Analysis Overview
SHA256
a7ba2a0628020aa108b91798907146015ab98527a7b59ac8836865c6d9e1e12b
Threat Level: Known bad
The file JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02 was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Modifies WinLogon for persistence
Pykspa family
Pykspa
Detect Pykspa worm
Disables RegEdit via registry modification
Adds policy Run key to start application
Checks computer location settings
Impair Defenses: Safe Mode Boot
Executes dropped EXE
Adds Run key to start application
Hijack Execution Flow: Executable Installer File Permissions Weakness
Looks up external IP address via web service
Checks whether UAC is enabled
Drops autorun.inf file
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
System policy modification
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-04-18 11:49
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2025-04-18 11:49
Reported
2025-04-18 11:51
Platform
win11-20250410-en
Max time kernel
58s
Max time network
151s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
Pykspa
Pykspa family
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
Detect Pykspa worm
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ugqwbck = "awqgvgyumzxopgcpy.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nwdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wwuohwssofhchcctggkki.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ugqwbck = "awqgvgyumzxopgcpy.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nwdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hgdwocxwrhicgazpbadc.exe" | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ugqwbck = "hgdwocxwrhicgazpbadc.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nwdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wwuohwssofhchcctggkki.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ugqwbck = "hgdwocxwrhicgazpbadc.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ugqwbck = "wwuohwssofhchcctggkki.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nwdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wwuohwssofhchcctggkki.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ugqwbck = "jgbsiunkdrqikcznxu.exe" | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nwdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\usogxkecwllehaynywy.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ugqwbck = "jgbsiunkdrqikcznxu.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ugqwbck = "tohwkulgxjgwwmht.exe" | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nwdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jgbsiunkdrqikcznxu.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ugqwbck = "hgdwocxwrhicgazpbadc.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ugqwbck = "usogxkecwllehaynywy.exe" | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nwdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tohwkulgxjgwwmht.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ugqwbck = "jgbsiunkdrqikcznxu.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nwdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\awqgvgyumzxopgcpy.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nwdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jgbsiunkdrqikcznxu.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ugqwbck = "tohwkulgxjgwwmht.exe" | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nwdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wwuohwssofhchcctggkki.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nwdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hgdwocxwrhicgazpbadc.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nwdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\usogxkecwllehaynywy.exe" | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nwdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hgdwocxwrhicgazpbadc.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ugqwbck = "wwuohwssofhchcctggkki.exe" | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ugqwbck = "awqgvgyumzxopgcpy.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nwdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\usogxkecwllehaynywy.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nwdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hgdwocxwrhicgazpbadc.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ugqwbck = "jgbsiunkdrqikcznxu.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ugqwbck = "wwuohwssofhchcctggkki.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nwdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tohwkulgxjgwwmht.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ugqwbck = "hgdwocxwrhicgazpbadc.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nwdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wwuohwssofhchcctggkki.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ugqwbck = "jgbsiunkdrqikcznxu.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ugqwbck = "wwuohwssofhchcctggkki.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ugqwbck = "awqgvgyumzxopgcpy.exe" | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ugqwbck = "usogxkecwllehaynywy.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ugqwbck = "awqgvgyumzxopgcpy.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nwdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tohwkulgxjgwwmht.exe" | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nwdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\awqgvgyumzxopgcpy.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nwdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hgdwocxwrhicgazpbadc.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nwdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\awqgvgyumzxopgcpy.exe" | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
Executes dropped EXE
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tivemqbqbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\usogxkecwllehaynywy.exe ." | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hsbgkk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hgdwocxwrhicgazpbadc.exe ." | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hsbgkk = "jgbsiunkdrqikcznxu.exe ." | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tivemqbqbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wwuohwssofhchcctggkki.exe ." | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tivemqbqbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jgbsiunkdrqikcznxu.exe ." | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wgosv = "usogxkecwllehaynywy.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tivemqbqbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tohwkulgxjgwwmht.exe ." | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\wgosv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tohwkulgxjgwwmht.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\wgosv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hgdwocxwrhicgazpbadc.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\wgosv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jgbsiunkdrqikcznxu.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\aoaipscqa = "tohwkulgxjgwwmht.exe ." | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\jwhouwfs = "tohwkulgxjgwwmht.