Analysis Overview
SHA256
2e69cd89b60105229d7465e33802b3ff410aa6c470320732b23b88fa48572f9b
Threat Level: Known bad
The file JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1 was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Pykspa family
Modifies WinLogon for persistence
Pykspa
Detect Pykspa worm
Adds policy Run key to start application
Disables RegEdit via registry modification
Impair Defenses: Safe Mode Boot
Executes dropped EXE
Checks computer location settings
Checks whether UAC is enabled
Looks up external IP address via web service
Hijack Execution Flow: Executable Installer File Permissions Weakness
Adds Run key to start application
Drops autorun.inf file
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
System policy modification
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-04-18 00:44
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-04-18 00:44
Reported
2025-04-18 00:47
Platform
win10v2004-20250314-en
Max time kernel
56s
Max time network
151s
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
Pykspa
Pykspa family
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
Detect Pykspa worm
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whhmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\axjarjbrlzrlkraqa.exe" | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jxaiqzip = "tpaqgxodwjatrxfu.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jxaiqzip = "tpaqgxodwjatrxfu.exe" | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jxaiqzip = "wxnidzvpnfbzcnauiqklb.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jxaiqzip = "hhwqkfatqhczblxqdkdd.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whhmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jhumexqhcrkffnxoze.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whhmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tpaqgxodwjatrxfu.exe" | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whhmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uthatnhzvlfbclwoagy.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whhmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wxnidzvpnfbzcnauiqklb.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jxaiqzip = "jhumexqhcrkffnxoze.exe" | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jxaiqzip = "jhumexqhcrkffnxoze.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jxaiqzip = "hhwqkfatqhczblxqdkdd.exe" | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whhmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jhumexqhcrkffnxoze.exe" | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whhmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tpaqgxodwjatrxfu.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whhmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hhwqkfatqhczblxqdkdd.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whhmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\axjarjbrlzrlkraqa.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jxaiqzip = "wxnidzvpnfbzcnauiqklb.exe" | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jxaiqzip = "axjarjbrlzrlkraqa.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whhmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hhwqkfatqhczblxqdkdd.exe" | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Windows\wxnidzvpnfbzcnauiqklb.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Windows\hhwqkfatqhczblxqdkdd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Windows\uthatnhzvlfbclwoagy.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Windows\tpaqgxodwjatrxfu.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Windows\jhumexqhcrkffnxoze.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Windows\axjarjbrlzrlkraqa.exe | N/A |
Executes dropped EXE
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ldkwivitiret = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jhumexqhcrkffnxoze.exe" | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oflwhtfpdlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hhwqkfatqhczblxqdkdd.exe ." | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\htuagn = "jhumexqhcrkffnxoze.exe" | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\htuagn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uthatnhzvlfbclwoagy.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\htuagn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\axjarjbrlzrlkraqa.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oflwhtfpdlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tpaqgxodwjatrxfu.exe ." | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tjoyitenah = "hhwqkfatqhczblxqdkdd.exe ." | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oflwhtfpdlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uthatnhzvlfbclwoagy.exe ." | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aptclvfnz = "tpaqgxodwjatrxfu.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tjoyitenah = "uthatnhzvlfbclwoagy.exe ." | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\uhjqxfn = "jhumexqhcrkffnxoze.exe ." | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aptclvfnz = "jhumexqhcrkffnxoze.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tjoyitenah = "hhwqkfatqhczblxqdkdd.exe ." | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\uhjqxfn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wxnidzvpnfbzcnauiqklb.exe ." | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aptclvfnz = "hhwqkfatqhczblxqdkdd.exe" | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tjoyitenah = "wxnidzvpnfbzcnauiqklb.exe ." | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\htuagn = "jhumexqhcrkffnxoze.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ldkwivitiret = "C:\\Users\\Admin\\AppData\\Local\\Temp\\axjarjbrlzrlkraqa.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oflwhtfpdlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hhwqkfatqhczblxqdkdd.exe ." | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\uhjqxfn = "uthatnhzvlfbclwoagy.exe ." | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tjoyitenah = "jhumexqhcrkffnxoze.exe ." | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ldkwivitiret = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tpaqgxodwjatrxfu.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ldkwivitiret = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wxnidzvpnfbzcnauiqklb.exe" | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\htuagn = "hhwqkfatqhczblxqdkdd.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\htuagn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jhumexqhcrkffnxoze.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oflwhtfpdlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wxnidzvpnfbzcnauiqklb.exe ." | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\uhjqxfn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\axjarjbrlzrlkraqa.exe ." | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\uhjqxfn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tpaqgxodwjatrxfu.exe ." | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\htuagn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tpaqgxodwjatrxfu.exe" | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aptclvfnz = "tpaqgxodwjatrxfu.exe" | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ldkwivitiret = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tpaqgxodwjatrxfu.exe" | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\uhjqxfn = "hhwqkfatqhczblxqdkdd.exe ." | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\htuagn = "axjarjbrlzrlkraqa.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aptclvfnz = "uthatnhzvlfbclwoagy.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oflwhtfpdlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wxnidzvpnfbzcnauiqklb.exe ." | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\uhjqxfn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jhumexqhcrkffnxoze.exe ." | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ldkwivitiret = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wxnidzvpnfbzcnauiqklb.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oflwhtfpdlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uthatnhzvlfbclwoagy.exe ." | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aptclvfnz = "uthatnhzvlfbclwoagy.exe" | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aptclvfnz = "axjarjbrlzrlkraqa.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\uhjqxfn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wxnidzvpnfbzcnauiqklb.exe ." | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\htuagn = "uthatnhzvlfbclwoagy.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\htuagn = "hhwqkfatqhczblxqdkdd.exe" | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ldkwivitiret = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hhwqkfatqhczblxqdkdd.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\uhjqxfn = "hhwqkfatqhczblxqdkdd.exe ." | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tjoyitenah = "tpaqgxodwjatrxfu.exe ." | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\htuagn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hhwqkfatqhczblxqdkdd.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\htuagn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wxnidzvpnfbzcnauiqklb.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
