodxlzrjywikucbb.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\vvsljbtplegwcqcfjhjjg.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\mnlfexqnkehyfuhlqpstrl.exe C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
File opened for modification C:\Windows\trmdzpfztkkycoyzbxx.exe C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
File opened for modification C:\Windows\zvodxlzrjywikucbb.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\trmdzpfztkkycoyzbxx.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\vvsljbtplegwcqcfjhjjg.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\trmdzpfztkkycoyzbxx.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\gfbtqhytoghwbozbebcb.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\zvodxlzrjywikucbb.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\ifzpkzohaqpcfqzzav.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\trmdzpfztkkycoyzbxx.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\snftmzmduifqrahf.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\zvodxlzrjywikucbb.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\snftmzmduifqrahf.exe C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
File opened for modification C:\Windows\ifzpkzohaqpcfqzzav.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\trmdzpfztkkycoyzbxx.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\trmdzpfztkkycoyzbxx.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\fnstzzzdhisqeaufrxhpuvbbb.jku C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
File opened for modification C:\Windows\vvsljbtplegwcqcfjhjjg.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
File opened for modification C:\Windows\gfbtqhytoghwbozbebcb.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\ifzpkzohaqpcfqzzav.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\brftfvqbspabkrpo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\ezslcxxnjlbhvhkomxsle.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\zvodxlzrjywikucbb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\ifzpkzohaqpcfqzzav.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\ifzpkzohaqpcfqzzav.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\izodqhdphfrtdlkke.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\rjzpdvsfyxknyhhidl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\vvsljbtplegwcqcfjhjjg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\zvodxlzrjywikucbb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\zvodxlzrjywikucbb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\trmdzpfztkkycoyzbxx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\zvodxlzrjywikucbb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\zvodxlzrjywikucbb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\vvsljbtplegwcqcfjhjjg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\gfbtqhytoghwbozbebcb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ezslcxxnjlbhvhkomxsle.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\zvodxlzrjywikucbb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\zvodxlzrjywikucbb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\pjbtjdcrmnchufhkhrld.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\vvsljbtplegwcqcfjhjjg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\cvmdsljxrrfjvfgieng.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cvmdsljxrrfjvfgieng.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\vvsljbtplegwcqcfjhjjg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\zvodxlzrjywikucbb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\snftmzmduifqrahf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\gfbtqhytoghwbozbebcb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\vvsljbtplegwcqcfjhjjg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\gfbtqhytoghwbozbebcb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\gfbtqhytoghwbozbebcb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\gfbtqhytoghwbozbebcb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\trmdzpfztkkycoyzbxx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\ifzpkzohaqpcfqzzav.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\zvodxlzrjywikucbb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\zvodxlzrjywikucbb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\trmdzpfztkkycoyzbxx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\gfbtqhytoghwbozbebcb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\snftmzmduifqrahf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\trmdzpfztkkycoyzbxx.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5816 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
PID 5816 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
PID 5816 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
PID 5372 wrote to memory of 4864 N/A C:\Windows\system32\cmd.exe C:\Windows\ifzpkzohaqpcfqzzav.exe
PID 5372 wrote to memory of 4864 N/A C:\Windows\system32\cmd.exe C:\Windows\ifzpkzohaqpcfqzzav.exe
PID 5372 wrote to memory of 4864 N/A C:\Windows\system32\cmd.exe C:\Windows\ifzpkzohaqpcfqzzav.exe
PID 4900 wrote to memory of 4972 N/A C:\Windows\system32\cmd.exe C:\Windows\vvsljbtplegwcqcfjhjjg.exe
PID 4900 wrote to memory of 4972 N/A C:\Windows\system32\cmd.exe C:\Windows\vvsljbtplegwcqcfjhjjg.exe
PID 4900 wrote to memory of 4972 N/A C:\Windows\system32\cmd.exe C:\Windows\vvsljbtplegwcqcfjhjjg.exe
PID 4972 wrote to memory of 1760 N/A C:\Windows\vvsljbtplegwcqcfjhjjg.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
PID 4972 wrote to memory of 1760 N/A C:\Windows\vvsljbtplegwcqcfjhjjg.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
PID 4972 wrote to memory of 1760 N/A C:\Windows\vvsljbtplegwcqcfjhjjg.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
PID 4976 wrote to memory of 2728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4976 wrote to memory of 2728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4976 wrote to memory of 2728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 5752 wrote to memory of 5288 N/A C:\Windows\system32\cmd.exe C:\Windows\snftmzmduifqrahf.exe
PID 5752 wrote to memory of 5288 N/A C:\Windows\system32\cmd.exe C:\Windows\snftmzmduifqrahf.exe
PID 5752 wrote to memory of 5288 N/A C:\Windows\system32\cmd.exe C:\Windows\snftmzmduifqrahf.exe
PID 4736 wrote to memory of 3624 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe
PID 4736 wrote to memory of 3624 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe
PID 4736 wrote to memory of 3624 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe
PID 1184 wrote to memory of 3388 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe
PID 1184 wrote to memory of 3388 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe
PID 1184 wrote to memory of 3388 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe
PID 5288 wrote to memory of 1300 N/A C:\Windows\snftmzmduifqrahf.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
PID 5288 wrote to memory of 1300 N/A C:\Windows\snftmzmduifqrahf.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
PID 5288 wrote to memory of 1300 N/A C:\Windows\snftmzmduifqrahf.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
PID 3388 wrote to memory of 6112 N/A C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
PID 3388 wrote to memory of 6112 N/A C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
PID 3388 wrote to memory of 6112 N/A C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
PID 3528 wrote to memory of 4136 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe
PID 3528 wrote to memory of 4136 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe
PID 3528 wrote to memory of 4136 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe
PID 1644 wrote to memory of 3540 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe
PID 1644 wrote to memory of 3540 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe
PID 1644 wrote to memory of 3540 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe
PID 3540 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
PID 3540 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
PID 3540 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
PID 4688 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe
PID 4688 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe
PID 4688 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe
PID 4688 wrote to memory of 5764 N/A C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe
PID 4688 wrote to memory of 5764 N/A C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe
PID 4688 wrote to memory of 5764 N/A C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe
PID 2072 wrote to memory of 4432 N/A C:\Windows\system32\cmd.exe C:\Windows\ifzpkzohaqpcfqzzav.exe
PID 2072 wrote to memory of 4432 N/A C:\Windows\system32\cmd.exe C:\Windows\ifzpkzohaqpcfqzzav.exe
PID 2072 wrote to memory of 4432 N/A C:\Windows\system32\cmd.exe C:\Windows\ifzpkzohaqpcfqzzav.exe
PID 1668 wrote to memory of 5996 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1668 wrote to memory of 5996 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1668 wrote to memory of 5996 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1372 wrote to memory of 5768 N/A C:\Windows\system32\cmd.exe C:\Windows\trmdzpfztkkycoyzbxx.exe
PID 1372 wrote to memory of 5768 N/A C:\Windows\system32\cmd.exe C:\Windows\trmdzpfztkkycoyzbxx.exe
PID 1372 wrote to memory of 5768 N/A C:\Windows\system32\cmd.exe C:\Windows\trmdzpfztkkycoyzbxx.exe
PID 1708 wrote to memory of 2700 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe
PID 1708 wrote to memory of 2700 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe
PID 1708 wrote to memory of 2700 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe
PID 5768 wrote to memory of 4312 N/A C:\Windows\trmdzpfztkkycoyzbxx.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
PID 5768 wrote to memory of 4312 N/A C:\Windows\trmdzpfztkkycoyzbxx.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
PID 5768 wrote to memory of 4312 N/A C:\Windows\trmdzpfztkkycoyzbxx.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
PID 2700 wrote to memory of 5516 N/A C:\Windows\trmdzpfztkkycoyzbxx.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
PID 2700 wrote to memory of 5516 N/A C:\Windows\trmdzpfztkkycoyzbxx.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
PID 2700 wrote to memory of 5516 N/A C:\Windows\trmdzpfztkkycoyzbxx.exe C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
PID 3712 wrote to memory of 4980 N/A C:\Windows\system32\cmd.exe C:\Windows\snftmzmduifqrahf.exe

System policy modification

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe"

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_c45c7c3be165367d7676c127dbdc2050.exe*"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe

C:\Windows\ifzpkzohaqpcfqzzav.exe

ifzpkzohaqpcfqzzav.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe .

C:\Windows\vvsljbtplegwcqcfjhjjg.exe

vvsljbtplegwcqcfjhjjg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zvodxlzrjywikucbb.exe

C:\Windows\zvodxlzrjywikucbb.exe

zvodxlzrjywikucbb.exe

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\vvsljbtplegwcqcfjhjjg.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c snftmzmduifqrahf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe

C:\Windows\snftmzmduifqrahf.exe

snftmzmduifqrahf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe .

C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe

C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe

C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe

C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\snftmzmduifqrahf.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\trmdzpfztkkycoyzbxx.exe*."

C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe

C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe .

C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe

C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\zvodxlzrjywikucbb.exe*."

C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe

"C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe" "-C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe"

C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe

"C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe" "-C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c trmdzpfztkkycoyzbxx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c trmdzpfztkkycoyzbxx.exe .

C:\Windows\ifzpkzohaqpcfqzzav.exe

ifzpkzohaqpcfqzzav.exe

C:\Windows\ifzpkzohaqpcfqzzav.exe

ifzpkzohaqpcfqzzav.exe

C:\Windows\trmdzpfztkkycoyzbxx.exe

trmdzpfztkkycoyzbxx.exe .

C:\Windows\trmdzpfztkkycoyzbxx.exe

trmdzpfztkkycoyzbxx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c snftmzmduifqrahf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c snftmzmduifqrahf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\trmdzpfztkkycoyzbxx.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\trmdzpfztkkycoyzbxx.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe .

C:\Windows\snftmzmduifqrahf.exe

snftmzmduifqrahf.exe

C:\Windows\vvsljbtplegwcqcfjhjjg.exe

vvsljbtplegwcqcfjhjjg.exe .

C:\Windows\snftmzmduifqrahf.exe

snftmzmduifqrahf.exe

C:\Windows\vvsljbtplegwcqcfjhjjg.exe

vvsljbtplegwcqcfjhjjg.exe .

C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe

C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe

C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe .

C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe

C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe

C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe

C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\vvsljbtplegwcqcfjhjjg.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\vvsljbtplegwcqcfjhjjg.exe*."

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\zvodxlzrjywikucbb.exe*."

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\zvodxlzrjywikucbb.exe*."

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe

C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe .

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe

C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\ifzpkzohaqpcfqzzav.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\ifzpkzohaqpcfqzzav.exe*."

C:\Windows\vvsljbtplegwcqcfjhjjg.exe

vvsljbtplegwcqcfjhjjg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c trmdzpfztkkycoyzbxx.exe .

C:\Windows\trmdzpfztkkycoyzbxx.exe

trmdzpfztkkycoyzbxx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\trmdzpfztkkycoyzbxx.exe*."

C:\Windows\vvsljbtplegwcqcfjhjjg.exe

vvsljbtplegwcqcfjhjjg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gfbtqhytoghwbozbebcb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe

C:\Windows\gfbtqhytoghwbozbebcb.exe

gfbtqhytoghwbozbebcb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe .

C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe

C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\gfbtqhytoghwbozbebcb.exe*."

C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe

C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\trmdzpfztkkycoyzbxx.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe .

C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe

C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe

C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe

C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\ifzpkzohaqpcfqzzav.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zvodxlzrjywikucbb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gfbtqhytoghwbozbebcb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gfbtqhytoghwbozbebcb.exe

C:\Windows\zvodxlzrjywikucbb.exe

zvodxlzrjywikucbb.exe

C:\Windows\gfbtqhytoghwbozbebcb.exe

gfbtqhytoghwbozbebcb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gfbtqhytoghwbozbebcb.exe .

C:\Windows\gfbtqhytoghwbozbebcb.exe

gfbtqhytoghwbozbebcb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zvodxlzrjywikucbb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zvodxlzrjywikucbb.exe .

C:\Windows\gfbtqhytoghwbozbebcb.exe

gfbtqhytoghwbozbebcb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe

C:\Windows\zvodxlzrjywikucbb.exe

zvodxlzrjywikucbb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c snftmzmduifqrahf.exe

C:\Windows\zvodxlzrjywikucbb.exe

zvodxlzrjywikucbb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gfbtqhytoghwbozbebcb.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\gfbtqhytoghwbozbebcb.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zvodxlzrjywikucbb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gfbtqhytoghwbozbebcb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\zvodxlzrjywikucbb.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\zvodxlzrjywikucbb.exe*."

C:\Windows\ifzpkzohaqpcfqzzav.exe

ifzpkzohaqpcfqzzav.exe

C:\Windows\snftmzmduifqrahf.exe

snftmzmduifqrahf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe

C:\Windows\gfbtqhytoghwbozbebcb.exe

gfbtqhytoghwbozbebcb.exe .

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe

C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe

C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe

C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe

C:\Windows\zvodxlzrjywikucbb.exe

zvodxlzrjywikucbb.exe .

C:\Windows\gfbtqhytoghwbozbebcb.exe

gfbtqhytoghwbozbebcb.exe .

C:\Windows\vvsljbtplegwcqcfjhjjg.exe

vvsljbtplegwcqcfjhjjg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\gfbtqhytoghwbozbebcb.exe*."

C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe

C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .

C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe

C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\gfbtqhytoghwbozbebcb.exe*."

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\zvodxlzrjywikucbb.exe*."

C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe

C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe .

C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe

C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe

C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\snftmzmduifqrahf.exe*."

C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe

C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe

C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe

C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe .

C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe

C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\trmdzpfztkkycoyzbxx.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gfbtqhytoghwbozbebcb.exe

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\ifzpkzohaqpcfqzzav.exe*."

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\trmdzpfztkkycoyzbxx.exe*."

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\ifzpkzohaqpcfqzzav.exe*."

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\trmdzpfztkkycoyzbxx.exe*."

C:\Windows\gfbtqhytoghwbozbebcb.exe

gfbtqhytoghwbozbebcb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c trmdzpfztkkycoyzbxx.exe .

C:\Windows\trmdzpfztkkycoyzbxx.exe

trmdzpfztkkycoyzbxx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\trmdzpfztkkycoyzbxx.exe*."

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\vvsljbtplegwcqcfjhjjg.exe

vvsljbtplegwcqcfjhjjg.exe

C:\Windows\vvsljbtplegwcqcfjhjjg.exe

vvsljbtplegwcqcfjhjjg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\vvsljbtplegwcqcfjhjjg.exe*."

C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe

C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe .

C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe

C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\ifzpkzohaqpcfqzzav.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .

C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe

C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe

C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe

C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\snftmzmduifqrahf.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c trmdzpfztkkycoyzbxx.exe

C:\Windows\trmdzpfztkkycoyzbxx.exe

trmdzpfztkkycoyzbxx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c snftmzmduifqrahf.exe .

C:\Windows\snftmzmduifqrahf.exe

snftmzmduifqrahf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\snftmzmduifqrahf.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe .

C:\Windows\ifzpkzohaqpcfqzzav.exe

ifzpkzohaqpcfqzzav.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe

C:\Windows\vvsljbtplegwcqcfjhjjg.exe

vvsljbtplegwcqcfjhjjg.exe .

C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe

C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\vvsljbtplegwcqcfjhjjg.exe*."

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\vvsljbtplegwcqcfjhjjg.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe

C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe

C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe

C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\trmdzpfztkkycoyzbxx.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c snftmzmduifqrahf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c snftmzmduifqrahf.exe .

C:\Windows\snftmzmduifqrahf.exe

snftmzmduifqrahf.exe

C:\Windows\snftmzmduifqrahf.exe

snftmzmduifqrahf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c snftmzmduifqrahf.exe

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\snftmzmduifqrahf.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe .

C:\Windows\snftmzmduifqrahf.exe

snftmzmduifqrahf.exe

C:\Windows\ifzpkzohaqpcfqzzav.exe

ifzpkzohaqpcfqzzav.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\ifzpkzohaqpcfqzzav.exe*."

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe

C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\snftmzmduifqrahf.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe .

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe

C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\trmdzpfztkkycoyzbxx.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gfbtqhytoghwbozbebcb.exe

C:\Windows\gfbtqhytoghwbozbebcb.exe

gfbtqhytoghwbozbebcb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe .

C:\Windows\vvsljbtplegwcqcfjhjjg.exe

vvsljbtplegwcqcfjhjjg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\vvsljbtplegwcqcfjhjjg.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gfbtqhytoghwbozbebcb.exe .

C:\Windows\ifzpkzohaqpcfqzzav.exe

ifzpkzohaqpcfqzzav.exe

C:\Windows\gfbtqhytoghwbozbebcb.exe

gfbtqhytoghwbozbebcb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\gfbtqhytoghwbozbebcb.exe*."

C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe

C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe

C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe

C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\snftmzmduifqrahf.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe .

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\vvsljbtplegwcqcfjhjjg.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c trmdzpfztkkycoyzbxx.exe

C:\Windows\trmdzpfztkkycoyzbxx.exe

trmdzpfztkkycoyzbxx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c trmdzpfztkkycoyzbxx.exe .

C:\Windows\trmdzpfztkkycoyzbxx.exe

trmdzpfztkkycoyzbxx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c trmdzpfztkkycoyzbxx.exe

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\trmdzpfztkkycoyzbxx.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zvodxlzrjywikucbb.exe .

C:\Windows\trmdzpfztkkycoyzbxx.exe

trmdzpfztkkycoyzbxx.exe

C:\Windows\zvodxlzrjywikucbb.exe

zvodxlzrjywikucbb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe .

C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe

C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\zvodxlzrjywikucbb.exe*."

C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe

C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\gfbtqhytoghwbozbebcb.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .

C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe

C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe

C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe

C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\snftmzmduifqrahf.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe

C:\Windows\ifzpkzohaqpcfqzzav.exe

ifzpkzohaqpcfqzzav.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zvodxlzrjywikucbb.exe .

C:\Windows\zvodxlzrjywikucbb.exe

zvodxlzrjywikucbb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\zvodxlzrjywikucbb.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe .

C:\Windows\ifzpkzohaqpcfqzzav.exe

ifzpkzohaqpcfqzzav.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe

C:\Windows\vvsljbtplegwcqcfjhjjg.exe

vvsljbtplegwcqcfjhjjg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe .

C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe

C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\vvsljbtplegwcqcfjhjjg.exe*."

C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe

C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\zvodxlzrjywikucbb.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .

C:\Windows\vvsljbtplegwcqcfjhjjg.exe

vvsljbtplegwcqcfjhjjg.exe

C:\Windows\vvsljbtplegwcqcfjhjjg.exe

vvsljbtplegwcqcfjhjjg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe .

C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe

C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe

C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .

C:\Windows\ifzpkzohaqpcfqzzav.exe

ifzpkzohaqpcfqzzav.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gfbtqhytoghwbozbebcb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c trmdzpfztkkycoyzbxx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gfbtqhytoghwbozbebcb.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\snftmzmduifqrahf.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\ifzpkzohaqpcfqzzav.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe .

C:\Windows\gfbtqhytoghwbozbebcb.exe

gfbtqhytoghwbozbebcb.exe

C:\Windows\gfbtqhytoghwbozbebcb.exe

gfbtqhytoghwbozbebcb.exe .

C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe

C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe

C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe .

C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe

C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe

C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe

C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c trmdzpfztkkycoyzbxx.exe

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\gfbtqhytoghwbozbebcb.exe*."

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\gfbtqhytoghwbozbebcb.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gfbtqhytoghwbozbebcb.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\gfbtqhytoghwbozbebcb.exe*."

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe

C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe .

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c snftmzmduifqrahf.exe

C:\Windows\gfbtqhytoghwbozbebcb.exe

gfbtqhytoghwbozbebcb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gfbtqhytoghwbozbebcb.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\zvodxlzrjywikucbb.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\vvsljbtplegwcqcfjhjjg.exe*."

C:\Windows\snftmzmduifqrahf.exe

snftmzmduifqrahf.exe

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\gfbtqhytoghwbozbebcb.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe .

C:\Windows\gfbtqhytoghwbozbebcb.exe

gfbtqhytoghwbozbebcb.exe .

C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe

C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe

C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe

C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\gfbtqhytoghwbozbebcb.exe*."

C:\Windows\ifzpkzohaqpcfqzzav.exe

ifzpkzohaqpcfqzzav.exe

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\gfbtqhytoghwbozbebcb.exe*."

C:\Windows\ifzpkzohaqpcfqzzav.exe

ifzpkzohaqpcfqzzav.exe .

C:\Windows\trmdzpfztkkycoyzbxx.exe

trmdzpfztkkycoyzbxx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe

C:\Windows\trmdzpfztkkycoyzbxx.exe

trmdzpfztkkycoyzbxx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\ifzpkzohaqpcfqzzav.exe*."

C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe

C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\trmdzpfztkkycoyzbxx.exe*."

C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe

C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\snftmzmduifqrahf.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c snftmzmduifqrahf.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\snftmzmduifqrahf.exe

snftmzmduifqrahf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zvodxlzrjywikucbb.exe .

C:\Windows\zvodxlzrjywikucbb.exe

zvodxlzrjywikucbb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c trmdzpfztkkycoyzbxx.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\zvodxlzrjywikucbb.exe*."

C:\Windows\trmdzpfztkkycoyzbxx.exe

trmdzpfztkkycoyzbxx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zvodxlzrjywikucbb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe

C:\Windows\zvodxlzrjywikucbb.exe

zvodxlzrjywikucbb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .

C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe

C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\zvodxlzrjywikucbb.exe*."

C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe

C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\snftmzmduifqrahf.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe

C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\snftmzmduifqrahf.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brftfvqbspabkrpo.exe

C:\Windows\brftfvqbspabkrpo.exe

brftfvqbspabkrpo.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brftfvqbspabkrpo.exe .

C:\Windows\brftfvqbspabkrpo.exe

brftfvqbspabkrpo.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c izodqhdphfrtdlkke.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\brftfvqbspabkrpo.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ezslcxxnjlbhvhkomxsle.exe .

C:\Windows\izodqhdphfrtdlkke.exe

izodqhdphfrtdlkke.exe

C:\Windows\ifzpkzohaqpcfqzzav.exe

ifzpkzohaqpcfqzzav.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjbtjdcrmnchufhkhrld.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zvodxlzrjywikucbb.exe .

C:\Windows\ezslcxxnjlbhvhkomxsle.exe

ezslcxxnjlbhvhkomxsle.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rjzpdvsfyxknyhhidl.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c trmdzpfztkkycoyzbxx.exe

C:\Windows\zvodxlzrjywikucbb.exe

zvodxlzrjywikucbb.exe .

C:\Users\Admin\AppData\Local\Temp\pjbtjdcrmnchufhkhrld.exe

C:\Users\Admin\AppData\Local\Temp\pjbtjdcrmnchufhkhrld.exe

C:\Users\Admin\AppData\Local\Temp\rjzpdvsfyxknyhhidl.exe

C:\Users\Admin\AppData\Local\Temp\rjzpdvsfyxknyhhidl.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\ezslcxxnjlbhvhkomxsle.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zvodxlzrjywikucbb.exe .

C:\Windows\trmdzpfztkkycoyzbxx.exe

trmdzpfztkkycoyzbxx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\zvodxlzrjywikucbb.exe*."

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\rjzpdvsfyxknyhhidl.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\izodqhdphfrtdlkke.exe .

C:\Windows\zvodxlzrjywikucbb.exe

zvodxlzrjywikucbb.exe .

C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe

C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe

C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe

C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe

C:\Users\Admin\AppData\Local\Temp\izodqhdphfrtdlkke.exe

C:\Users\Admin\AppData\Local\Temp\izodqhdphfrtdlkke.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\zvodxlzrjywikucbb.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe .

C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe

C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\izodqhdphfrtdlkke.exe*."

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\zvodxlzrjywikucbb.exe*."

C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe

C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe .

C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe

C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe

C:\Users\Admin\AppData\Local\Temp\ejmpq.exe

"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\ifzpkzohaqpcfqzzav.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe

C:\Users\Admin\AppData\Local\Temp\ejmpq.exe

"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"

C:\Windows\vvsljbtplegwcqcfjhjjg.exe

vvsljbtplegwcqcfjhjjg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zvodxlzrjywikucbb.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\zvodxlzrjywikucbb.exe

zvodxlzrjywikucbb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\zvodxlzrjywikucbb.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe .

C:\Windows\vvsljbtplegwcqcfjhjjg.exe

vvsljbtplegwcqcfjhjjg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Windows\vvsljbtplegwcqcfjhjjg.exe

vvsljbtplegwcqcfjhjjg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe .

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\vvsljbtplegwcqcfjhjjg.exe*."

C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe

C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\trmdzpfztkkycoyzbxx.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe

C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe

C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe .

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\vvsljbtplegwcqcfjhjjg.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brftfvqbspabkrpo.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe

C:\Windows\brftfvqbspabkrpo.exe

brftfvqbspabkrpo.exe

C:\Users\Admin\AppData\Local\Temp\ejmpq.exe

"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"

C:\Users\Admin\AppData\Local\Temp\ejmpq.exe

"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pjbtjdcrmnchufhkhrld.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\vvsljbtplegwcqcfjhjjg.exe

vvsljbtplegwcqcfjhjjg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe .

C:\Windows\pjbtjdcrmnchufhkhrld.exe

pjbtjdcrmnchufhkhrld.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cvmdsljxrrfjvfgieng.exe

C:\Windows\vvsljbtplegwcqcfjhjjg.exe

vvsljbtplegwcqcfjhjjg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brftfvqbspabkrpo.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zvodxlzrjywikucbb.exe

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\pjbtjdcrmnchufhkhrld.exe*."

C:\Windows\cvmdsljxrrfjvfgieng.exe

cvmdsljxrrfjvfgieng.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\izodqhdphfrtdlkke.exe

C:\Windows\brftfvqbspabkrpo.exe

brftfvqbspabkrpo.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\vvsljbtplegwcqcfjhjjg.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ezslcxxnjlbhvhkomxsle.exe .

C:\Windows\zvodxlzrjywikucbb.exe

zvodxlzrjywikucbb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\izodqhdphfrtdlkke.exe

C:\Users\Admin\AppData\Local\Temp\izodqhdphfrtdlkke.exe

C:\Windows\vvsljbtplegwcqcfjhjjg.exe

vvsljbtplegwcqcfjhjjg.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\brftfvqbspabkrpo.exe*."

C:\Users\Admin\AppData\Local\Temp\ezslcxxnjlbhvhkomxsle.exe

C:\Users\Admin\AppData\Local\Temp\ezslcxxnjlbhvhkomxsle.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cvmdsljxrrfjvfgieng.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cvmdsljxrrfjvfgieng.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\vvsljbtplegwcqcfjhjjg.exe*."

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\ezslcxxnjlbhvhkomxsle.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe .

C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe

C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe .

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\vvsljbtplegwcqcfjhjjg.exe*."

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\vvsljbtplegwcqcfjhjjg.exe*."