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hsbgkk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jgbsiunkdrqikcznxu.exe ." | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\jwhouwfs = "jgbsiunkdrqikcznxu.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wgosv = "jgbsiunkdrqikcznxu.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oesclqcseld = "C:\\Users\\Admin\\AppData\\Local\\Temp\\awqgvgyumzxopgcpy.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tivemqbqbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\usogxkecwllehaynywy.exe ." | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\aoaipscqa = "usogxkecwllehaynywy.exe ." | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\aoaipscqa = "awqgvgyumzxopgcpy.exe ." | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wgosv = "wwuohwssofhchcctggkki.exe" | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hsbgkk = "tohwkulgxjgwwmht.exe ." | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hsbgkk = "usogxkecwllehaynywy.exe ." | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oesclqcseld = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tohwkulgxjgwwmht.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hsbgkk = "jgbsiunkdrqikcznxu.exe ." | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hsbgkk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\awqgvgyumzxopgcpy.exe ." | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tivemqbqbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\usogxkecwllehaynywy.exe ." | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hsbgkk = "usogxkecwllehaynywy.exe ." | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oesclqcseld = "C:\\Users\\Admin\\AppData\\Local\\Temp\\awqgvgyumzxopgcpy.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\jwhouwfs = "usogxkecwllehaynywy.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tivemqbqbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tohwkulgxjgwwmht.exe ." | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\jwhouwfs = "usogxkecwllehaynywy.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hsbgkk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\usogxkecwllehaynywy.exe ." | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\wgosv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\awqgvgyumzxopgcpy.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hsbgkk = "hgdwocxwrhicgazpbadc.exe ." | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tivemqbqbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\awqgvgyumzxopgcpy.exe ." | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oesclqcseld = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tohwkulgxjgwwmht.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hsbgkk = "tohwkulgxjgwwmht.exe ." | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\jwhouwfs = "wwuohwssofhchcctggkki.exe" | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hsbgkk = "jgbsiunkdrqikcznxu.exe ." | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wgosv = "hgdwocxwrhicgazpbadc.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wgosv = "hgdwocxwrhicgazpbadc.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\wgosv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\usogxkecwllehaynywy.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hsbgkk = "wwuohwssofhchcctggkki.exe ." | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\aoaipscqa = "wwuohwssofhchcctggkki.exe ." | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\wgosv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tohwkulgxjgwwmht.exe" | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tivemqbqbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\awqgvgyumzxopgcpy.exe ." | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tivemqbqbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\awqgvgyumzxopgcpy.exe ." | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tivemqbqbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wwuohwssofhchcctggkki.exe ." | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hsbgkk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\usogxkecwllehaynywy.exe ." | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wgosv = "wwuohwssofhchcctggkki.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\aoaipscqa = "jgbsiunkdrqikcznxu.exe ." | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oesclqcseld = "C:\\Users\\Admin\\AppData\\Local\\Temp\\usogxkecwllehaynywy.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\wgosv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tohwkulgxjgwwmht.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\aoaipscqa = "jgbsiunkdrqikcznxu.exe ." | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hsbgkk = "wwuohwssofhchcctggkki.exe ." | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wgosv = "hgdwocxwrhicgazpbadc.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\aoaipscqa = "awqgvgyumzxopgcpy.exe ." | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\wgosv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hgdwocxwrhicgazpbadc.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\wgosv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\awqgvgyumzxopgcpy.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hsbgkk = "hgdwocxwrhicgazpbadc.exe ." | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\aoaipscqa = "wwuohwssofhchcctggkki.exe ." | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wgosv = "hgdwocxwrhicgazpbadc.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wgosv = "awqgvgyumzxopgcpy.exe" | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hsbgkk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\usogxkecwllehaynywy.exe ." | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
Hijack Execution Flow: Executable Installer File Permissions Weakness
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | www.showmyipaddress.com | N/A | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File created | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| File opened for modification | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| File created | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| File opened for modification | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\wwuohwssofhchcctggkki.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\usogxkecwllehaynywy.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wwuohwssofhchcctggkki.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tohwkulgxjgwwmht.exe | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wwuohwssofhchcctggkki.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tohwkulgxjgwwmht.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\awqgvgyumzxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tohwkulgxjgwwmht.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tohwkulgxjgwwmht.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\usogxkecwllehaynywy.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\nonicspqnfiekghznotuto.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wwuohwssofhchcctggkki.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tohwkulgxjgwwmht.