Hijack Execution Flow: Executable Installer File Permissions Weakness
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | www.showmyipaddress.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\jhumexqhcrkffnxoze.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\npgcyvsnmfcbfrfapytvmi.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\jhumexqhcrkffnxoze.exe | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tpaqgxodwjatrxfu.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wxnidzvpnfbzcnauiqklb.exe | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\uthatnhzvlfbclwoagy.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\axjarjbrlzrlkraqa.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\hhwqkfatqhczblxqdkdd.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\axjarjbrlzrlkraqa.exe | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| File created | C:\Windows\SysWOW64\yfbcdfhhljlpypiicqqxtuv.zzd | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wxnidzvpnfbzcnauiqklb.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\uthatnhzvlfbclwoagy.exe | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\npgcyvsnmfcbfrfapytvmi.exe | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\hhwqkfatqhczblxqdkdd.exe | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ldkwivitiretnptejitlseqdqbqzmbvxbm.qbt | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\yfbcdfhhljlpypiicqqxtuv.zzd | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| File created | C:\Program Files (x86)\yfbcdfhhljlpypiicqqxtuv.zzd | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| File opened for modification | C:\Program Files (x86)\ldkwivitiretnptejitlseqdqbqzmbvxbm.qbt | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| File created | C:\Program Files (x86)\ldkwivitiretnptejitlseqdqbqzmbvxbm.qbt | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\axjarjbrlzrlkraqa.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\hhwqkfatqhczblxqdkdd.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\wxnidzvpnfbzcnauiqklb.exe | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| File opened for modification | C:\Windows\jhumexqhcrkffnxoze.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\wxnidzvpnfbzcnauiqklb.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\tpaqgxodwjatrxfu.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\npgcyvsnmfcbfrfapytvmi.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File created | C:\Windows\yfbcdfhhljlpypiicqqxtuv.zzd | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| File opened for modification | C:\Windows\ldkwivitiretnptejitlseqdqbqzmbvxbm.qbt | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| File opened for modification | C:\Windows\hhwqkfatqhczblxqdkdd.exe | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| File opened for modification | C:\Windows\yfbcdfhhljlpypiicqqxtuv.zzd | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| File opened for modification | C:\Windows\jhumexqhcrkffnxoze.exe | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| File opened for modification | C:\Windows\uthatnhzvlfbclwoagy.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\tpaqgxodwjatrxfu.exe | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\wxnidzvpnfbzcnauiqklb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\uthatnhzvlfbclwoagy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\tpaqgxodwjatrxfu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\hhwqkfatqhczblxqdkdd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\axjarjbrlzrlkraqa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\jhumexqhcrkffnxoze.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\whhmr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\uthatnhzvlfbclwoagy.exe*."
C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\axjarjbrlzrlkraqa.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .
C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe
C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe
C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe
C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\uthatnhzvlfbclwoagy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe
C:\Windows\jhumexqhcrkffnxoze.exe
jhumexqhcrkffnxoze.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe .
C:\Windows\hhwqkfatqhczblxqdkdd.exe
hhwqkfatqhczblxqdkdd.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hhwqkfatqhczblxqdkdd.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe .
C:\Windows\tpaqgxodwjatrxfu.exe
tpaqgxodwjatrxfu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe
C:\Windows\tpaqgxodwjatrxfu.exe
tpaqgxodwjatrxfu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wxnidzvpnfbzcnauiqklb.exe
C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe
C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tpaqgxodwjatrxfu.exe*."
C:\Windows\wxnidzvpnfbzcnauiqklb.exe
wxnidzvpnfbzcnauiqklb.exe
C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe
C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wxnidzvpnfbzcnauiqklb.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\uthatnhzvlfbclwoagy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe
C:\Windows\hhwqkfatqhczblxqdkdd.exe
hhwqkfatqhczblxqdkdd.exe
C:\Windows\wxnidzvpnfbzcnauiqklb.exe
wxnidzvpnfbzcnauiqklb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .
C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\wxnidzvpnfbzcnauiqklb.exe*."
C:\Windows\uthatnhzvlfbclwoagy.exe
uthatnhzvlfbclwoagy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe .
C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe
C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe
C:\Windows\jhumexqhcrkffnxoze.exe
jhumexqhcrkffnxoze.exe .
C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe
C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe
C:\Windows\tpaqgxodwjatrxfu.exe
tpaqgxodwjatrxfu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .
C:\Windows\tpaqgxodwjatrxfu.exe
tpaqgxodwjatrxfu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\jhumexqhcrkffnxoze.exe*."
C:\Windows\tpaqgxodwjatrxfu.exe
tpaqgxodwjatrxfu.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\hhwqkfatqhczblxqdkdd.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tpaqgxodwjatrxfu.exe*."
C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe
C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tpaqgxodwjatrxfu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\uthatnhzvlfbclwoagy.exe*."
C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe
C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .
C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe
C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe
C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe
C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .
C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\wxnidzvpnfbzcnauiqklb.exe*."
C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe
C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\wxnidzvpnfbzcnauiqklb.exe*."
C:\Windows\uthatnhzvlfbclwoagy.exe
uthatnhzvlfbclwoagy.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\wxnidzvpnfbzcnauiqklb.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe .
C:\Windows\uthatnhzvlfbclwoagy.exe
uthatnhzvlfbclwoagy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wxnidzvpnfbzcnauiqklb.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\uthatnhzvlfbclwoagy.exe*."
C:\Windows\wxnidzvpnfbzcnauiqklb.exe
wxnidzvpnfbzcnauiqklb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\jhumexqhcrkffnxoze.exe
jhumexqhcrkffnxoze.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\jhumexqhcrkffnxoze.exe*."
C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tpaqgxodwjatrxfu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .
C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe
C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\wxnidzvpnfbzcnauiqklb.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe
C:\Windows\hhwqkfatqhczblxqdkdd.exe
hhwqkfatqhczblxqdkdd.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe .
C:\Windows\hhwqkfatqhczblxqdkdd.exe
hhwqkfatqhczblxqdkdd.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wxnidzvpnfbzcnauiqklb.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hhwqkfatqhczblxqdkdd.exe*."
C:\Windows\wxnidzvpnfbzcnauiqklb.exe
wxnidzvpnfbzcnauiqklb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe
C:\Windows\tpaqgxodwjatrxfu.exe
tpaqgxodwjatrxfu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .
C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe
C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tpaqgxodwjatrxfu.exe*."
C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tpaqgxodwjatrxfu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .
C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe
C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\wxnidzvpnfbzcnauiqklb.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\jhumexqhcrkffnxoze.exe
jhumexqhcrkffnxoze.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe .
C:\Windows\uthatnhzvlfbclwoagy.exe
uthatnhzvlfbclwoagy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\uthatnhzvlfbclwoagy.exe*."
C:\Windows\tpaqgxodwjatrxfu.exe
tpaqgxodwjatrxfu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wxnidzvpnfbzcnauiqklb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe
C:\Windows\wxnidzvpnfbzcnauiqklb.exe
wxnidzvpnfbzcnauiqklb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .
C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe
C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\wxnidzvpnfbzcnauiqklb.exe*."
C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tpaqgxodwjatrxfu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe .
C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe
C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe
C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\axjarjbrlzrlkraqa.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe
C:\Windows\uthatnhzvlfbclwoagy.exe
uthatnhzvlfbclwoagy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe .
C:\Windows\tpaqgxodwjatrxfu.exe
tpaqgxodwjatrxfu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tpaqgxodwjatrxfu.exe*."
C:\Windows\uthatnhzvlfbclwoagy.exe
uthatnhzvlfbclwoagy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wxnidzvpnfbzcnauiqklb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe
C:\Windows\wxnidzvpnfbzcnauiqklb.exe
wxnidzvpnfbzcnauiqklb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe .
C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\wxnidzvpnfbzcnauiqklb.exe*."
C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\axjarjbrlzrlkraqa.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe .
C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe
C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe
C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\jhumexqhcrkffnxoze.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe
C:\Windows\uthatnhzvlfbclwoagy.exe
uthatnhzvlfbclwoagy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe .
C:\Windows\hhwqkfatqhczblxqdkdd.exe
hhwqkfatqhczblxqdkdd.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hhwqkfatqhczblxqdkdd.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe .
C:\Windows\tpaqgxodwjatrxfu.exe
tpaqgxodwjatrxfu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe
C:\Windows\hhwqkfatqhczblxqdkdd.exe
hhwqkfatqhczblxqdkdd.exe .
C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe
C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hhwqkfatqhczblxqdkdd.exe*."
C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe
C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\hhwqkfatqhczblxqdkdd.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .
C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe
C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe
C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tpaqgxodwjatrxfu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe
C:\Windows\hhwqkfatqhczblxqdkdd.exe
hhwqkfatqhczblxqdkdd.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe .
C:\Windows\jhumexqhcrkffnxoze.exe
jhumexqhcrkffnxoze.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\jhumexqhcrkffnxoze.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe .
C:\Windows\hhwqkfatqhczblxqdkdd.exe
hhwqkfatqhczblxqdkdd.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe
C:\Windows\jhumexqhcrkffnxoze.exe
jhumexqhcrkffnxoze.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .
C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\jhumexqhcrkffnxoze.exe*."
C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tpaqgxodwjatrxfu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .
C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wxnidzvpnfbzcnauiqklb.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tpaqgxodwjatrxfu.exe*."
C:\Windows\wxnidzvpnfbzcnauiqklb.exe
wxnidzvpnfbzcnauiqklb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe
C:\Windows\hhwqkfatqhczblxqdkdd.exe
hhwqkfatqhczblxqdkdd.exe .
C:\Windows\uthatnhzvlfbclwoagy.exe
uthatnhzvlfbclwoagy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hhwqkfatqhczblxqdkdd.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c axjarjbrlzrlkraqa.exe
C:\Windows\hhwqkfatqhczblxqdkdd.exe
hhwqkfatqhczblxqdkdd.exe
C:\Windows\tpaqgxodwjatrxfu.exe
tpaqgxodwjatrxfu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe .
C:\Windows\axjarjbrlzrlkraqa.exe
axjarjbrlzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tpaqgxodwjatrxfu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\uthatnhzvlfbclwoagy.exe
uthatnhzvlfbclwoagy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe .
C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe
C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .
C:\Windows\uthatnhzvlfbclwoagy.exe
uthatnhzvlfbclwoagy.exe
C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\uthatnhzvlfbclwoagy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe
C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe
C:\Windows\tpaqgxodwjatrxfu.exe
tpaqgxodwjatrxfu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\hhwqkfatqhczblxqdkdd.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe .
C:\Windows\jhumexqhcrkffnxoze.exe
jhumexqhcrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe
C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .
C:\Windows\jhumexqhcrkffnxoze.exe
jhumexqhcrkffnxoze.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tpaqgxodwjatrxfu.exe*."
C:\Windows\jhumexqhcrkffnxoze.exe
jhumexqhcrkffnxoze.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .
C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\jhumexqhcrkffnxoze.exe*."
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\hhwqkfatqhczblxqdkdd.exe*."
C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe .
C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\jhumexqhcrkffnxoze.exe*."
C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe
C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .
C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe .
C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe
C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .
C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\axjarjbrlzrlkraqa.exe*."
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\wxnidzvpnfbzcnauiqklb.exe*."
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\jhumexqhcrkffnxoze.exe*."
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\uthatnhzvlfbclwoagy.exe*."
C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe
C:\Windows\uthatnhzvlfbclwoagy.exe
uthatnhzvlfbclwoagy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c axjarjbrlzrlkraqa.exe .
C:\Windows\axjarjbrlzrlkraqa.exe
axjarjbrlzrlkraqa.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\axjarjbrlzrlkraqa.exe*."