C:\Users\Admin\AppData\Local\Temp\cvmdsljxrrfjvfgieng.exe

C:\Users\Admin\AppData\Local\Temp\cvmdsljxrrfjvfgieng.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\cvmdsljxrrfjvfgieng.exe*."

C:\Users\Admin\AppData\Local\Temp\ejmpq.exe

"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"

C:\Users\Admin\AppData\Local\Temp\ejmpq.exe

"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"

C:\Users\Admin\AppData\Local\Temp\cvmdsljxrrfjvfgieng.exe

C:\Users\Admin\AppData\Local\Temp\cvmdsljxrrfjvfgieng.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c snftmzmduifqrahf.exe

C:\Windows\snftmzmduifqrahf.exe

snftmzmduifqrahf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gfbtqhytoghwbozbebcb.exe .

C:\Windows\gfbtqhytoghwbozbebcb.exe

gfbtqhytoghwbozbebcb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c trmdzpfztkkycoyzbxx.exe

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\gfbtqhytoghwbozbebcb.exe*."

C:\Windows\trmdzpfztkkycoyzbxx.exe

trmdzpfztkkycoyzbxx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe

C:\Windows\vvsljbtplegwcqcfjhjjg.exe

vvsljbtplegwcqcfjhjjg.exe .

C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe

C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\vvsljbtplegwcqcfjhjjg.exe*."

C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe

C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\zvodxlzrjywikucbb.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe .

C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe

C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe

C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe

C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\zvodxlzrjywikucbb.exe*."

C:\Users\Admin\AppData\Local\Temp\ejmpq.exe

"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"

C:\Users\Admin\AppData\Local\Temp\ejmpq.exe

"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe

C:\Windows\vvsljbtplegwcqcfjhjjg.exe

vvsljbtplegwcqcfjhjjg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c trmdzpfztkkycoyzbxx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe

C:\Windows\trmdzpfztkkycoyzbxx.exe

trmdzpfztkkycoyzbxx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gfbtqhytoghwbozbebcb.exe

C:\Windows\ifzpkzohaqpcfqzzav.exe

ifzpkzohaqpcfqzzav.exe

C:\Windows\ifzpkzohaqpcfqzzav.exe

ifzpkzohaqpcfqzzav.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c snftmzmduifqrahf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\trmdzpfztkkycoyzbxx.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe .

C:\Windows\gfbtqhytoghwbozbebcb.exe

gfbtqhytoghwbozbebcb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gfbtqhytoghwbozbebcb.exe

C:\Windows\vvsljbtplegwcqcfjhjjg.exe

vvsljbtplegwcqcfjhjjg.exe .

C:\Windows\ifzpkzohaqpcfqzzav.exe

ifzpkzohaqpcfqzzav.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe

C:\Windows\snftmzmduifqrahf.exe

snftmzmduifqrahf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe .

C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe

C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\ifzpkzohaqpcfqzzav.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\vvsljbtplegwcqcfjhjjg.exe*."

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe .

C:\Windows\gfbtqhytoghwbozbebcb.exe

gfbtqhytoghwbozbebcb.exe

C:\Windows\ifzpkzohaqpcfqzzav.exe

ifzpkzohaqpcfqzzav.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\snftmzmduifqrahf.exe*."

C:\Windows\ifzpkzohaqpcfqzzav.exe

ifzpkzohaqpcfqzzav.exe .

C:\Users\Admin\AppData\Local\Temp\ejmpq.exe

"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\vvsljbtplegwcqcfjhjjg.exe*."

C:\Users\Admin\AppData\Local\Temp\ejmpq.exe

"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"

C:\Windows\vvsljbtplegwcqcfjhjjg.exe

vvsljbtplegwcqcfjhjjg.exe .

C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe

C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe .

C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe

C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe

C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe

C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe

C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe

C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zvodxlzrjywikucbb.exe

C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe

C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe .

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\ifzpkzohaqpcfqzzav.exe*."

C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe

C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\vvsljbtplegwcqcfjhjjg.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gfbtqhytoghwbozbebcb.exe .

C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe

C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\zvodxlzrjywikucbb.exe*."

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\vvsljbtplegwcqcfjhjjg.exe*."

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\ifzpkzohaqpcfqzzav.exe*."

C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe

C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe

C:\Windows\zvodxlzrjywikucbb.exe

zvodxlzrjywikucbb.exe

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\trmdzpfztkkycoyzbxx.exe*."

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\vvsljbtplegwcqcfjhjjg.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c snftmzmduifqrahf.exe

C:\Windows\gfbtqhytoghwbozbebcb.exe

gfbtqhytoghwbozbebcb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe

C:\Windows\snftmzmduifqrahf.exe

snftmzmduifqrahf.exe

C:\Windows\ifzpkzohaqpcfqzzav.exe

ifzpkzohaqpcfqzzav.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\gfbtqhytoghwbozbebcb.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .

C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe

C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\ifzpkzohaqpcfqzzav.exe*."

C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe

C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\snftmzmduifqrahf.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe .

C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe

C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe .

C:\Users\Admin\AppData\Local\Temp\ejmpq.exe

"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\vvsljbtplegwcqcfjhjjg.exe*."

C:\Users\Admin\AppData\Local\Temp\ejmpq.exe

"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe

C:\Windows\ifzpkzohaqpcfqzzav.exe

ifzpkzohaqpcfqzzav.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gfbtqhytoghwbozbebcb.exe .

C:\Windows\gfbtqhytoghwbozbebcb.exe

gfbtqhytoghwbozbebcb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c trmdzpfztkkycoyzbxx.exe

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\gfbtqhytoghwbozbebcb.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe .

C:\Windows\trmdzpfztkkycoyzbxx.exe

trmdzpfztkkycoyzbxx.exe

C:\Windows\ifzpkzohaqpcfqzzav.exe

ifzpkzohaqpcfqzzav.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe

C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe

C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\ifzpkzohaqpcfqzzav.exe*."

C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe

C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\zvodxlzrjywikucbb.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe

C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe

C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe

C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\gfbtqhytoghwbozbebcb.exe*."

C:\Users\Admin\AppData\Local\Temp\ejmpq.exe

"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"

C:\Users\Admin\AppData\Local\Temp\ejmpq.exe

"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c snftmzmduifqrahf.exe

C:\Windows\snftmzmduifqrahf.exe

snftmzmduifqrahf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe .

C:\Windows\ifzpkzohaqpcfqzzav.exe

ifzpkzohaqpcfqzzav.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\ifzpkzohaqpcfqzzav.exe*."

C:\Windows\ifzpkzohaqpcfqzzav.exe

ifzpkzohaqpcfqzzav.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c trmdzpfztkkycoyzbxx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe

C:\Windows\trmdzpfztkkycoyzbxx.exe

trmdzpfztkkycoyzbxx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe .

C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe

C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\trmdzpfztkkycoyzbxx.exe*."

C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe

C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\zvodxlzrjywikucbb.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe .

C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe

C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe

C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe

C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\trmdzpfztkkycoyzbxx.exe*."

C:\Users\Admin\AppData\Local\Temp\ejmpq.exe

"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"

C:\Users\Admin\AppData\Local\Temp\ejmpq.exe

"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gfbtqhytoghwbozbebcb.exe

C:\Windows\gfbtqhytoghwbozbebcb.exe

gfbtqhytoghwbozbebcb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zvodxlzrjywikucbb.exe .

C:\Windows\zvodxlzrjywikucbb.exe

zvodxlzrjywikucbb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\zvodxlzrjywikucbb.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c snftmzmduifqrahf.exe .

C:\Windows\vvsljbtplegwcqcfjhjjg.exe

vvsljbtplegwcqcfjhjjg.exe

C:\Windows\snftmzmduifqrahf.exe

snftmzmduifqrahf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\snftmzmduifqrahf.exe*."

C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe

C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\snftmzmduifqrahf.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe .

C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe

C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rjzpdvsfyxknyhhidl.exe

C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe

C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe .

C:\Windows\rjzpdvsfyxknyhhidl.exe

rjzpdvsfyxknyhhidl.exe

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\ifzpkzohaqpcfqzzav.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cvmdsljxrrfjvfgieng.exe .

C:\Users\Admin\AppData\Local\Temp\ejmpq.exe

"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"

C:\Users\Admin\AppData\Local\Temp\ejmpq.exe

"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"

C:\Windows\cvmdsljxrrfjvfgieng.exe

cvmdsljxrrfjvfgieng.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c izodqhdphfrtdlkke.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ezslcxxnjlbhvhkomxsle.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\cvmdsljxrrfjvfgieng.exe*."

C:\Windows\izodqhdphfrtdlkke.exe

izodqhdphfrtdlkke.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjbtjdcrmnchufhkhrld.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c trmdzpfztkkycoyzbxx.exe

C:\Windows\ezslcxxnjlbhvhkomxsle.exe

ezslcxxnjlbhvhkomxsle.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rjzpdvsfyxknyhhidl.exe .

C:\Users\Admin\AppData\Local\Temp\pjbtjdcrmnchufhkhrld.exe

C:\Users\Admin\AppData\Local\Temp\pjbtjdcrmnchufhkhrld.exe

C:\Windows\trmdzpfztkkycoyzbxx.exe

trmdzpfztkkycoyzbxx.exe

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\ezslcxxnjlbhvhkomxsle.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe .

C:\Users\Admin\AppData\Local\Temp\rjzpdvsfyxknyhhidl.exe

C:\Users\Admin\AppData\Local\Temp\rjzpdvsfyxknyhhidl.exe .

C:\Windows\ifzpkzohaqpcfqzzav.exe

ifzpkzohaqpcfqzzav.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\rjzpdvsfyxknyhhidl.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ezslcxxnjlbhvhkomxsle.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gfbtqhytoghwbozbebcb.exe

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\ifzpkzohaqpcfqzzav.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cvmdsljxrrfjvfgieng.exe .

C:\Windows\gfbtqhytoghwbozbebcb.exe

gfbtqhytoghwbozbebcb.exe

C:\Users\Admin\AppData\Local\Temp\ezslcxxnjlbhvhkomxsle.exe

C:\Users\Admin\AppData\Local\Temp\ezslcxxnjlbhvhkomxsle.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe

C:\Windows\vvsljbtplegwcqcfjhjjg.exe

vvsljbtplegwcqcfjhjjg.exe .

C:\Users\Admin\AppData\Local\Temp\cvmdsljxrrfjvfgieng.exe

C:\Users\Admin\AppData\Local\Temp\cvmdsljxrrfjvfgieng.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe .

C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe

C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\cvmdsljxrrfjvfgieng.exe*."

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\vvsljbtplegwcqcfjhjjg.exe*."

C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe

C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\zvodxlzrjywikucbb.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe .

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe

C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe .

C:\Users\Admin\AppData\Local\Temp\ejmpq.exe

"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\gfbtqhytoghwbozbebcb.exe*."

C:\Users\Admin\AppData\Local\Temp\ejmpq.exe

"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gfbtqhytoghwbozbebcb.exe

C:\Windows\gfbtqhytoghwbozbebcb.exe

gfbtqhytoghwbozbebcb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gfbtqhytoghwbozbebcb.exe .

C:\Windows\gfbtqhytoghwbozbebcb.exe

gfbtqhytoghwbozbebcb.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\gfbtqhytoghwbozbebcb.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zvodxlzrjywikucbb.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zvodxlzrjywikucbb.exe .

C:\Windows\zvodxlzrjywikucbb.exe

zvodxlzrjywikucbb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe

C:\Windows\zvodxlzrjywikucbb.exe

zvodxlzrjywikucbb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe .

C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe

C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\zvodxlzrjywikucbb.exe*."

C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe

C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\gfbtqhytoghwbozbebcb.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe .

C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe

C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\vvsljbtplegwcqcfjhjjg.exe*."

C:\Users\Admin\AppData\Local\Temp\ejmpq.exe

"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"

C:\Users\Admin\AppData\Local\Temp\ejmpq.exe

"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe

C:\Windows\ifzpkzohaqpcfqzzav.exe

ifzpkzohaqpcfqzzav.exe

C:\Windows\vvsljbtplegwcqcfjhjjg.exe

vvsljbtplegwcqcfjhjjg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe .

C:\Windows\ifzpkzohaqpcfqzzav.exe

ifzpkzohaqpcfqzzav.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c trmdzpfztkkycoyzbxx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c trmdzpfztkkycoyzbxx.exe .

C:\Windows\vvsljbtplegwcqcfjhjjg.exe

vvsljbtplegwcqcfjhjjg.exe .

C:\Windows\trmdzpfztkkycoyzbxx.exe

trmdzpfztkkycoyzbxx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c snftmzmduifqrahf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gfbtqhytoghwbozbebcb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c trmdzpfztkkycoyzbxx.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\vvsljbtplegwcqcfjhjjg.exe*."

C:\Windows\trmdzpfztkkycoyzbxx.exe

trmdzpfztkkycoyzbxx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\trmdzpfztkkycoyzbxx.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c trmdzpfztkkycoyzbxx.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe .

C:\Windows\snftmzmduifqrahf.exe

snftmzmduifqrahf.exe

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\trmdzpfztkkycoyzbxx.exe*."

C:\Windows\vvsljbtplegwcqcfjhjjg.exe

vvsljbtplegwcqcfjhjjg.exe

C:\Windows\ifzpkzohaqpcfqzzav.exe

ifzpkzohaqpcfqzzav.exe .

C:\Windows\trmdzpfztkkycoyzbxx.exe

trmdzpfztkkycoyzbxx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .

C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe

C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe

C:\Windows\gfbtqhytoghwbozbebcb.exe

gfbtqhytoghwbozbebcb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe .

C:\Users\Admin\AppData\Local\Temp\ejmpq.exe

"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"

C:\Windows\trmdzpfztkkycoyzbxx.exe

trmdzpfztkkycoyzbxx.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\trmdzpfztkkycoyzbxx.exe*."

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\ifzpkzohaqpcfqzzav.exe*."

C:\Users\Admin\AppData\Local\Temp\ejmpq.exe

"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"

C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe

C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe

C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe

C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe

C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe

C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\trmdzpfztkkycoyzbxx.exe*."

C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe

C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe

C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe

C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .

C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe

C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c snftmzmduifqrahf.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\zvodxlzrjywikucbb.exe*."

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\snftmzmduifqrahf.exe*."

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\snftmzmduifqrahf.exe*."

C:\Windows\snftmzmduifqrahf.exe

snftmzmduifqrahf.exe

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe .

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c trmdzpfztkkycoyzbxx.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\vvsljbtplegwcqcfjhjjg.exe*."

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\vvsljbtplegwcqcfjhjjg.exe*."

C:\Windows\trmdzpfztkkycoyzbxx.exe

trmdzpfztkkycoyzbxx.exe .

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zvodxlzrjywikucbb.exe

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\trmdzpfztkkycoyzbxx.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c trmdzpfztkkycoyzbxx.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\vvsljbtplegwcqcfjhjjg.exe*."

C:\Windows\zvodxlzrjywikucbb.exe

zvodxlzrjywikucbb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Windows\trmdzpfztkkycoyzbxx.exe

trmdzpfztkkycoyzbxx.exe .

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\trmdzpfztkkycoyzbxx.exe*."

C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe

C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\snftmzmduifqrahf.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe

C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe

C:\Users\Admin\AppData\Local\Temp\ejmpq.exe

"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"

C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe

C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe .

C:\Users\Admin\AppData\Local\Temp\ejmpq.exe

"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\gfbtqhytoghwbozbebcb.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gfbtqhytoghwbozbebcb.exe

C:\Windows\gfbtqhytoghwbozbebcb.exe

gfbtqhytoghwbozbebcb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c trmdzpfztkkycoyzbxx.exe .

C:\Windows\trmdzpfztkkycoyzbxx.exe

trmdzpfztkkycoyzbxx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c snftmzmduifqrahf.exe

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\trmdzpfztkkycoyzbxx.exe*."

C:\Windows\snftmzmduifqrahf.exe

snftmzmduifqrahf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gfbtqhytoghwbozbebcb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe

C:\Windows\gfbtqhytoghwbozbebcb.exe

gfbtqhytoghwbozbebcb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe .

C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe

C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\gfbtqhytoghwbozbebcb.exe*."

C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe

C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\zvodxlzrjywikucbb.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe .

C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe

C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe

C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe

C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe .

C:\Users\Admin\AppData\Local\Temp\ejmpq.exe

"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"

C:\Users\Admin\AppData\Local\Temp\ejmpq.exe

"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\trmdzpfztkkycoyzbxx.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe

C:\Windows\ifzpkzohaqpcfqzzav.exe

ifzpkzohaqpcfqzzav.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe .

C:\Windows\ifzpkzohaqpcfqzzav.exe

ifzpkzohaqpcfqzzav.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zvodxlzrjywikucbb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c trmdzpfztkkycoyzbxx.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\ifzpkzohaqpcfqzzav.exe*."

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\zvodxlzrjywikucbb.exe

zvodxlzrjywikucbb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe

C:\Windows\trmdzpfztkkycoyzbxx.exe

trmdzpfztkkycoyzbxx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe .

C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe

C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\trmdzpfztkkycoyzbxx.exe*."

C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe

C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\zvodxlzrjywikucbb.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .

C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe

C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe

C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe

C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .

C:\Users\Admin\AppData\Local\Temp\ejmpq.exe

"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"

C:\Users\Admin\AppData\Local\Temp\ejmpq.exe

"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\snftmzmduifqrahf.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe

C:\Windows\vvsljbtplegwcqcfjhjjg.exe

vvsljbtplegwcqcfjhjjg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gfbtqhytoghwbozbebcb.exe .

C:\Windows\gfbtqhytoghwbozbebcb.exe

gfbtqhytoghwbozbebcb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zvodxlzrjywikucbb.exe

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\gfbtqhytoghwbozbebcb.exe*."

C:\Windows\zvodxlzrjywikucbb.exe

zvodxlzrjywikucbb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c snftmzmduifqrahf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe

C:\Windows\snftmzmduifqrahf.exe

snftmzmduifqrahf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe

C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\snftmzmduifqrahf.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pjbtjdcrmnchufhkhrld.exe

C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe

C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe .

C:\Windows\pjbtjdcrmnchufhkhrld.exe

pjbtjdcrmnchufhkhrld.exe

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\trmdzpfztkkycoyzbxx.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rjzpdvsfyxknyhhidl.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Windows\rjzpdvsfyxknyhhidl.exe

rjzpdvsfyxknyhhidl.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brftfvqbspabkrpo.exe

C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe

C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .

C:\Users\Admin\AppData\Local\Temp\ejmpq.exe

"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"

C:\Users\Admin\AppData\Local\Temp\ejmpq.exe

"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pjbtjdcrmnchufhkhrld.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\rjzpdvsfyxknyhhidl.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ezslcxxnjlbhvhkomxsle.exe

C:\Windows\brftfvqbspabkrpo.exe

brftfvqbspabkrpo.exe

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\snftmzmduifqrahf.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ezslcxxnjlbhvhkomxsle.exe .

C:\Windows\pjbtjdcrmnchufhkhrld.exe

pjbtjdcrmnchufhkhrld.exe .

C:\Users\Admin\AppData\Local\Temp\ezslcxxnjlbhvhkomxsle.exe

C:\Users\Admin\AppData\Local\Temp\ezslcxxnjlbhvhkomxsle.exe

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\pjbtjdcrmnchufhkhrld.exe*."

C:\Users\Admin\AppData\Local\Temp\ezslcxxnjlbhvhkomxsle.exe

C:\Users\Admin\AppData\Local\Temp\ezslcxxnjlbhvhkomxsle.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rjzpdvsfyxknyhhidl.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\ezslcxxnjlbhvhkomxsle.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cvmdsljxrrfjvfgieng.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\rjzpdvsfyxknyhhidl.exe

C:\Users\Admin\AppData\Local\Temp\rjzpdvsfyxknyhhidl.exe

C:\Users\Admin\AppData\Local\Temp\cvmdsljxrrfjvfgieng.exe

C:\Users\Admin\AppData\Local\Temp\cvmdsljxrrfjvfgieng.exe .

C:\Windows\vvsljbtplegwcqcfjhjjg.exe

vvsljbtplegwcqcfjhjjg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\cvmdsljxrrfjvfgieng.exe*."

C:\Windows\ifzpkzohaqpcfqzzav.exe

ifzpkzohaqpcfqzzav.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\ifzpkzohaqpcfqzzav.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c snftmzmduifqrahf.exe .

C:\Windows\ifzpkzohaqpcfqzzav.exe

ifzpkzohaqpcfqzzav.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe

C:\Windows\snftmzmduifqrahf.exe

snftmzmduifqrahf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe .

C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe

C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\snftmzmduifqrahf.exe*."

C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe

C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\gfbtqhytoghwbozbebcb.exe*."

C:\Users\Admin\AppData\Local\Temp\ejmpq.exe

"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe

C:\Users\Admin\AppData\Local\Temp\ejmpq.exe

"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"

C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe

C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe .

C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe

C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\gfbtqhytoghwbozbebcb.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe

C:\Windows\ifzpkzohaqpcfqzzav.exe

ifzpkzohaqpcfqzzav.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe .

C:\Windows\ifzpkzohaqpcfqzzav.exe

ifzpkzohaqpcfqzzav.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c snftmzmduifqrahf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gfbtqhytoghwbozbebcb.exe .

C:\Windows\snftmzmduifqrahf.exe

snftmzmduifqrahf.exe

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\ifzpkzohaqpcfqzzav.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe

C:\Windows\gfbtqhytoghwbozbebcb.exe

gfbtqhytoghwbozbebcb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe .

C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe

C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\gfbtqhytoghwbozbebcb.exe*."

C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe

C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\gfbtqhytoghwbozbebcb.exe*."

C:\Users\Admin\AppData\Local\Temp\ejmpq.exe

"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"

C:\Users\Admin\AppData\Local\Temp\ejmpq.exe

"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe .

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe

C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe

C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe .

C:\Windows\vvsljbtplegwcqcfjhjjg.exe

vvsljbtplegwcqcfjhjjg.exe

C:\Windows\vvsljbtplegwcqcfjhjjg.exe

vvsljbtplegwcqcfjhjjg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\gfbtqhytoghwbozbebcb.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe .

C:\Windows\ifzpkzohaqpcfqzzav.exe

ifzpkzohaqpcfqzzav.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gfbtqhytoghwbozbebcb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gfbtqhytoghwbozbebcb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c snftmzmduifqrahf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe .

C:\Windows\ifzpkzohaqpcfqzzav.exe

ifzpkzohaqpcfqzzav.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\ifzpkzohaqpcfqzzav.exe*."

C:\Windows\gfbtqhytoghwbozbebcb.exe

gfbtqhytoghwbozbebcb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c snftmzmduifqrahf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe .

C:\Windows\gfbtqhytoghwbozbebcb.exe

gfbtqhytoghwbozbebcb.exe

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\ifzpkzohaqpcfqzzav.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gfbtqhytoghwbozbebcb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe

C:\Windows\ifzpkzohaqpcfqzzav.exe

ifzpkzohaqpcfqzzav.exe .

C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe

C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe .

C:\Windows\snftmzmduifqrahf.exe

snftmzmduifqrahf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe .

C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe

C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gfbtqhytoghwbozbebcb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe .

C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe

C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .

C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe

C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe

C:\Users\Admin\AppData\Local\Temp\ejmpq.exe

"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"

C:\Windows\snftmzmduifqrahf.exe

snftmzmduifqrahf.exe

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\ifzpkzohaqpcfqzzav.exe*."

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\ifzpkzohaqpcfqzzav.exe*."

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\snftmzmduifqrahf.exe*."

C:\Users\Admin\AppData\Local\Temp\ejmpq.exe

"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\snftmzmduifqrahf.exe*."

C:\Windows\gfbtqhytoghwbozbebcb.exe

gfbtqhytoghwbozbebcb.exe .

C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe

C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe

C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe

C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe .

C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe

C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe

C:\Windows\gfbtqhytoghwbozbebcb.exe

gfbtqhytoghwbozbebcb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe

C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe

C:\Windows\vvsljbtplegwcqcfjhjjg.exe

vvsljbtplegwcqcfjhjjg.exe .

C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe

C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\gfbtqhytoghwbozbebcb.exe*."

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\trmdzpfztkkycoyzbxx.exe*."

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\vvsljbtplegwcqcfjhjjg.exe*."

C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe

C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\vvsljbtplegwcqcfjhjjg.exe*."

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\trmdzpfztkkycoyzbxx.exe*."

C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe

C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\ifzpkzohaqpcfqzzav.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe

C:\Windows\ifzpkzohaqpcfqzzav.exe

ifzpkzohaqpcfqzzav.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe .

C:\Windows\ifzpkzohaqpcfqzzav.exe

ifzpkzohaqpcfqzzav.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c trmdzpfztkkycoyzbxx.exe

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\ifzpkzohaqpcfqzzav.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe .

C:\Windows\trmdzpfztkkycoyzbxx.exe

trmdzpfztkkycoyzbxx.exe

C:\Windows\vvsljbtplegwcqcfjhjjg.exe

vvsljbtplegwcqcfjhjjg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Users\Admin\AppData\Local\Temp\ejmpq.exe

"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe .

C:\Users\Admin\AppData\Local\Temp\ejmpq.exe

"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\vvsljbtplegwcqcfjhjjg.exe*."

C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe

C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\trmdzpfztkkycoyzbxx.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe .

C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe

C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe

C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe

C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe .

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\zvodxlzrjywikucbb.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zvodxlzrjywikucbb.exe

C:\Windows\zvodxlzrjywikucbb.exe

zvodxlzrjywikucbb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c trmdzpfztkkycoyzbxx.exe .

C:\Windows\trmdzpfztkkycoyzbxx.exe

trmdzpfztkkycoyzbxx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c trmdzpfztkkycoyzbxx.exe

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\trmdzpfztkkycoyzbxx.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gfbtqhytoghwbozbebcb.exe .

C:\Windows\trmdzpfztkkycoyzbxx.exe

trmdzpfztkkycoyzbxx.exe

C:\Users\Admin\AppData\Local\Temp\ejmpq.exe

"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe

C:\Users\Admin\AppData\Local\Temp\ejmpq.exe

"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"

C:\Windows\gfbtqhytoghwbozbebcb.exe

gfbtqhytoghwbozbebcb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe .

C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe

C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\gfbtqhytoghwbozbebcb.exe*."