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\hgdwocxwrhicgazpbadc.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\hgdwocxwrhicgazpbadc.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\nonicspqnfiekghznotuto.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\nonicspqnfiekghznotuto.exe | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\awqgvgyumzxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\usogxkecwllehaynywy.exe | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\usogxkecwllehaynywy.exe | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\kcsepwkcqztgdqirwokcsepwkcqztgdqirw.kcs | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wwuohwssofhchcctggkki.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tohwkulgxjgwwmht.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\jgbsiunkdrqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\usogxkecwllehaynywy.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\awqgvgyumzxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\hgdwocxwrhicgazpbadc.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wwuohwssofhchcctggkki.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\awqgvgyumzxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\hgdwocxwrhicgazpbadc.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\usogxkecwllehaynywy.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\jgbsiunkdrqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\hgdwocxwrhicgazpbadc.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\awqgvgyumzxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tohwkulgxjgwwmht.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\awqgvgyumzxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\jgbsiunkdrqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\awqgvgyumzxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\hgdwocxwrhicgazpbadc.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\hgdwocxwrhicgazpbadc.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\hgdwocxwrhicgazpbadc.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tohwkulgxjgwwmht.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\jgbsiunkdrqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\usogxkecwllehaynywy.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\hgdwocxwrhicgazpbadc.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\awqgvgyumzxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\usogxkecwllehaynywy.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\awqgvgyumzxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\hgdwocxwrhicgazpbadc.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\nonicspqnfiekghznotuto.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wwuohwssofhchcctggkki.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\jgbsiunkdrqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tohwkulgxjgwwmht.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\awqgvgyumzxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wwuohwssofhchcctggkki.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\hgdwocxwrhicgazpbadc.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File created | C:\Windows\SysWOW64\kcsepwkcqztgdqirwokcsepwkcqztgdqirw.kcs | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\usogxkecwllehaynywy.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tohwkulgxjgwwmht.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\jgbsiunkdrqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tohwkulgxjgwwmht.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\usogxkecwllehaynywy.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\awqgvgyumzxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\hgdwocxwrhicgazpbadc.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\binooknuxvegsubztalsxyyu.ehf | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| File created | C:\Program Files (x86)\binooknuxvegsubztalsxyyu.ehf | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| File opened for modification | C:\Program Files (x86)\kcsepwkcqztgdqirwokcsepwkcqztgdqirw.kcs | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| File created | C:\Program Files (x86)\kcsepwkcqztgdqirwokcsepwkcqztgdqirw.kcs | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\awqgvgyumzxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\jgbsiunkdrqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\kcsepwkcqztgdqirwokcsepwkcqztgdqirw.kcs | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| File opened for modification | C:\Windows\awqgvgyumzxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| File opened for modification | C:\Windows\awqgvgyumzxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\usogxkecwllehaynywy.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\usogxkecwllehaynywy.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\wwuohwssofhchcctggkki.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\awqgvgyumzxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| File opened for modification | C:\Windows\nonicspqnfiekghznotuto.exe | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| File opened for modification | C:\Windows\wwuohwssofhchcctggkki.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\nonicspqnfiekghznotuto.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\hgdwocxwrhicgazpbadc.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\wwuohwssofhchcctggkki.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\jgbsiunkdrqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\nonicspqnfiekghznotuto.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\usogxkecwllehaynywy.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\hgdwocxwrhicgazpbadc.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\hgdwocxwrhicgazpbadc.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\usogxkecwllehaynywy.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\wwuohwssofhchcctggkki.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\hgdwocxwrhicgazpbadc.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\nonicspqnfiekghznotuto.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\hgdwocxwrhicgazpbadc.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\usogxkecwllehaynywy.exe | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| File opened for modification | C:\Windows\hgdwocxwrhicgazpbadc.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\usogxkecwllehaynywy.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\wwuohwssofhchcctggkki.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\usogxkecwllehaynywy.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\nonicspqnfiekghznotuto.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\usogxkecwllehaynywy.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\tohwkulgxjgwwmht.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\jgbsiunkdrqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\awqgvgyumzxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\awqgvgyumzxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\tohwkulgxjgwwmht.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\nonicspqnfiekghznotuto.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\hgdwocxwrhicgazpbadc.