C:\Windows\jhumexqhcrkffnxoze.exe
jhumexqhcrkffnxoze.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe
C:\Windows\hhwqkfatqhczblxqdkdd.exe
hhwqkfatqhczblxqdkdd.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .
C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hhwqkfatqhczblxqdkdd.exe*."
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\uthatnhzvlfbclwoagy.exe*."
C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe
C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .
C:\Windows\wxnidzvpnfbzcnauiqklb.exe
wxnidzvpnfbzcnauiqklb.exe
C:\Windows\wxnidzvpnfbzcnauiqklb.exe
wxnidzvpnfbzcnauiqklb.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\uthatnhzvlfbclwoagy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\wxnidzvpnfbzcnauiqklb.exe*."
C:\Windows\uthatnhzvlfbclwoagy.exe
uthatnhzvlfbclwoagy.exe
C:\Windows\wxnidzvpnfbzcnauiqklb.exe
wxnidzvpnfbzcnauiqklb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe .
C:\Windows\uthatnhzvlfbclwoagy.exe
uthatnhzvlfbclwoagy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\uthatnhzvlfbclwoagy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe .
C:\Windows\hhwqkfatqhczblxqdkdd.exe
hhwqkfatqhczblxqdkdd.exe
C:\Windows\hhwqkfatqhczblxqdkdd.exe
hhwqkfatqhczblxqdkdd.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe
C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe
C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hhwqkfatqhczblxqdkdd.exe*."
C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe
C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\wxnidzvpnfbzcnauiqklb.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .
C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe
C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\wxnidzvpnfbzcnauiqklb.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c axjarjbrlzrlkraqa.exe
C:\Windows\axjarjbrlzrlkraqa.exe
axjarjbrlzrlkraqa.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe .
C:\Windows\jhumexqhcrkffnxoze.exe
jhumexqhcrkffnxoze.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\jhumexqhcrkffnxoze.exe*."
C:\Windows\tpaqgxodwjatrxfu.exe
tpaqgxodwjatrxfu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe
C:\Windows\hhwqkfatqhczblxqdkdd.exe
hhwqkfatqhczblxqdkdd.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe
C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hhwqkfatqhczblxqdkdd.exe*."
C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe
C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\uthatnhzvlfbclwoagy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe .
C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\jhumexqhcrkffnxoze.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe
C:\Windows\hhwqkfatqhczblxqdkdd.exe
hhwqkfatqhczblxqdkdd.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe .
C:\Windows\uthatnhzvlfbclwoagy.exe
uthatnhzvlfbclwoagy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c axjarjbrlzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\uthatnhzvlfbclwoagy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe .
C:\Windows\axjarjbrlzrlkraqa.exe
axjarjbrlzrlkraqa.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe
C:\Windows\hhwqkfatqhczblxqdkdd.exe
hhwqkfatqhczblxqdkdd.exe .
C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe
C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hhwqkfatqhczblxqdkdd.exe*."
C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe
C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\uthatnhzvlfbclwoagy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe .
C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe
C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe
C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\jhumexqhcrkffnxoze.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe
C:\Windows\hhwqkfatqhczblxqdkdd.exe
hhwqkfatqhczblxqdkdd.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe .
C:\Windows\tpaqgxodwjatrxfu.exe
tpaqgxodwjatrxfu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tpaqgxodwjatrxfu.exe*."
C:\Windows\uthatnhzvlfbclwoagy.exe
uthatnhzvlfbclwoagy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe
C:\Windows\hhwqkfatqhczblxqdkdd.exe
hhwqkfatqhczblxqdkdd.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .
C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hhwqkfatqhczblxqdkdd.exe*."
C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tpaqgxodwjatrxfu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe
C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\hhwqkfatqhczblxqdkdd.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c axjarjbrlzrlkraqa.exe
C:\Windows\axjarjbrlzrlkraqa.exe
axjarjbrlzrlkraqa.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe .
C:\Windows\tpaqgxodwjatrxfu.exe
tpaqgxodwjatrxfu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tpaqgxodwjatrxfu.exe*."
C:\Windows\uthatnhzvlfbclwoagy.exe
uthatnhzvlfbclwoagy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\hhwqkfatqhczblxqdkdd.exe
hhwqkfatqhczblxqdkdd.exe .
C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe
C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hhwqkfatqhczblxqdkdd.exe*."
C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\axjarjbrlzrlkraqa.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .
C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe
C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe
C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe
C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\hhwqkfatqhczblxqdkdd.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe
C:\Windows\tpaqgxodwjatrxfu.exe
tpaqgxodwjatrxfu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c axjarjbrlzrlkraqa.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\axjarjbrlzrlkraqa.exe
axjarjbrlzrlkraqa.exe .
C:\Windows\uthatnhzvlfbclwoagy.exe
uthatnhzvlfbclwoagy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\axjarjbrlzrlkraqa.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe .
C:\Windows\jhumexqhcrkffnxoze.exe
jhumexqhcrkffnxoze.exe
C:\Windows\hhwqkfatqhczblxqdkdd.exe
hhwqkfatqhczblxqdkdd.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c axjarjbrlzrlkraqa.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\uthatnhzvlfbclwoagy.exe
uthatnhzvlfbclwoagy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hhwqkfatqhczblxqdkdd.exe*."
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c axjarjbrlzrlkraqa.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe
C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\uthatnhzvlfbclwoagy.exe*."
C:\Windows\tpaqgxodwjatrxfu.exe
tpaqgxodwjatrxfu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe
C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .
C:\Windows\axjarjbrlzrlkraqa.exe
axjarjbrlzrlkraqa.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe
C:\Windows\uthatnhzvlfbclwoagy.exe
uthatnhzvlfbclwoagy.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tpaqgxodwjatrxfu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe .
C:\Windows\axjarjbrlzrlkraqa.exe
axjarjbrlzrlkraqa.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\uthatnhzvlfbclwoagy.exe*."