Network

Country Destination Domain Proto
US 8.8.8.8:53 whatismyipaddress.com udp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 8.8.8.8:53 www.whatismyip.ca udp
US 8.8.8.8:53 whatismyip.everdot.org udp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 8.8.8.8:53 www.whatismyip.com udp
US 172.66.43.169:80 www.whatismyip.com tcp
US 172.66.43.169:80 www.whatismyip.com tcp
US 8.8.8.8:53 whatismyip.everdot.org udp
US 8.8.8.8:53 www.showmyipaddress.com udp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 8.8.8.8:53 www.whatismyip.ca udp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 172.66.43.169:80 www.whatismyip.com tcp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 172.66.43.169:80 www.whatismyip.com tcp
US 172.66.43.169:80 www.whatismyip.com tcp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 8.8.8.8:53 whatismyip.everdot.org udp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 172.66.43.169:80 www.whatismyip.com tcp
US 8.8.8.8:53 www.whatismyip.ca udp
US 8.8.8.8:53 www.youtube.com udp
NL 108.177.96.93:80 www.youtube.com tcp
RU 77.223.78.79:38707 tcp
US 8.8.8.8:53 gyuuym.org udp
DE 85.214.228.140:80 gyuuym.org tcp
US 8.8.8.8:53 eexkotf.info udp
US 8.8.8.8:53 eiwoaeokgwog.com udp
US 8.8.8.8:53 qqgyfxxrwi.info udp
US 8.8.8.8:53 uccqsmaceeog.com udp
US 8.8.8.8:53 vvpqlmhsvez.org udp
US 8.8.8.8:53 uyyqmq.org udp
US 8.8.8.8:53 pmfrjpd.net udp
US 8.8.8.8:53 nwnlunl.info udp
US 8.8.8.8:53 unxfuild.info udp
SG 18.142.91.111:80 unxfuild.info tcp
US 8.8.8.8:53 ecarkkfge.net udp
US 8.8.8.8:53 udxeinqijify.net udp
US 8.8.8.8:53 gqturtz.info udp
US 8.8.8.8:53 pzonmwzqaaxg.net udp
US 8.8.8.8:53 mwvcdel.info udp
US 8.8.8.8:53 zbwlzqxw.info udp
US 8.8.8.8:53 trddaw.info udp
US 8.8.8.8:53 ggoiukqgsikq.org udp
US 8.8.8.8:53 kfdhntds.info udp
US 8.8.8.8:53 soosoutg.net udp
US 8.8.8.8:53 regnxpfm.info udp
US 8.8.8.8:53 udzdjiddn.net udp
US 8.8.8.8:53 gikmsuwy.net udp
US 8.8.8.8:53 eckwgkuwmoig.org udp
US 8.8.8.8:53 yaaqimkemuce.com udp
US 8.8.8.8:53 chttig.net udp
US 8.8.8.8:53 bgzztyt.net udp
US 8.8.8.8:53 ygoukmwg.org udp
RU 81.163.102.144:42522 tcp
US 8.8.8.8:53 ggqywaauomwa.com udp
US 8.8.8.8:53 uhvsgrzt.net udp
US 8.8.8.8:53 igbrdw.net udp
US 8.8.8.8:53 dlrwpmnz.net udp
US 8.8.8.8:53 cydlrge.info udp
US 104.156.155.94:80 cydlrge.info tcp
US 8.8.8.8:53 zbbwbxbltuys.info udp
US 8.8.8.8:53 wqguhmew.net udp
US 8.8.8.8:53 wmimwemk.org udp
US 8.8.8.8:53 mjotpzfbosdh.info udp
US 8.8.8.8:53 rnjocnb.org udp
US 8.8.8.8:53 fvmsxycepv.net udp
US 8.8.8.8:53 vvqkmettlbmk.info udp
US 8.8.8.8:53 dxtisnno.info udp
US 8.8.8.8:53 luvehemiri.info udp
US 8.8.8.8:53 emjefllcr.info udp
US 8.8.8.8:53 grqivjdkk.info udp
US 8.8.8.8:53 lalckpw.org udp
US 8.8.8.8:53 pqtgwlb.org udp
US 8.8.8.8:53 xrjgqeapv.org udp
US 8.8.8.8:53 hmfurcniz.info udp
US 8.8.8.8:53 drpnaxockodb.info udp
US 8.8.8.8:53 xpyokogem.com udp
US 8.8.8.8:53 jubqjqz.info udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
RU 109.171.90.106:22110 tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 lgtefafwk.com udp
US 8.8.8.8:53 ddpobim.org udp
US 8.8.8.8:53 xxuoecb.info udp
US 8.8.8.8:53 jiwoyixyg.net udp
US 8.8.8.8:53 torklmn.com udp
US 8.8.8.8:53 xkfnifzmj.org udp
US 8.8.8.8:53 gyfuvgp.net udp
US 8.8.8.8:53 iqgnvszeyxj.info udp
US 8.8.8.8:53 ewhqxezcwwc.net udp
US 8.8.8.8:53 zvnetamn.net udp
US 8.8.8.8:53 tpmursqydo.info udp
US 8.8.8.8:53 sjhiaceqz.net udp
US 8.8.8.8:53 ajkaletef.net udp
US 8.8.8.8:53 oocqoeecym.org udp
US 8.8.8.8:53 rgvavtfukg.net udp
US 8.8.8.8:53 yoaoooewyeeo.com udp
US 8.8.8.8:53 psghwaps.net udp
US 8.8.8.8:53 qxmfwo.info udp
US 8.8.8.8:53 mdhpuesj.net udp
US 8.8.8.8:53 xkmdfofxu.info udp
US 8.8.8.8:53 aiatzchrhzlw.info udp
US 8.8.8.8:53 ocwieqwsmgom.com udp
US 8.8.8.8:53 tqstvovrnut.com udp
US 8.8.8.8:53 kzobzbbskkfp.net udp
US 8.8.8.8:53 dqjrswwie.com udp
US 8.8.8.8:53 ebzxznzyf.net udp
US 8.8.8.8:53 magqum.org udp
US 8.8.8.8:53 irjegoeijuj.info udp
US 8.8.8.8:53 vrxmprngmlhk.net udp
US 8.8.8.8:53 eznabol.net udp
US 8.8.8.8:53 zsbgeev.org udp
US 8.8.8.8:53 wpnlfudy.net udp
US 8.8.8.8:53 xqnwrkdey.info udp
US 8.8.8.8:53 vpaefgq.info udp
US 8.8.8.8:53 nuhureuszkp.com udp
US 8.8.8.8:53 klqmnybibg.net udp
US 8.8.8.8:53 uumocigk.org udp
US 8.8.8.8:53 xtwmrcheht.net udp
US 8.8.8.8:53 ouykoueski.com udp
US 8.8.8.8:53 lxuwvnzn.info udp
US 8.8.8.8:53 fzephmmo.info udp
US 8.8.8.8:53 bippbklpogp.com udp
US 8.8.8.8:53 wsvyjilqa.net udp
US 8.8.8.8:53 favsrkddpp.info udp
US 8.8.8.8:53 miblxid.net udp
US 8.8.8.8:53 llgqjodd.info udp
US 8.8.8.8:53 dkouvubcpovf.info udp
US 8.8.8.8:53 wzvyhpgfpx.info udp
BG 212.73.158.164:38314 tcp
US 8.8.8.8:53 lyfydcz.org udp
US 8.8.8.8:53 hfnwtvpktc.net udp
US 8.8.8.8:53 ojulvu.info udp
US 8.8.8.8:53 kgucribs.info udp
US 8.8.8.8:53 hvistgf.net udp
US 8.8.8.8:53 jpmvdl.net udp
US 8.8.8.8:53 zyfitez.info udp
US 8.8.8.8:53 bhmarckn.net udp
US 8.8.8.8:53 sqnjdmcsljl.info udp
US 8.8.8.8:53 uyfwfygyt.net udp
US 8.8.8.8:53 ckuhkr.net udp
US 8.8.8.8:53 plawpqxu.info udp
US 8.8.8.8:53 ivpifeg.info udp
US 8.8.8.8:53 fbosnbkf.info udp
US 8.8.8.8:53 leqdurjb.net udp
US 8.8.8.8:53 wwjcfsq.net udp
US 8.8.8.8:53 nqcmmotmvcl.org udp
US 8.8.8.8:53 jjhkcassxjkg.info udp
US 8.8.8.8:53 vmfyzxjop.com udp
US 8.8.8.8:53 pevposdkzmmx.net udp
US 8.8.8.8:53 sqjshm.net udp
US 8.8.8.8:53 akmgqmaqycae.com udp
US 8.8.8.8:53 dxikspgshgbk.info udp
US 8.8.8.8:53 zitaxgf.org udp
US 8.8.8.8:53 iqkyaqi.net udp
US 8.8.8.8:53 iakqgqqq.org udp
US 8.8.8.8:53 xuhjhgh.net udp
US 8.8.8.8:53 lgmwshpwdp.net udp
US 8.8.8.8:53 xkfcrlu.info udp
US 8.8.8.8:53 kiswiethjbsx.info udp
US 8.8.8.8:53 iqmqka.org udp
US 8.8.8.8:53 imkksu.org udp
US 8.8.8.8:53 zgrjrexb.net udp
US 8.8.8.8:53 caqkxcv.net udp
US 8.8.8.8:53 seymos.com udp
US 8.8.8.8:53 jkkusoleoks.com udp
US 8.8.8.8:53 tmswpub.net udp
US 8.8.8.8:53 eeueccewmeem.com udp
LT 78.60.137.134:36561 tcp
US 8.8.8.8:53 ymqfljmkljmc.info udp
US 8.8.8.8:53 wewsmy.com udp
US 8.8.8.8:53 pdghwgfykon.info udp
US 8.8.8.8:53 fffqhazzmohe.info udp
US 8.8.8.8:53 gthoprfe.net udp
US 8.8.8.8:53 muiyya.com udp
US 8.8.8.8:53 xudwqcfsmygf.net udp
US 8.8.8.8:53 vlpxze.info udp
US 8.8.8.8:53 achoflxaa.net udp
US 8.8.8.8:53 swdopariv.net udp
US 8.8.8.8:53 qykweumuge.org udp
US 8.8.8.8:53 skywyumxq.net udp
US 8.8.8.8:53 gefvuptctc.net udp
US 8.8.8.8:53 fupqdkuv.info udp
US 8.8.8.8:53 aygspphuc.info udp
US 8.8.8.8:53 seltwxls.net udp
US 8.8.8.8:53 usikcoem.com udp
US 8.8.8.8:53 egsmyysc.org udp
US 8.8.8.8:53 gjbqvl.net udp
US 8.8.8.8:53 vntcidw.com udp
US 8.8.8.8:53 humrwvaatezj.net udp
US 8.8.8.8:53 nshdioh.net udp
US 8.8.8.8:53 bzgwumazks.info udp
US 8.8.8.8:53 tckqjmvimmw.info udp
US 8.8.8.8:53 njugbgahswnd.net udp
US 8.8.8.8:53 ocvvzewlhdly.net udp
US 8.8.8.8:53 ekqqcc.org udp
US 8.8.8.8:53 lqvcwl.net udp
US 8.8.8.8:53 ndxazqnb.net udp
US 8.8.8.8:53 vuthfotnwmf.com udp
US 8.8.8.8:53 ywtgbieahsr.info udp
US 8.8.8.8:53 dwfkeogzvhjn.info udp
US 8.8.8.8:53 gppxtymxoc.info udp
US 8.8.8.8:53 yrubfclb.net udp
US 8.8.8.8:53 vfylrr.net udp
US 8.8.8.8:53 hqpqaejqff.info udp
US 8.8.8.8:53 guwiskkcya.com udp
US 8.8.8.8:53 gqmukaaqaagc.org udp
US 8.8.8.8:53 aiiepcaupxr.net udp
US 8.8.8.8:53 qtgqqinahbp.info udp
US 8.8.8.8:53 heeufoyzrgzr.info udp
US 8.8.8.8:53 kjomfddc.net udp
US 8.8.8.8:53 uugtwfjkea.info udp
US 8.8.8.8:53 rsmgvipsbxn.org udp
US 8.8.8.8:53 tcvuvhjwh.info udp
US 8.8.8.8:53 yykogaeeuwik.com udp
US 8.8.8.8:53 osaoggsu.org udp
US 8.8.8.8:53 jubvpax.info udp
US 8.8.8.8:53 zrnddj.net udp
US 8.8.8.8:53 kuswuaiammek.org udp
US 8.8.8.8:53 aknsgwkcl.net udp
US 8.8.8.8:53 mheoufbwbusq.info udp
US 8.8.8.8:53 nuwoqwuunwy.net udp
US 8.8.8.8:53 hyvslrtyap.info udp
US 8.8.8.8:53 gmmikjtntd.info udp
US 8.8.8.8:53 ecbwysbz.info udp
US 8.8.8.8:53 njmyupro.net udp
US 8.8.8.8:53 ucueqqeq.org udp
US 8.8.8.8:53 lbhivufnh.info udp
RU 37.78.53.100:31421 tcp
US 8.8.8.8:53 c.pki.goog udp
NL 173.194.69.94:80 c.pki.goog tcp
US 8.8.8.8:53 hvamve.net udp
US 8.8.8.8:53 javenjmjab.net udp
US 8.8.8.8:53 tbifbcfqrqf.org udp
US 8.8.8.8:53 xrpwmsl.info udp
US 8.8.8.8:53 xmksnjkx.info udp
US 8.8.8.8:53 xefyrbw.net udp
US 8.8.8.8:53 inqwsjvwfih.net udp
US 8.8.8.8:53 hcxkvqpgp.info udp
US 8.8.8.8:53 djlewglculp.info udp
US 8.8.8.8:53 porqmpwyjdxr.net udp
US 8.8.8.8:53 gwjhiykur.net udp
US 8.8.8.8:53 xuydlddpph.net udp
US 8.8.8.8:53 iusioomq.org udp
US 8.8.8.8:53 rmdqbsr.org udp
US 8.8.8.8:53 huujzzqbkb.net udp
US 8.8.8.8:53 pwbuzxafqa.info udp
US 8.8.8.8:53 pyrkeqsjq.com udp
US 8.8.8.8:53 eufrzjcqd.info udp
US 8.8.8.8:53 zctqses.net udp
US 8.8.8.8:53 zsetki.net udp
US 8.8.8.8:53 amkwyw.com udp
US 8.8.8.8:53 kdverxnqr.info udp
US 8.8.8.8:53 wcsbrpz.net udp
US 8.8.8.8:53 qicvvzbiszlq.info udp
US 8.8.8.8:53 lemywmdxdvv.com udp
US 8.8.8.8:53 eqhajgnyp.net udp
US 8.8.8.8:53 uwcuws.org udp
US 8.8.8.8:53 tsdgpzgl.net udp
US 8.8.8.8:53 bbynszjbnxfz.net udp
US 8.8.8.8:53 uzkkfpnqprh.net udp
US 8.8.8.8:53 azlfou.info udp
US 8.8.8.8:53 sqxianowwh.info udp
US 8.8.8.8:53 iqxilwn.net udp
US 8.8.8.8:53 tuccxwxuj.net udp
US 8.8.8.8:53 gicwkesk.com udp
US 8.8.8.8:53 eyrwhecqcld.net udp
US 8.8.8.8:53 umyicieyee.org udp
US 8.8.8.8:53 iwseueyaqw.com udp
US 8.8.8.8:53 vcsuct.net udp
US 8.8.8.8:53 cgmuyuwkkm.com udp
US 8.8.8.8:53 kqvfjr.info udp