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\tohwkulgxjgwwmht.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\usogxkecwllehaynywy.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\nonicspqnfiekghznotuto.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\tohwkulgxjgwwmht.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\hgdwocxwrhicgazpbadc.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\wwuohwssofhchcctggkki.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\jgbsiunkdrqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\usogxkecwllehaynywy.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\nonicspqnfiekghznotuto.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\awqgvgyumzxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\awqgvgyumzxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\awqgvgyumzxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\jgbsiunkdrqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\awqgvgyumzxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\jgbsiunkdrqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\jgbsiunkdrqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\nonicspqnfiekghznotuto.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\usogxkecwllehaynywy.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\awqgvgyumzxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\wwuohwssofhchcctggkki.exe | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| File opened for modification | C:\Windows\tohwkulgxjgwwmht.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\jgbsiunkdrqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\hgdwocxwrhicgazpbadc.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\nonicspqnfiekghznotuto.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\usogxkecwllehaynywy.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\jgbsiunkdrqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\tohwkulgxjgwwmht.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\awqgvgyumzxopgcpy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\hgdwocxwrhicgazpbadc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\tohwkulgxjgwwmht.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\wwuohwssofhchcctggkki.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\jgbsiunkdrqikcznxu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\hgdwocxwrhicgazpbadc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\wwuohwssofhchcctggkki.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\usogxkecwllehaynywy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\hgdwocxwrhicgazpbadc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\wwuohwssofhchcctggkki.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\wwuohwssofhchcctggkki.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\tohwkulgxjgwwmht.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\wwuohwssofhchcctggkki.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\awqgvgyumzxopgcpy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\wwuohwssofhchcctggkki.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\awqgvgyumzxopgcpy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\jgbsiunkdrqikcznxu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\jgbsiunkdrqikcznxu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\jgbsiunkdrqikcznxu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\hgdwocxwrhicgazpbadc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\jgbsiunkdrqikcznxu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\jgbsiunkdrqikcznxu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\usogxkecwllehaynywy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\hgdwocxwrhicgazpbadc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\tohwkulgxjgwwmht.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\hgdwocxwrhicgazpbadc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\usogxkecwllehaynywy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\jgbsiunkdrqikcznxu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\hgdwocxwrhicgazpbadc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\jgbsiunkdrqikcznxu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\hgdwocxwrhicgazpbadc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\wgosv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe"
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_bdec6237d2f7f80e1250e09df51e3d02.exe*"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe
C:\Windows\jgbsiunkdrqikcznxu.exe
jgbsiunkdrqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe .
C:\Windows\jgbsiunkdrqikcznxu.exe
jgbsiunkdrqikcznxu.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\jgbsiunkdrqikcznxu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe
C:\Windows\hgdwocxwrhicgazpbadc.exe
hgdwocxwrhicgazpbadc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe .
C:\Windows\jgbsiunkdrqikcznxu.exe
jgbsiunkdrqikcznxu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\jgbsiunkdrqikcznxu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\tohwkulgxjgwwmht.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\hgdwocxwrhicgazpbadc.exe*."
C:\Users\Admin\AppData\Local\Temp\wgosv.exe
"C:\Users\Admin\AppData\Local\Temp\wgosv.exe" "-C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe"
C:\Users\Admin\AppData\Local\Temp\wgosv.exe
"C:\Users\Admin\AppData\Local\Temp\wgosv.exe" "-C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe
C:\Windows\jgbsiunkdrqikcznxu.exe
jgbsiunkdrqikcznxu.exe
C:\Windows\hgdwocxwrhicgazpbadc.exe
hgdwocxwrhicgazpbadc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe .
C:\Windows\jgbsiunkdrqikcznxu.exe
jgbsiunkdrqikcznxu.exe .
C:\Windows\tohwkulgxjgwwmht.exe
tohwkulgxjgwwmht.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\jgbsiunkdrqikcznxu.exe*."
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\tohwkulgxjgwwmht.exe*."
C:\Windows\tohwkulgxjgwwmht.exe
tohwkulgxjgwwmht.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe
C:\Windows\wwuohwssofhchcctggkki.exe
wwuohwssofhchcctggkki.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .
C:\Windows\awqgvgyumzxopgcpy.exe
awqgvgyumzxopgcpy.exe .
C:\Windows\jgbsiunkdrqikcznxu.exe
jgbsiunkdrqikcznxu.exe .
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\awqgvgyumzxopgcpy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\jgbsiunkdrqikcznxu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\tohwkulgxjgwwmht.exe*."
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\usogxkecwllehaynywy.exe*."
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\jgbsiunkdrqikcznxu.exe*."
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\usogxkecwllehaynywy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe
C:\Windows\jgbsiunkdrqikcznxu.exe
jgbsiunkdrqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe .
C:\Windows\hgdwocxwrhicgazpbadc.exe
hgdwocxwrhicgazpbadc.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\hgdwocxwrhicgazpbadc.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe .
C:\Windows\tohwkulgxjgwwmht.exe
tohwkulgxjgwwmht.exe
C:\Windows\wwuohwssofhchcctggkki.exe
wwuohwssofhchcctggkki.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\wwuohwssofhchcctggkki.exe*."