C:\Windows\hhwqkfatqhczblxqdkdd.exe
hhwqkfatqhczblxqdkdd.exe
C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe
C:\Windows\jhumexqhcrkffnxoze.exe
jhumexqhcrkffnxoze.exe .
C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe .
C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe
C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe
C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\axjarjbrlzrlkraqa.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .
C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe
C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tpaqgxodwjatrxfu.exe*."
C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe
C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\jhumexqhcrkffnxoze.exe*."
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\jhumexqhcrkffnxoze.exe*."
Network
| Country | Destination | Domain | Proto |
Files
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
C:\Windows\SysWOW64\jhumexqhcrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\whhmr.exe
C:\Users\Admin\AppData\Local\ldkwivitiretnptejitlseqdqbqzmbvxbm.qbt
C:\Users\Admin\AppData\Local\yfbcdfhhljlpypiicqqxtuv.zzd
C:\Program Files (x86)\yfbcdfhhljlpypiicqqxtuv.zzd
Analysis: behavioral2
Detonation Overview
Submitted
2025-04-18 00:44
Reported
2025-04-18 00:47
Platform
win11-20250411-en
Max time kernel
60s
Max time network
150s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
Pykspa
Pykspa family
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
Detect Pykspa worm
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zorcpuhqy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zwhavidukxouzbthl.exe" | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zorcpuhqy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gguqoecwpfziqvqhozcc.exe" | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kciwmukwhpbc = "tsfaxmjcujckrvpflvx.exe" | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kciwmukwhpbc = "igsmiwskbphouxqfkt.exe" | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kciwmukwhpbc = "soyqkwqgvhxcghyl.exe" | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zorcpuhqy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\soyqkwqgvhxcghyl.exe" | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kciwmukwhpbc = "gguqoecwpfziqvqhozcc.exe" | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kciwmukwhpbc = "zwhavidukxouzbthl.exe" | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zorcpuhqy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tsfaxmjcujckrvpflvx.exe" | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zorcpuhqy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tsfaxmjcujckrvpflvx.exe" | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zorcpuhqy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\igsmiwskbphouxqfkt.exe" | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kciwmukwhpbc = "igsmiwskbphouxqfkt.exe" | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zorcpuhqy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\igsmiwskbphouxqfkt.exe" | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zorcpuhqy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vwlihyxsmdyirxtltfjkz.exe" | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kciwmukwhpbc = "vwlihyxsmdyirxtltfjkz.exe" | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kciwmukwhpbc = "vwlihyxsmdyirxtltfjkz.exe" | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zorcpuhqy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zwhavidukxouzbthl.exe" | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kciwmukwhpbc = "soyqkwqgvhxcghyl.exe" | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zorcpuhqy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gguqoecwpfziqvqhozcc.exe" | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zorcpuhqy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vwlihyxsmdyirxtltfjkz.exe" | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kciwmukwhpbc = "tsfaxmjcujckrvpflvx.exe" | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kciwmukwhpbc = "zwhavidukxouzbthl.exe" | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
Executes dropped EXE
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nejwlshscju = "C:\\Users\\Admin\\AppData\\Local\\Temp\\soyqkwqgvhxcghyl.exe ." | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Run\jcjypypcoxkmn = "igsmiwskbphouxqfkt.exe" | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Run\jcjypypcoxkmn = "tsfaxmjcujckrvpflvx.exe" | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Run\simymsgqzf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vwlihyxsmdyirxtltfjkz.exe" | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nejwlshscju = "C:\\Users\\Admin\\AppData\\Local\\Temp\\soyqkwqgvhxcghyl.exe ." | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\soyqkwqgvhxcghyl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vwlihyxsmdyirxtltfjkz.exe" | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\simymsgqzf = "gguqoecwpfziqvqhozcc.exe" | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nejwlshscju = "C:\\Users\\Admin\\AppData\\Local\\Temp\\igsmiwskbphouxqfkt.exe ." | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nejwlshscju = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tsfaxmjcujckrvpflvx.exe ." | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nejwlshscju = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gguqoecwpfziqvqhozcc.exe ." | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nejwlshscju = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vwlihyxsmdyirxtltfjkz.exe ." | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\niribmfuitimppf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\igsmiwskbphouxqfkt.exe ." | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\soyqkwqgvhxcghyl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\soyqkwqgvhxcghyl.exe" | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\soyqkwqgvhxcghyl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zwhavidukxouzbthl.exe" | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\kemcuewkxhvyaz = "soyqkwqgvhxcghyl.exe ." | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Run\jcjypypcoxkmn = "zwhavidukxouzbthl.exe" | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\kemcuewkxhvyaz = "igsmiwskbphouxqfkt.exe ." | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nejwlshscju = "zwhavidukxouzbthl.exe ." | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nejwlshscju = "igsmiwskbphouxqfkt.exe ." | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nejwlshscju = "tsfaxmjcujckrvpflvx.exe ." | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Run\jcjypypcoxkmn = "soyqkwqgvhxcghyl.exe" | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Run\jcjypypcoxkmn = "tsfaxmjcujckrvpflvx.exe" | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nejwlshscju = "zwhavidukxouzbthl.exe ." | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\simymsgqzf = "vwlihyxsmdyirxtltfjkz.exe" | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nejwlshscju = "tsfaxmjcujckrvpflvx.exe ." | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\kemcuewkxhvyaz = "tsfaxmjcujckrvpflvx.exe ." | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Run\simymsgqzf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tsfaxmjcujckrvpflvx.exe" | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\soyqkwqgvhxcghyl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tsfaxmjcujckrvpflvx.exe" | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Run\jcjypypcoxkmn = "soyqkwqgvhxcghyl.exe" | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nejwlshscju = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zwhavidukxouzbthl.exe ." | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Run\simymsgqzf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\soyqkwqgvhxcghyl.exe" | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nejwlshscju = "soyqkwqgvhxcghyl.exe ." | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\kemcuewkxhvyaz = "vwlihyxsmdyirxtltfjkz.exe ." | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nejwlshscju = "C:\\Users\\Admin\\AppData\\Local\\Temp\\igsmiwskbphouxqfkt.exe ." | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Run\simymsgqzf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zwhavidukxouzbthl.exe" | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nejwlshscju = "vwlihyxsmdyirxtltfjkz.exe ." | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Run\jcjypypcoxkmn = "zwhavidukxouzbthl.exe" | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\niribmfuitimppf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zwhavidukxouzbthl.exe ." | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\kemcuewkxhvyaz = "igsmiwskbphouxqfkt.exe ." | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\niribmfuitimppf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\soyqkwqgvhxcghyl.exe ." | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Run\jcjypypcoxkmn = "gguqoecwpfziqvqhozcc.exe" | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\simymsgqzf = "soyqkwqgvhxcghyl.exe" | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nejwlshscju = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vwlihyxsmdyirxtltfjkz.exe ." | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nejwlshscju = "gguqoecwpfziqvqhozcc.exe ." | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