US 8.8.8.8:53 vlrfndulx.info udp
US 8.8.8.8:53 cwthxabhl.net udp
US 8.8.8.8:53 vfnvyo.net udp
US 8.8.8.8:53 ycfwxyn.info udp
US 8.8.8.8:53 gnbqfeved.info udp
US 8.8.8.8:53 fsyczawoha.info udp
US 8.8.8.8:53 vtwxdsja.net udp
US 8.8.8.8:53 qxofewvrb.info udp
AM 46.241.134.173:23589 tcp
US 8.8.8.8:53 bjlqfjfcb.com udp
US 8.8.8.8:53 atkzfclhbift.info udp
US 8.8.8.8:53 culfmfiszv.info udp
US 8.8.8.8:53 gmbywzdol.info udp
US 8.8.8.8:53 wkpicsh.net udp
US 8.8.8.8:53 wueysyqiyg.org udp
US 8.8.8.8:53 ehtosibmmys.info udp
US 8.8.8.8:53 gltmmafax.info udp
US 8.8.8.8:53 xhphlikerv.info udp
US 8.8.8.8:53 gbcmemmhsqpa.net udp
US 8.8.8.8:53 ysoqemye.org udp
US 8.8.8.8:53 jjrefkv.net udp
US 8.8.8.8:53 itnkwq.net udp
US 8.8.8.8:53 zzjgyfkosf.info udp
US 8.8.8.8:53 aldrtf.net udp
US 8.8.8.8:53 bausazsepk.net udp
US 8.8.8.8:53 baniuuvaaax.info udp
US 8.8.8.8:53 kjskvzf.info udp
US 8.8.8.8:53 tcldzk.info udp
US 8.8.8.8:53 sjoyvjzf.info udp
US 8.8.8.8:53 vewebedwhrv.info udp
US 8.8.8.8:53 ckuqrjeub.net udp
US 8.8.8.8:53 uqlqvwc.net udp
US 8.8.8.8:53 lzbjkx.info udp
US 8.8.8.8:53 nvfxjwp.net udp
US 8.8.8.8:53 zjtbhml.info udp
US 8.8.8.8:53 eivmeyn.info udp
US 8.8.8.8:53 yjhgjgmq.net udp
US 8.8.8.8:53 xjlsdzdaotpm.net udp
US 8.8.8.8:53 blriytvijot.com udp
US 8.8.8.8:53 omcuoigmv.net udp
US 8.8.8.8:53 vsvsvsomp.com udp
US 8.8.8.8:53 eqgsya.org udp
DE 24.134.86.213:37182 tcp
US 8.8.8.8:53 wstbmf.net udp
US 8.8.8.8:53 kyilnx.net udp
US 8.8.8.8:53 aqwwys.com udp
US 8.8.8.8:53 jylsfen.org udp
US 8.8.8.8:53 jklojvfnlb.net udp
US 8.8.8.8:53 yavufybezxf.net udp
US 8.8.8.8:53 xylupgl.com udp
US 8.8.8.8:53 gaqkygwq.org udp
US 8.8.8.8:53 fnzepm.net udp
US 8.8.8.8:53 iuwkackk.org udp
US 8.8.8.8:53 jcyigavj.info udp
US 8.8.8.8:53 jrbulad.info udp
US 8.8.8.8:53 kfnuyajya.net udp
US 8.8.8.8:53 utlyppx.net udp
US 8.8.8.8:53 spmckxrwmaso.info udp
US 8.8.8.8:53 bkdzbgbicy.net udp
US 8.8.8.8:53 qcwgskmqgc.com udp
US 8.8.8.8:53 bpzorpfuhtf.org udp
US 8.8.8.8:53 ljdgtntid.net udp
US 8.8.8.8:53 ykosooggwmkm.com udp
US 8.8.8.8:53 skidsahnfh.net udp
US 8.8.8.8:53 lmxyrocqoy.info udp
US 8.8.8.8:53 gasaimoacc.org udp
US 8.8.8.8:53 bkngmvgi.net udp
US 8.8.8.8:53 qceeue.org udp
US 8.8.8.8:53 ehfsbzfmhopw.info udp
US 8.8.8.8:53 nqygdzueec.info udp
US 8.8.8.8:53 bqdindvszcl.com udp
US 8.8.8.8:53 khjrjixfvoh.net udp
US 8.8.8.8:53 dykwknvmdfdj.info udp
US 8.8.8.8:53 rrvoahykpt.info udp
DE 24.134.86.213:37182 tcp
US 8.8.8.8:53 wawaoiyk.com udp
US 8.8.8.8:53 lqrtfqem.info udp
US 8.8.8.8:53 bzxzkk.info udp
US 8.8.8.8:53 rkqxiqanjzte.info udp
US 8.8.8.8:53 zbbudf.net udp
US 8.8.8.8:53 xilurslwdcv.org udp
US 8.8.8.8:53 szezcs.info udp
US 8.8.8.8:53 pkqsdeb.org udp
US 8.8.8.8:53 vxnkiyjsbfll.info udp
US 8.8.8.8:53 fcbmrodq.net udp
US 8.8.8.8:53 dazulnj.org udp
US 8.8.8.8:53 skqlbuxa.info udp
US 8.8.8.8:53 pspaksboj.info udp
US 8.8.8.8:53 xszolrihdsb.org udp
US 8.8.8.8:53 jzthxr.net udp
US 8.8.8.8:53 gayqkium.com udp
US 8.8.8.8:53 ergpaczjthrq.net udp
US 8.8.8.8:53 fjusznt.com udp
US 8.8.8.8:53 pmcknukxt.org udp
US 8.8.8.8:53 gacmoaeggkiy.org udp
US 8.8.8.8:53 aotyaxzx.net udp
US 8.8.8.8:53 zuhmapbot.net udp
US 8.8.8.8:53 cnzloatrxd.net udp
US 8.8.8.8:53 iokoyicu.org udp
US 8.8.8.8:53 pirrnagupur.info udp
US 8.8.8.8:53 uarvmkb.info udp
US 8.8.8.8:53 dmxgwpqsqpfb.net udp
US 8.8.8.8:53 vjvlnnztmb.net udp
US 8.8.8.8:53 dxtcjjvqzm.net udp
US 8.8.8.8:53 pgaihqxg.info udp
US 8.8.8.8:53 yojkaljecqs.info udp
US 8.8.8.8:53 wakuwkosocgq.org udp
US 8.8.8.8:53 lctxdahwfit.org udp
US 8.8.8.8:53 djnaih.net udp
US 8.8.8.8:53 ecegeakc.org udp
US 8.8.8.8:53 jazciccsnsz.org udp
US 8.8.8.8:53 afkezlokdt.info udp
US 8.8.8.8:53 talfuiea.info udp
US 8.8.8.8:53 ootkjdzphd.net udp
US 8.8.8.8:53 fmdqzqjnt.net udp
US 8.8.8.8:53 swhesyhutpn.net udp
US 8.8.8.8:53 wagksk.org udp
BG 78.83.141.57:33295 tcp
US 8.8.8.8:53 aararuzmj.info udp
US 8.8.8.8:53 oeuyomqoyg.com udp
US 8.8.8.8:53 zrizzt.net udp
US 8.8.8.8:53 mcvyjkxyonf.info udp
US 8.8.8.8:53 dbbxjezlikvj.net udp
US 8.8.8.8:53 nsjnpn.net udp
US 8.8.8.8:53 hqggncb.com udp
US 8.8.8.8:53 jbqnjatgjoq.info udp
US 8.8.8.8:53 ogqeocmggack.com udp
US 8.8.8.8:53 ucwzpxpgexdy.info udp
US 8.8.8.8:53 yakuuc.org udp
US 8.8.8.8:53 bbrqxulc.info udp
US 8.8.8.8:53 ivewnr.info udp
US 8.8.8.8:53 pwexny.net udp
US 8.8.8.8:53 lkyazabydsyc.info udp
US 8.8.8.8:53 xhjgly.info udp
US 8.8.8.8:53 rwwonop.com udp
US 8.8.8.8:53 hwpcjyzas.org udp
US 8.8.8.8:53 gjdqtga.net udp
US 8.8.8.8:53 juhcxksgyed.com udp
US 8.8.8.8:53 nqxijbihvn.info udp
US 8.8.8.8:53 cllotyt.info udp
US 8.8.8.8:53 esmkkwoguqsi.org udp
US 8.8.8.8:53 syxifqaqc.info udp
US 8.8.8.8:53 yspynbdonzn.net udp
US 8.8.8.8:53 lafpzlpndekd.net udp
US 8.8.8.8:53 jsaavzp.net udp
US 8.8.8.8:53 xrctizgjhu.net udp
US 8.8.8.8:53 yqhjgibtrr.net udp
US 8.8.8.8:53 rfcqjgcwrllk.info udp
US 8.8.8.8:53 tvjkhjzkp.info udp
US 8.8.8.8:53 dtpihozfb.info udp
US 8.8.8.8:53 iyysqkwk.com udp
US 8.8.8.8:53 oofhvr.info udp
US 8.8.8.8:53 ooewwc.org udp
US 8.8.8.8:53 fpfevmogf.org udp
US 8.8.8.8:53 cqjkpycajgl.info udp
US 8.8.8.8:53 jypigkw.net udp
US 8.8.8.8:53 surbpjzrpz.info udp
US 8.8.8.8:53 ekvrqipon.info udp
MD 37.75.78.197:39602 tcp
US 8.8.8.8:53 jphhtgd.com udp
US 8.8.8.8:53 wzrgpxhnr.info udp
US 8.8.8.8:53 ygyuos.com udp
US 8.8.8.8:53 zwbalgplxc.info udp
US 8.8.8.8:53 tjesbej.org udp
US 8.8.8.8:53 qxpqcowoxj.net udp
US 8.8.8.8:53 pqyycduqzs.info udp
US 8.8.8.8:53 kqqshdptab.info udp
US 8.8.8.8:53 wgwmegoucoug.org udp
US 8.8.8.8:53 omierhazkhgw.net udp
US 8.8.8.8:53 caxfwelvch.net udp
US 8.8.8.8:53 gglyjmvqf.net udp
US 8.8.8.8:53 hgfipol.net udp
US 8.8.8.8:53 rlfwvfxudiy.org udp
US 8.8.8.8:53 saalppztotvc.net udp
US 8.8.8.8:53 kwdrqyzrhd.net udp
US 8.8.8.8:53 gyquywiaos.org udp
US 8.8.8.8:53 bhlsypeeex.info udp
US 8.8.8.8:53 xrjmbmgmisvh.info udp
US 8.8.8.8:53 zlentobezop.org udp
US 8.8.8.8:53 xbhogt.net udp
US 8.8.8.8:53 tfjkjw.net udp
US 8.8.8.8:53 sedurcvlz.net udp
US 8.8.8.8:53 wodmlspgi.net udp
US 8.8.8.8:53 jqtenkdayoy.org udp
US 8.8.8.8:53 snfpeo.info udp
US 8.8.8.8:53 vteelbsv.info udp
US 8.8.8.8:53 qgvvucy.net udp
US 8.8.8.8:53 eufesoo.info udp
US 8.8.8.8:53 nzrivburitvi.info udp
US 8.8.8.8:53 qbzieldgeut.net udp
US 8.8.8.8:53 lvliwxsju.net udp
US 8.8.8.8:53 aobjzumoeab.net udp
US 8.8.8.8:53 lkwxxizcgmer.info udp
US 8.8.8.8:53 gyqmes.org udp
US 8.8.8.8:53 vmefar.net udp
US 8.8.8.8:53 wcgcuuiu.org udp
US 8.8.8.8:53 clccpmhqpyue.info udp
US 8.8.8.8:53 gaagywiikeyo.com udp
US 8.8.8.8:53 xyfaxuajx.info udp
US 8.8.8.8:53 naziosjghmh.net udp
US 8.8.8.8:53 oqchzve.net udp
US 8.8.8.8:53 nhmyomxjv.info udp
US 8.8.8.8:53 pkfrrjmr.net udp
US 8.8.8.8:53 ybamjo.net udp
US 8.8.8.8:53 eskmjir.net udp
US 8.8.8.8:53 dirrkj.net udp
US 8.8.8.8:53 tyzkrdhyl.info udp
US 8.8.8.8:53 iiggioeaaoee.org udp
LT 5.20.66.115:45152 tcp
US 8.8.8.8:53 bonhivlurp.info udp
US 8.8.8.8:53 jwferid.com udp
US 8.8.8.8:53 vyvijbihvn.info udp
US 8.8.8.8:53 cykxrrvwfp.net udp
US 8.8.8.8:53 sgjopnhso.net udp
US 8.8.8.8:53 aociqgkm.com udp
US 8.8.8.8:53 xebolmhkpnrf.info udp
US 8.8.8.8:53 pemqfyvnh.info udp
US 8.8.8.8:53 hsrofavrq.net udp
US 8.8.8.8:53 ggprqcwzbk.net udp
US 8.8.8.8:53 jyebkpa.org udp
US 8.8.8.8:53 bwgadgk.com udp
US 8.8.8.8:53 nhtppsvh.info udp
US 8.8.8.8:53 swxsxhjyqfi.info udp
US 8.8.8.8:53 vtklsoeptekl.net udp
US 8.8.8.8:53 llpwlrlwpx.net udp
US 8.8.8.8:53 kgqwkeuqki.org udp
US 8.8.8.8:53 holjji.net udp
US 8.8.8.8:53 wieywauuciks.com udp
US 8.8.8.8:53 oriozsxinnto.net udp
US 8.8.8.8:53 ikuumlfbdyj.info udp
US 8.8.8.8:53 qcwgqmum.com udp
US 8.8.8.8:53 qucyaisc.com udp
US 8.8.8.8:53 bctwfgikb.org udp
US 8.8.8.8:53 wepptkf.info udp
US 8.8.8.8:53 jkbsgcx.info udp
US 8.8.8.8:53 vclulsd.org udp
US 8.8.8.8:53 fzqqksnzg.net udp
US 8.8.8.8:53 jwrzwgpyjb.info udp
US 8.8.8.8:53 zmpcftkwvdju.net udp
US 8.8.8.8:53 auamqesm.org udp
US 8.8.8.8:53 xmlymtnez.org udp
AM 46.241.134.173:23589 tcp
US 8.8.8.8:53 odzbrjqoy.info udp
US 8.8.8.8:53 tmdtrnnseycu.net udp
US 8.8.8.8:53 lgkppwwc.info udp
US 8.8.8.8:53 aalijqi.info udp
US 8.8.8.8:53 aqxaawj.net udp
US 8.8.8.8:53 vtckewcb.info udp
US 8.8.8.8:53 vilifkc.net udp
US 8.8.8.8:53 hiaojggd.info udp
US 8.8.8.8:53 jwryicour.net udp
US 8.8.8.8:53 suwciixf.info udp
US 8.8.8.8:53 odqisf.info udp
US 8.8.8.8:53 qgpihguuhzq.info udp
US 8.8.8.8:53 ncpmyszzt.info udp
US 8.8.8.8:53 agoiqgcy.org udp
US 8.8.8.8:53 tewpjph.org udp
US 8.8.8.8:53 ybxsqlwexbnh.info udp
US 8.8.8.8:53 ydyyiuz.net udp
US 8.8.8.8:53 ajcblsbopqna.net udp
US 8.8.8.8:53 cjjkjzvsdw.net udp
US 8.8.8.8:53 lnmdsr.net udp
US 8.8.8.8:53 kkiamiym.com udp
US 8.8.8.8:53 goknstgv.net udp
US 8.8.8.8:53 gntfxztnljap.net udp
US 8.8.8.8:53 wmfqbgb.net udp
US 8.8.8.8:53 iyeuuikw.com udp
US 8.8.8.8:53 jatdaajehomt.net udp
US 8.8.8.8:53 strpmpuozrzs.info udp
US 8.8.8.8:53 scdcax.info udp
US 8.8.8.8:53 tecahnfi.net udp
US 8.8.8.8:53 jvmvczysit.info udp
US 8.8.8.8:53 wvneioethg.net udp
US 8.8.8.8:53 momoemcy.com udp
US 8.8.8.8:53 mwgkuyee.org udp
US 8.8.8.8:53 jqabwsvxiyqr.net udp
US 8.8.8.8:53 bmjyxypus.net udp
US 8.8.8.8:53 gbzhlbzkj.net udp
US 8.8.8.8:53 iwymameawasg.com udp
US 8.8.8.8:53 xbgouwdx.net udp
US 8.8.8.8:53 nuvyetxexaz.info udp
US 8.8.8.8:53 rhufjc.net udp
US 8.8.8.8:53 uiceesz.info udp
US 8.8.8.8:53 mwueesisuk.com udp
US 8.8.8.8:53 bzaydhbkyko.info udp
US 8.8.8.8:53 ujxoveg.info udp
US 8.8.8.8:53 siomfmt.net udp
US 8.8.8.8:53 uoxjsmld.info udp
US 8.8.8.8:53 pebyjghrn.net udp
KZ 95.56.12.117:42839 tcp
US 8.8.8.8:53 nakmmnboo.net udp
US 8.8.8.8:53 ksgiaoamowmm.com udp
US 8.8.8.8:53 dieqzcpcb.org udp
US 8.8.8.8:53 ewiuauieao.com udp
US 8.8.8.8:53 hgqjinfucy.net udp
US 8.8.8.8:53 ospuaeooh.info udp
US 8.8.8.8:53 nkscwc.net udp
US 8.8.8.8:53 bjpwlrlwpx.net udp
US 8.8.8.8:53 skfaqmhww.net udp
US 8.8.8.8:53 szcwhwlcevl.info udp
US 8.8.8.8:53 eojaqgnph.net udp
US 8.8.8.8:53 imwkkoik.com udp
US 8.8.8.8:53 hwlcwdzi.net udp
US 8.8.8.8:53 wkuwoq.org udp
US 8.8.8.8:53 mkquos.com udp
US 8.8.8.8:53 ukgwqqigus.org udp
US 8.8.8.8:53 sewuvwb.net udp
US 8.8.8.8:53 hhyudahznf.info udp
US 8.8.8.8:53 uixrff.info udp
US 8.8.8.8:53 dtdfko.info udp
US 8.8.8.8:53 hvrmugbonll.org udp
US 8.8.8.8:53 oaewcmmi.com udp
US 8.8.8.8:53 lztutm.net udp
US 8.8.8.8:53 hbswnsc.info udp
US 8.8.8.8:53 oweuoiqciqko.org udp
US 8.8.8.8:53 yjyixeosc.net udp
US 8.8.8.8:53 ytibbcvsomah.info udp
US 8.8.8.8:53 oalwpcngx.info udp
US 8.8.8.8:53 bspoxwrz.net udp
US 8.8.8.8:53 xnzwaxpojetg.net udp
US 8.8.8.8:53 qmagae.com udp
US 8.8.8.8:53 jgkojuznm.org udp
US 8.8.8.8:53 xcrfxbihvn.info udp
US 8.8.8.8:53 henkkq.info udp
MD 93.116.230.64:15294 tcp
US 8.8.8.8:53 garynjfqf.net udp
US 8.8.8.8:53 dunkopfdudj.org udp
US 8.8.8.8:53 ogaaqsegcsua.com udp
US 8.8.8.8:53 coavgckfx.net udp
US 8.8.8.8:53 skxsxgekl.info udp
US 8.8.8.8:53 sxjrqtaplcaj.net udp
US 8.8.8.8:53 pvesxitaordl.info udp
US 8.8.8.8:53 qqdjxtff.info udp
US 8.8.8.8:53 qmmkcdx.net udp
US 8.8.8.8:53 bcscdylqkqh.org udp
US 8.8.8.8:53 dzrmxez.com udp
US 8.8.8.8:53 gofevllkfor.net udp
US 8.8.8.8:53 fcxthmvhet.net udp
US 8.8.8.8:53 xodkihx.org udp
US 8.8.8.8:53 kxldwaoqfn.info udp
US 8.8.8.8:53 ekkibidnt.net udp
US 8.8.8.8:53 vifhgu.net udp
US 8.8.8.8:53 uozdmyyaqni.net udp
US 8.8.8.8:53 fvjojj.info udp
US 8.8.8.8:53 xxbuvavqnao.net udp
US 8.8.8.8:53 rcdorur.info udp
US 8.8.8.8:53 oonfdh.info udp
US 8.8.8.8:53 tgzzsilpuoyu.info udp
US 8.8.8.8:53 epzlhdvdcaat.info udp
US 8.8.8.8:53 pyeppclzv.net udp
US 8.8.8.8:53 hmhvlxzgizgj.net udp
US 8.8.8.8:53 ocvnporuvqvx.net udp
US 8.8.8.8:53 moekqcumok.com udp
US 8.8.8.8:53 rejwrwpoa.info udp
BR 200.158.170.237:19466 tcp
US 8.8.8.8:53 tonqduf.info udp
US 8.8.8.8:53 amszjoed.net udp
US 8.8.8.8:53 ivvuttqyfeby.net udp
US 8.8.8.8:53 iyobvrfh.info udp
US 8.8.8.8:53 jmuyzwjxj.net udp
US 8.8.8.8:53 minwvfhcdfcg.info udp
US 8.8.8.8:53 qtbhhdpg.info udp
US 8.8.8.8:53 sgescokcmo.org udp
US 8.8.8.8:53 ilovbxgl.info udp
US 8.8.8.8:53 tvpcqzfd.net udp
US 8.8.8.8:53 pmrvlddqm.com udp
US 8.8.8.8:53 uljnwoyya.net udp
US 8.8.8.8:53 cykwsmek.com udp
US 8.8.8.8:53 iutmxlo.net udp
US 8.8.8.8:53 lzwgpqnxhy.net udp
US 8.8.8.8:53 kciewo.com udp
US 8.8.8.8:53 jwzmnwreh.info udp
US 8.8.8.8:53 xopfrsswlo.info udp
US 8.8.8.8:53 cnhgllwd.net udp
US 8.8.8.8:53 jehyhpbob.com udp
US 8.8.8.8:53 lhlfyfbjvsbs.net udp
US 8.8.8.8:53 bzmrhx.info udp
US 8.8.8.8:53 pifyielslmx.info udp
US 8.8.8.8:53 xwvctcqga.info udp
US 8.8.8.8:53 luaiurlae.info udp
US 8.8.8.8:53 raftszrzer.info udp
US 8.8.8.8:53 yedyywowdnj.info udp
US 8.8.8.8:53 qouomase.com udp
US 8.8.8.8:53 ycworew.net udp
US 8.8.8.8:53 dhbbfl.info udp
US 8.8.8.8:53 hsfspwfirsr.org udp
US 8.8.8.8:53 uysoikugis.com udp
US 8.8.8.8:53 viczrmaky.info udp
US 8.8.8.8:53 fumvct.net udp
US 8.8.8.8:53 ivygmakddu.net udp
US 8.8.8.8:53 yqydhx.net udp
US 8.8.8.8:53 dnyidwf.info udp
US 8.8.8.8:53 tvpvdilt.info udp
US 8.8.8.8:53 jjvldfhsugn.info udp
US 8.8.8.8:53 iazfhmh.net udp
US 8.8.8.8:53 mrtgnolyhuv.info udp
US 8.8.8.8:53 gxpufsuec.info udp
US 8.8.8.8:53 vcsaumzyc.org udp
US 8.8.8.8:53 yadxtkefpqdf.net udp
US 8.8.8.8:53 iguyyan.net udp
US 8.8.8.8:53 qngitmingp.net udp
US 8.8.8.8:53 ylxplkvhz.net udp
US 8.8.8.8:53 kmummcqsmqck.com udp
US 8.8.8.8:53 wallzptbdew.net udp
US 8.8.8.8:53 ulwprsdpevsj.info udp
US 8.8.8.8:53 fvnvthxadle.net udp
US 8.8.8.8:53 aqgcku.com udp
US 8.8.8.8:53 pqtkzz.net udp
US 8.8.8.8:53 wcsuemgukkca.org udp
US 8.8.8.8:53 qrusxmfds.info udp
US 8.8.8.8:53 hkyabke.org udp
US 8.8.8.8:53 qyjxvcif.net udp
US 8.8.8.8:53 wkzctjjriqnp.net udp
US 8.8.8.8:53 ujkabkb.net udp
RU 37.78.53.100:31421 tcp
US 8.8.8.8:53 rkwlhccy.info udp
US 8.8.8.8:53 plvepgf.com udp
US 8.8.8.8:53 lkekwo.net udp
US 8.8.8.8:53 aoylnk.net udp
US 8.8.8.8:53 gyiusume.org udp
US 8.8.8.8:53 htcopwdnmg.net udp
US 8.8.8.8:53 nthafgeqx.org udp
US 8.8.8.8:53 lhucnlbolq.info udp
US 8.8.8.8:53 opmixh.net udp
US 8.8.8.8:53 vibshiiel.net udp
US 8.8.8.8:53 agppnma.info udp
US 8.8.8.8:53 nozmwsn.net udp
US 8.8.8.8:53 oflyyyvsdgd.net udp
US 8.8.8.8:53 ygjrsynrvk.info udp
US 8.8.8.8:53 nujrrkrmuqt.org udp
US 8.8.8.8:53 exlfvszo.net udp
US 8.8.8.8:53 khhcdwnmzs.net udp
US 8.8.8.8:53 jjqtpeerkb.net udp
US 8.8.8.8:53 ldnwlopctmji.info udp
US 8.8.8.8:53 pbttxi.net udp
US 8.8.8.8:53 sieprydl.net udp
US 8.8.8.8:53 urkcltobhpwf.net udp
US 8.8.8.8:53 jobwrjdaaipt.net udp
US 8.8.8.8:53 pxdecuwucu.info udp
US 8.8.8.8:53 djtznyoy.info udp
US 8.8.8.8:53 ukmuimkmssqi.com udp
US 8.8.8.8:53 oismai.com udp
US 8.8.8.8:53 vybefujybnd.com udp
US 8.8.8.8:53 tpzhdy.info udp
US 8.8.8.8:53 reakzkgq.info udp
US 8.8.8.8:53 otwzrfzurp.net udp
US 8.8.8.8:53 vdpyopgicm.net udp
US 8.8.8.8:53 eheflhppvg.net udp
US 8.8.8.8:53 yilejhoiv.info udp
US 8.8.8.8:53 ewowia.com udp
US 8.8.8.8:53 soetzwjijsg.net udp
US 8.8.8.8:53 cykogcgqqcuu.com udp
US 8.8.8.8:53 ksytlxlmmqqt.net udp
US 8.8.8.8:53 zhpcheuuzzv.net udp
US 8.8.8.8:53 ugjyfpgfl.net udp
US 8.8.8.8:53 yqdptprq.info udp
US 8.8.8.8:53 oxngtxhinvdm.net udp
US 8.8.8.8:53 iutvfgu.net udp
US 8.8.8.8:53 kussaayi.com udp
US 8.8.8.8:53 tnfteszsf.net udp
US 8.8.8.8:53 myrwjqkrwpbk.info udp
US 8.8.8.8:53 ueiscspdhg.info udp
US 8.8.8.8:53 mpkbfsgyp.info udp
MD 94.243.110.54:24785 tcp
US 8.8.8.8:53 wcfnrgfs.net udp
US 8.8.8.8:53 wgacweyssiss.org udp
US 8.8.8.8:53 addypknyj.info udp
US 8.8.8.8:53 brpooxwznc.net udp
US 8.8.8.8:53 qseoumkkca.org udp
US 8.8.8.8:53 tezojqza.info udp
US 8.8.8.8:53 tagipqbef.org udp
US 8.8.8.8:53 prrsxuxdbc.net udp
US 8.8.8.8:53 jebeqcxefee.net udp
US 8.8.8.8:53 qdnmhgdyrit.net udp
US 8.8.8.8:53 dqvctfbckcl.org udp
US 8.8.8.8:53 hqknstusprqr.info udp
US 8.8.8.8:53 qyqigk.com udp
US 8.8.8.8:53 dmppptpv.net udp
US 8.8.8.8:53 gobrgabax.info udp
US 8.8.8.8:53 fyaylmbcb.net udp
US 8.8.8.8:53 gmmecgaw.org udp
US 8.8.8.8:53 vubktulhet.info udp
US 8.8.8.8:53 dytjnq.net udp
US 8.8.8.8:53 novdvyxuzpqq.net udp
US 8.8.8.8:53 tolvztmosvdc.net udp
US 8.8.8.8:53 icnajqztpye.info udp
US 8.8.8.8:53 csqyuqcwys.com udp
US 8.8.8.8:53 ekqaao.com udp
US 8.8.8.8:53 otlwpkaya.net udp
US 8.8.8.8:53 iibwlwkwlv.info udp
US 8.8.8.8:53 jvbzeq.net udp
US 8.8.8.8:53 pubmevfurefz.info udp
US 8.8.8.8:53 xalhadmnyy.net udp
US 8.8.8.8:53 bifytiffy.info udp
US 8.8.8.8:53 rkjyfrxybqd.net udp
US 8.8.8.8:53 mbmaauppwra.net udp
US 8.8.8.8:53 vaqmtrjxg.net udp
US 8.8.8.8:53 nqrqla.info udp
US 8.8.8.8:53 oqwiuwegoq.org udp
US 8.8.8.8:53 narzyojlrmb.org udp
US 8.8.8.8:53 gkuwckaogimo.org udp
US 8.8.8.8:53 hztnzodq.info udp
US 8.8.8.8:53 bshqnaawayg.org udp
MD 93.116.230.64:15294 tcp
US 8.8.8.8:53 epeabyvep.info udp
US 8.8.8.8:53 rjbifug.net udp
US 8.8.8.8:53 iceynpjs.info udp
US 8.8.8.8:53 erdcbqbzp.info udp
US 8.8.8.8:53 kznukgsu.net udp
US 8.8.8.8:53 qxrristtw.info udp
US 8.8.8.8:53 yqdindvszcl.info udp
US 8.8.8.8:53 zwtuwzy.info udp
US 8.8.8.8:53 oezotwvr.info udp
US 8.8.8.8:53 csaeumie.com udp
US 8.8.8.8:53 ldlrgk.info udp
US 8.8.8.8:53 hccvfaoit.net udp
US 8.8.8.8:53 wuwyagsyoiis.org udp
US 8.8.8.8:53 owtumceqt.info udp
US 8.8.8.8:53 cmqmmwwwqwue.org udp
US 8.8.8.8:53 dtzcfjhlbzxf.net udp
US 8.8.8.8:53 kdiczltcyn.info udp
US 8.8.8.8:53 ekjqlqnkzpb.net udp
US 8.8.8.8:53 jpiyjgn.info udp
US 8.8.8.8:53 sgdzhklkvfso.info udp
US 8.8.8.8:53 vcxbjuufzqnu.info udp
US 8.8.8.8:53 skqsiiae.org udp
US 8.8.8.8:53 xzthqed.info udp
US 8.8.8.8:53 jieoujiimk.info udp
US 8.8.8.8:53 rdiunemv.net udp
US 8.8.8.8:53 gfxenmj.info udp
US 8.8.8.8:53 alyypvemovoc.net udp
US 8.8.8.8:53 gyqywbxn.info udp
AZ 188.253.128.101:23377 tcp
US 8.8.8.8:53 cplsriind.net udp
US 8.8.8.8:53 cggkgsaw.com udp
US 8.8.8.8:53 wleiiavobljy.info udp
US 8.8.8.8:53 hpljhaz.net udp
US 8.8.8.8:53 rysoewivqoi.net udp
US 8.8.8.8:53 qlstpgkhcjbu.net udp
US 8.8.8.8:53 qucqee.org udp
US 8.8.8.8:53 jhfuhezrqq.net udp
US 8.8.8.8:53 wccawmmq.org udp
US 8.8.8.8:53 skmqolgkieb.info udp
US 8.8.8.8:53 hugahdzz.info udp
US 8.8.8.8:53 nzitfaav.info udp
US 8.8.8.8:53 lcimughahyi.info udp
US 8.8.8.8:53 tmlmzuryf.net udp
US 8.8.8.8:53 myrozlp.net udp
US 8.8.8.8:53 lktcrbw.com udp
US 8.8.8.8:53 vpnbzghq.info udp
US 8.8.8.8:53 sptclzcqz.net udp
US 8.8.8.8:53 hyjodgw.info udp
US 8.8.8.8:53 hijzlv.net udp
US 8.8.8.8:53 rmngtus.com udp
US 8.8.8.8:53 ykxvjui.info udp
US 8.8.8.8:53 dkdczgl.info udp
US 8.8.8.8:53 zalbqoip.info udp
US 8.8.8.8:53 datfdz.info udp
US 8.8.8.8:53 eaictyqxc.info udp
US 8.8.8.8:53 unaefml.net udp
US 8.8.8.8:53 mpzooqbtun.net udp
US 8.8.8.8:53 sdvejqt.info udp
US 8.8.8.8:53 vgqxvqngngx.info udp
US 8.8.8.8:53 lummpt.info udp
US 8.8.8.8:53 jcibvsfku.org udp
US 8.8.8.8:53 laxvlustvhf.net udp
US 8.8.8.8:53 vlbsriakwwq.com udp
US 8.8.8.8:53 iawiuqqk.org udp