Hijack Execution Flow: Executable Installer File Permissions Weakness
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | www.showmyipaddress.com | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File created | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
| File opened for modification | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
| File created | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
| File opened for modification | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\tsfaxmjcujckrvpflvx.exe | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\igsmiwskbphouxqfkt.exe | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\moeccuuqldzkubyransuki.exe | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\soyqkwqgvhxcghyl.exe | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zwhavidukxouzbthl.exe | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\soyqkwqgvhxcghyl.exe | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gguqoecwpfziqvqhozcc.exe | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wcwycyccbxxmalmjwnwcwy.ycc | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gguqoecwpfziqvqhozcc.exe | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vwlihyxsmdyirxtltfjkz.exe | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\moeccuuqldzkubyransuki.exe | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\soyqkwqgvhxcghyl.exe | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\moeccuuqldzkubyransuki.exe | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vwlihyxsmdyirxtltfjkz.exe | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gguqoecwpfziqvqhozcc.exe | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\igsmiwskbphouxqfkt.exe | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tsfaxmjcujckrvpflvx.exe | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\wcwycyccbxxmalmjwnwcwy.ycc | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
| File created | C:\Program Files (x86)\wcwycyccbxxmalmjwnwcwy.ycc | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
| File opened for modification | C:\Program Files (x86)\nejwlshscjuutpbjhjduzmbixiszkkjfr.xzt | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
| File created | C:\Program Files (x86)\nejwlshscjuutpbjhjduzmbixiszkkjfr.xzt | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\igsmiwskbphouxqfkt.exe | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
| File opened for modification | C:\Windows\moeccuuqldzkubyransuki.exe | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
| File opened for modification | C:\Windows\zwhavidukxouzbthl.exe | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| File opened for modification | C:\Windows\soyqkwqgvhxcghyl.exe | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| File opened for modification | C:\Windows\igsmiwskbphouxqfkt.exe | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| File opened for modification | C:\Windows\gguqoecwpfziqvqhozcc.exe | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| File opened for modification | C:\Windows\vwlihyxsmdyirxtltfjkz.exe | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| File opened for modification | C:\Windows\moeccuuqldzkubyransuki.exe | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| File opened for modification | C:\Windows\tsfaxmjcujckrvpflvx.exe | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| File opened for modification | C:\Windows\tsfaxmjcujckrvpflvx.exe | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
| File created | C:\Windows\wcwycyccbxxmalmjwnwcwy.ycc | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
| File opened for modification | C:\Windows\soyqkwqgvhxcghyl.exe | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
| File opened for modification | C:\Windows\nejwlshscjuutpbjhjduzmbixiszkkjfr.xzt | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
| File opened for modification | C:\Windows\zwhavidukxouzbthl.exe | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\vwlihyxsmdyirxtltfjkz.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\igsmiwskbphouxqfkt.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\gguqoecwpfziqvqhozcc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\soyqkwqgvhxcghyl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\tsfaxmjcujckrvpflvx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\zwhavidukxouzbthl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\tghqbep.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\igsmiwskbphouxqfkt.exe*."
C:\Windows\tsfaxmjcujckrvpflvx.exe
tsfaxmjcujckrvpflvx.exe .
C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe
C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe
C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe
C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe
C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe
C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe
C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\tsfaxmjcujckrvpflvx.exe*."
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\igsmiwskbphouxqfkt.exe*."
C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe
C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe
C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe
C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\tsfaxmjcujckrvpflvx.exe*."
C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe
C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe .
C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe
C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .
C:\Windows\gguqoecwpfziqvqhozcc.exe
gguqoecwpfziqvqhozcc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vwlihyxsmdyirxtltfjkz.exe .
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\igsmiwskbphouxqfkt.exe*."
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\soyqkwqgvhxcghyl.exe*."
C:\Windows\vwlihyxsmdyirxtltfjkz.exe
vwlihyxsmdyirxtltfjkz.exe .
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\vwlihyxsmdyirxtltfjkz.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe
C:\Windows\gguqoecwpfziqvqhozcc.exe
gguqoecwpfziqvqhozcc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zwhavidukxouzbthl.exe .
C:\Windows\zwhavidukxouzbthl.exe
zwhavidukxouzbthl.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\zwhavidukxouzbthl.exe*."
C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe
C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe .
C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe
C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe .
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\soyqkwqgvhxcghyl.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe
C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe
C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .
C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe
C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\igsmiwskbphouxqfkt.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe
C:\Windows\tsfaxmjcujckrvpflvx.exe
tsfaxmjcujckrvpflvx.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe .
C:\Windows\gguqoecwpfziqvqhozcc.exe
gguqoecwpfziqvqhozcc.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\gguqoecwpfziqvqhozcc.exe*."
C:\Windows\tsfaxmjcujckrvpflvx.exe
tsfaxmjcujckrvpflvx.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe .
C:\Windows\igsmiwskbphouxqfkt.exe
igsmiwskbphouxqfkt.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe
C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\igsmiwskbphouxqfkt.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .
C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe
C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\tsfaxmjcujckrvpflvx.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe
C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe
C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .
C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe
C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\tsfaxmjcujckrvpflvx.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe
C:\Windows\igsmiwskbphouxqfkt.exe
igsmiwskbphouxqfkt.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zwhavidukxouzbthl.exe .
C:\Windows\zwhavidukxouzbthl.exe
zwhavidukxouzbthl.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\zwhavidukxouzbthl.exe*."
C:\Windows\tsfaxmjcujckrvpflvx.exe
tsfaxmjcujckrvpflvx.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe .
C:\Windows\tsfaxmjcujckrvpflvx.exe
tsfaxmjcujckrvpflvx.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe
C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe
C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\tsfaxmjcujckrvpflvx.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe .
C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe
C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe .
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\vwlihyxsmdyirxtltfjkz.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe
C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe
C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .
C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe
C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\gguqoecwpfziqvqhozcc.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe
C:\Windows\tsfaxmjcujckrvpflvx.exe
tsfaxmjcujckrvpflvx.exe
C:\Windows\tsfaxmjcujckrvpflvx.exe
tsfaxmjcujckrvpflvx.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zwhavidukxouzbthl.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\zwhavidukxouzbthl.exe
zwhavidukxouzbthl.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe .
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\zwhavidukxouzbthl.exe*."
C:\Windows\gguqoecwpfziqvqhozcc.exe
gguqoecwpfziqvqhozcc.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vwlihyxsmdyirxtltfjkz.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zwhavidukxouzbthl.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\gguqoecwpfziqvqhozcc.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .
C:\Windows\tsfaxmjcujckrvpflvx.exe
tsfaxmjcujckrvpflvx.exe
C:\Windows\vwlihyxsmdyirxtltfjkz.exe
vwlihyxsmdyirxtltfjkz.exe .
C:\Windows\igsmiwskbphouxqfkt.exe
igsmiwskbphouxqfkt.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe
C:\Windows\zwhavidukxouzbthl.exe
zwhavidukxouzbthl.exe .
C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe
C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe
C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe
C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .
C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe
C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\vwlihyxsmdyirxtltfjkz.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c soyqkwqgvhxcghyl.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe
C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe
C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\zwhavidukxouzbthl.exe*."
C:\Windows\gguqoecwpfziqvqhozcc.exe
gguqoecwpfziqvqhozcc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\gguqoecwpfziqvqhozcc.exe*."
C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe
C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\igsmiwskbphouxqfkt.exe*."
C:\Windows\soyqkwqgvhxcghyl.exe
soyqkwqgvhxcghyl.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zwhavidukxouzbthl.exe .
C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe
C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe
C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe
C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .
C:\Windows\gguqoecwpfziqvqhozcc.exe
gguqoecwpfziqvqhozcc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\soyqkwqgvhxcghyl.exe*."
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe
C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe .
C:\Windows\zwhavidukxouzbthl.exe
zwhavidukxouzbthl.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\tsfaxmjcujckrvpflvx.exe*."
C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe
C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\soyqkwqgvhxcghyl.exe*."
C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe
C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe .
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\zwhavidukxouzbthl.exe*."
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\vwlihyxsmdyirxtltfjkz.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .
C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe
C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe
C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe
C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\tsfaxmjcujckrvpflvx.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c soyqkwqgvhxcghyl.exe
C:\Windows\soyqkwqgvhxcghyl.exe
soyqkwqgvhxcghyl.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zwhavidukxouzbthl.exe .
C:\Windows\zwhavidukxouzbthl.exe
zwhavidukxouzbthl.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\zwhavidukxouzbthl.exe*."
C:\Windows\tsfaxmjcujckrvpflvx.exe
tsfaxmjcujckrvpflvx.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vwlihyxsmdyirxtltfjkz.exe .
C:\Windows\vwlihyxsmdyirxtltfjkz.exe
vwlihyxsmdyirxtltfjkz.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe
C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe
C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\vwlihyxsmdyirxtltfjkz.exe*."
C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe
C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\gguqoecwpfziqvqhozcc.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe
C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe
C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .
C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe
C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\gguqoecwpfziqvqhozcc.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vwlihyxsmdyirxtltfjkz.exe
C:\Windows\vwlihyxsmdyirxtltfjkz.exe
vwlihyxsmdyirxtltfjkz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe .
C:\Windows\igsmiwskbphouxqfkt.exe
igsmiwskbphouxqfkt.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\igsmiwskbphouxqfkt.exe*."
C:\Windows\tsfaxmjcujckrvpflvx.exe
tsfaxmjcujckrvpflvx.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe .
C:\Windows\tsfaxmjcujckrvpflvx.exe
tsfaxmjcujckrvpflvx.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe
C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe
C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe .
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\tsfaxmjcujckrvpflvx.exe*."
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe
C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe .
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\vwlihyxsmdyirxtltfjkz.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe
C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe
C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .
C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe
C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\gguqoecwpfziqvqhozcc.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zwhavidukxouzbthl.exe
C:\Windows\zwhavidukxouzbthl.exe
zwhavidukxouzbthl.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zwhavidukxouzbthl.exe .
C:\Windows\zwhavidukxouzbthl.exe
zwhavidukxouzbthl.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\zwhavidukxouzbthl.exe*."
C:\Windows\igsmiwskbphouxqfkt.exe
igsmiwskbphouxqfkt.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zwhavidukxouzbthl.exe .
C:\Windows\zwhavidukxouzbthl.exe
zwhavidukxouzbthl.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\zwhavidukxouzbthl.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .
C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe
C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe
C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe
C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\igsmiwskbphouxqfkt.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe
C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe
C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe .
C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe
C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe .
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\vwlihyxsmdyirxtltfjkz.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c soyqkwqgvhxcghyl.exe
C:\Windows\soyqkwqgvhxcghyl.exe
soyqkwqgvhxcghyl.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe .
C:\Windows\igsmiwskbphouxqfkt.exe
igsmiwskbphouxqfkt.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\igsmiwskbphouxqfkt.exe*."
C:\Windows\igsmiwskbphouxqfkt.exe
igsmiwskbphouxqfkt.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe .
C:\Windows\tsfaxmjcujckrvpflvx.exe
tsfaxmjcujckrvpflvx.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe
C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe
C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe .
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\tsfaxmjcujckrvpflvx.exe*."
C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe
C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe .
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\zwhavidukxouzbthl.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe
C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe
C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .
C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe
C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\tsfaxmjcujckrvpflvx.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c soyqkwqgvhxcghyl.exe
C:\Windows\soyqkwqgvhxcghyl.exe
soyqkwqgvhxcghyl.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe .
C:\Windows\tsfaxmjcujckrvpflvx.exe
tsfaxmjcujckrvpflvx.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\tsfaxmjcujckrvpflvx.exe*."
C:\Windows\igsmiwskbphouxqfkt.exe
igsmiwskbphouxqfkt.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe .
C:\Windows\tsfaxmjcujckrvpflvx.exe
tsfaxmjcujckrvpflvx.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe
C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\tsfaxmjcujckrvpflvx.exe*."
C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe
C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\gguqoecwpfziqvqhozcc.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe
C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe
C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .
C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe
C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\gguqoecwpfziqvqhozcc.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\gguqoecwpfziqvqhozcc.exe
gguqoecwpfziqvqhozcc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe .
C:\Windows\igsmiwskbphouxqfkt.exe
igsmiwskbphouxqfkt.exe .
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\igsmiwskbphouxqfkt.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vwlihyxsmdyirxtltfjkz.exe
C:\Windows\vwlihyxsmdyirxtltfjkz.exe
vwlihyxsmdyirxtltfjkz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c soyqkwqgvhxcghyl.exe .
C:\Windows\soyqkwqgvhxcghyl.exe
soyqkwqgvhxcghyl.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe
C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe
C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\soyqkwqgvhxcghyl.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .
C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe
C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\zwhavidukxouzbthl.exe*."
C:\Windows\tsfaxmjcujckrvpflvx.exe
tsfaxmjcujckrvpflvx.exe
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\igsmiwskbphouxqfkt.exe*."
C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe
C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe .
C:\Windows\gguqoecwpfziqvqhozcc.exe
gguqoecwpfziqvqhozcc.exe .
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\igsmiwskbphouxqfkt.exe*."
C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe
C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe
C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe
C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .
C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe
C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe .
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\igsmiwskbphouxqfkt.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\gguqoecwpfziqvqhozcc.exe*."
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\vwlihyxsmdyirxtltfjkz.exe*."
C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe
C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe
C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\tsfaxmjcujckrvpflvx.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zwhavidukxouzbthl.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\zwhavidukxouzbthl.exe
zwhavidukxouzbthl.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe .
C:\Windows\gguqoecwpfziqvqhozcc.exe
gguqoecwpfziqvqhozcc.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c soyqkwqgvhxcghyl.exe
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\gguqoecwpfziqvqhozcc.exe*."
C:\Windows\soyqkwqgvhxcghyl.exe
soyqkwqgvhxcghyl.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe .
C:\Windows\tsfaxmjcujckrvpflvx.exe
tsfaxmjcujckrvpflvx.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe
C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe
C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\tsfaxmjcujckrvpflvx.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .
C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe
C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\gguqoecwpfziqvqhozcc.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe
C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe
C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe
C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe .
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\zwhavidukxouzbthl.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe
C:\Windows\gguqoecwpfziqvqhozcc.exe
gguqoecwpfziqvqhozcc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\igsmiwskbphouxqfkt.exe
igsmiwskbphouxqfkt.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\igsmiwskbphouxqfkt.exe*."
C:\Windows\igsmiwskbphouxqfkt.exe
igsmiwskbphouxqfkt.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe .
C:\Windows\igsmiwskbphouxqfkt.exe
igsmiwskbphouxqfkt.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\igsmiwskbphouxqfkt.exe*."
C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe
C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe
C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\gguqoecwpfziqvqhozcc.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe
C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe
C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .
C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe
C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\tsfaxmjcujckrvpflvx.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe
C:\Windows\igsmiwskbphouxqfkt.exe
igsmiwskbphouxqfkt.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe .
C:\Windows\gguqoecwpfziqvqhozcc.exe
gguqoecwpfziqvqhozcc.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\gguqoecwpfziqvqhozcc.exe*."
C:\Windows\igsmiwskbphouxqfkt.exe
igsmiwskbphouxqfkt.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vwlihyxsmdyirxtltfjkz.exe .
C:\Windows\vwlihyxsmdyirxtltfjkz.exe
vwlihyxsmdyirxtltfjkz.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe
C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe
C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\vwlihyxsmdyirxtltfjkz.exe*."
C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe
C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\tsfaxmjcujckrvpflvx.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe
C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe
C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .
C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe
C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\igsmiwskbphouxqfkt.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zwhavidukxouzbthl.exe
C:\Windows\zwhavidukxouzbthl.exe
zwhavidukxouzbthl.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe .
C:\Windows\igsmiwskbphouxqfkt.exe
igsmiwskbphouxqfkt.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c soyqkwqgvhxcghyl.exe
C:\Windows\soyqkwqgvhxcghyl.exe
soyqkwqgvhxcghyl.exe
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe
"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\igsmiwskbphouxqfkt.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zwhavidukxouzbthl.exe
C:\Windows\zwhavidukxouzbthl.exe
zwhavidukxouzbthl.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vwlihyxsmdyirxtltfjkz.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe .
C:\Windows\vwlihyxsmdyirxtltfjkz.exe
vwlihyxsmdyirxtltfjkz.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe
C:\Windows\tsfaxmjcujckrvpflvx.exe
tsfaxmjcujckrvpflvx.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe .
Network
Files