Files

C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe

MD5 1dd5dd5561723f37ccc81e15ecdbf830
SHA1 eeb9131c8d276ceb710d163e89fdc62b3e111971
SHA256 c8c542ac3f6526d1501c2b9d6262bfa029a1ac0d9dd6b3c1965977abdd8bd126
SHA512 b4881d7cd0c2ceeba067e13d23763e739389108d1269acd6c343dd308aa1fedde89da696a8482944342f44ea1094ea6b50021a15d4c6d03762ba032a9598bba5

C:\Windows\SysWOW64\ifzpkzohaqpcfqzzav.exe

MD5 c45c7c3be165367d7676c127dbdc2050
SHA1 0ca4bbd08beb9ce9e8bd6807113345389aa07588
SHA256 7be6ccadfe39aff45029a30fe34b3c87ac49ebbad791c34e2ff8bb30e7e07721
SHA512 d0aa1e6158da64512f9098ed1ae8d33d1882a1c23fb2c7bbbc3a3c0e331355d24dc302ef4f5b778d17f952fdd93adfd5e77fc81c73c5b119793b398edb43bbb3

C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe

MD5 d54c839cd3f9c13e2f65b9fea53f68d9
SHA1 38963222841896b25b894d08633ddee057f07b5a
SHA256 6c8fd7f119877cd7260d19fe38d1a2d4c60bf2da15175b509ba0fb67cc007385
SHA512 809fca4f57a68c2210568348e273ebcb122fd0836523b06e5b06afab2e8d81e73b18cc970d53d5b1a3474013c95906ac53f6bc87ee1d8351428597a373352989

C:\Users\Admin\AppData\Local\fnstzzzdhisqeaufrxhpuvbbb.jku

MD5 97b42c4faf2850d9df9fcb3a90ca8d75
SHA1 1375d516cedd32960692efbe3da1e91f520383bb
SHA256 000bd95d7682a752284b4a8aa594319d5edb4a51eb2931aa3e3ff4d021d2d6bd
SHA512 f0e27d8fe1ee8f1adbf88d6a02785ed3ec96dbe9c4c924d2213e38a9e4604ccfce0172541449b7e17eb12d0113368127cacf0a83b28e46b0f23c1096fd585910

C:\Users\Admin\AppData\Local\kdtfwhshwidmlsxtqhcvlxozkzoavedkpliz.ndp

MD5 e1836595a7c814a2d4fed52db60166a0
SHA1 441368a8e5031d330a1ce1a1fe13030a12005923
SHA256 61c0601ecb78a18508ff1b47e9bd2d4908dca07908a2878fd494714017f3b869
SHA512 5aa7c0ecb627dff68b1c54b4e04c965eb2473f1586e0061ec4c6dcb9b817b292d620283cf159b3a97ae770f9bb47e39dba3766a8aef0f9c3dc9af983b70c44d9

C:\Program Files (x86)\fnstzzzdhisqeaufrxhpuvbbb.jku

MD5 c7c16ba0ad68623f27a47e2870957f8d
SHA1 8ea2254a3d2082029b85699fa22a316a797a38ac
SHA256 d997339a8d65d293bbdf06a018db13764ab64cbd4b9df413b9642e6d6dc3dc98
SHA512 4252fdd0517d7a0f232fe1e448c6bd4e99c98443f09762c3819548269ad0c4ffdb5e721c4ad0a1bc5320203610cad7127c07f23a8951b5ff14a8e24173a1babe

C:\Program Files (x86)\fnstzzzdhisqeaufrxhpuvbbb.jku

MD5 955bab5ab702922791a2c5ccd7a6a042
SHA1 7d1329240a84e679c654ec97868907453782560a
SHA256 1ad3331e039f0770c1aef349746f18c525a0d1e47dcf1c95ad7e920f3be30944
SHA512 47ae8252369292db8184b11c803237883ef50684b9154df9060776b6023d9461e3f914f583d2d55b7668f90b93351045c1186624b949d74eaa6b64e6b8f8e8d4

C:\Program Files (x86)\fnstzzzdhisqeaufrxhpuvbbb.jku

MD5 0634c50b7a388fadd8d1148a7369cef9
SHA1 008b3741e8838cf4d1867d8833c579d4caa65a4b
SHA256 7384078b38fc80757a00d49c6ded146ca46b0004dc71cbbcef345992ef0213f3
SHA512 193980ab6fd46fc6811e21c239d3d3ef9a461d8de0df72bb9700c178ee32c5aa4eca2af1dd68b83160a5ee627e3b281d9785276beee24d0be331c6a57fde866b

C:\Program Files (x86)\fnstzzzdhisqeaufrxhpuvbbb.jku

MD5 8cb2728e73cf33d8da212cd8cb16962f
SHA1 6046fbba156bea7e394587a7796af8d1626131a4
SHA256 35d3310b53829a2d6e3ae2bfc63ec500f52c43491eaec6171eb4d5e26a3a3645
SHA512 8a8f8232cbfeda194cdb502af07dd5a94151790e0ef48d32c2be52b5ad04887c142a83facb7ba53980548b3a754bb8ed4ccbbfbe37516608c06e30d7f2c68225

C:\Program Files (x86)\fnstzzzdhisqeaufrxhpuvbbb.jku

MD5 a39386ad0ee355920372cb9ab66d7414
SHA1 48b9c894ca8a2be8d62bbf84b96ea44a897feb56
SHA256 93abced5d5b948384bd04532bb47156e0778a8de6c88a2474fca070b04c10bcd
SHA512 8c79fcd96f64559d61f288247bf21468bca7e4d36b581891731b1e4773581902e440055671b2075dab45b55cd357130323a976552af05031ec5eb35a23a66be0

C:\Program Files (x86)\fnstzzzdhisqeaufrxhpuvbbb.jku

MD5 ad8dcaf81dd808da9fe533fe9d8bbd80
SHA1 8b649e1ea16e8de8db53b26ad8f0ec6c96621dc3
SHA256 b6c9310dcf061e42a77ff3cf211fcc2b74ed64620986de85f22ff823015b9e1e
SHA512 c971cbb9456799938556131f1233762a3b92f6da339c3e2a03f899aba870fc0e23f79ca06796097d5939c2e05d13c312ed557690689b8e2baf2282234ba6e316