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\wwuohwssofhchcctggkki.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\wwuohwssofhchcctggkki.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe
C:\Windows\usogxkecwllehaynywy.exe
usogxkecwllehaynywy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe
C:\Windows\hgdwocxwrhicgazpbadc.exe
hgdwocxwrhicgazpbadc.exe .
C:\Windows\wwuohwssofhchcctggkki.exe
wwuohwssofhchcctggkki.exe
C:\Windows\awqgvgyumzxopgcpy.exe
awqgvgyumzxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\hgdwocxwrhicgazpbadc.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe .
C:\Windows\usogxkecwllehaynywy.exe
usogxkecwllehaynywy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe .
C:\Windows\wwuohwssofhchcctggkki.exe
wwuohwssofhchcctggkki.exe .
C:\Windows\usogxkecwllehaynywy.exe
usogxkecwllehaynywy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe
C:\Windows\tohwkulgxjgwwmht.exe
tohwkulgxjgwwmht.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\usogxkecwllehaynywy.exe*."
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\wwuohwssofhchcctggkki.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe
C:\Windows\jgbsiunkdrqikcznxu.exe
jgbsiunkdrqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\tohwkulgxjgwwmht.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .
C:\Windows\wwuohwssofhchcctggkki.exe
wwuohwssofhchcctggkki.exe .
C:\Windows\usogxkecwllehaynywy.exe
usogxkecwllehaynywy.exe
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe
C:\Windows\hgdwocxwrhicgazpbadc.exe
hgdwocxwrhicgazpbadc.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\wwuohwssofhchcctggkki.exe*."
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\jgbsiunkdrqikcznxu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\hgdwocxwrhicgazpbadc.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\hgdwocxwrhicgazpbadc.exe*."
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\usogxkecwllehaynywy.exe*."
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\awqgvgyumzxopgcpy.exe*."
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\awqgvgyumzxopgcpy.exe*."
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\usogxkecwllehaynywy.exe*."
C:\Windows\jgbsiunkdrqikcznxu.exe
jgbsiunkdrqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe .
C:\Windows\wwuohwssofhchcctggkki.exe
wwuohwssofhchcctggkki.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\wwuohwssofhchcctggkki.exe*."
C:\Windows\wwuohwssofhchcctggkki.exe
wwuohwssofhchcctggkki.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe .
C:\Windows\tohwkulgxjgwwmht.exe
tohwkulgxjgwwmht.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\tohwkulgxjgwwmht.exe*."
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\hgdwocxwrhicgazpbadc.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\usogxkecwllehaynywy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe
C:\Windows\jgbsiunkdrqikcznxu.exe
jgbsiunkdrqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe .
C:\Windows\tohwkulgxjgwwmht.exe
tohwkulgxjgwwmht.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\tohwkulgxjgwwmht.exe*."
C:\Windows\wwuohwssofhchcctggkki.exe
wwuohwssofhchcctggkki.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe .
C:\Windows\tohwkulgxjgwwmht.exe
tohwkulgxjgwwmht.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\tohwkulgxjgwwmht.exe*."
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\usogxkecwllehaynywy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\hgdwocxwrhicgazpbadc.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe
C:\Windows\tohwkulgxjgwwmht.exe
tohwkulgxjgwwmht.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe .
C:\Windows\wwuohwssofhchcctggkki.exe
wwuohwssofhchcctggkki.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\wwuohwssofhchcctggkki.exe*."
C:\Windows\jgbsiunkdrqikcznxu.exe
jgbsiunkdrqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe .
C:\Windows\usogxkecwllehaynywy.exe
usogxkecwllehaynywy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\usogxkecwllehaynywy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\jgbsiunkdrqikcznxu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\hgdwocxwrhicgazpbadc.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\hgdwocxwrhicgazpbadc.exe
hgdwocxwrhicgazpbadc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe .
C:\Windows\jgbsiunkdrqikcznxu.exe
jgbsiunkdrqikcznxu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\jgbsiunkdrqikcznxu.exe*."
C:\Windows\jgbsiunkdrqikcznxu.exe
jgbsiunkdrqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe .
C:\Windows\hgdwocxwrhicgazpbadc.exe
hgdwocxwrhicgazpbadc.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\hgdwocxwrhicgazpbadc.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\hgdwocxwrhicgazpbadc.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\tohwkulgxjgwwmht.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe
C:\Windows\wwuohwssofhchcctggkki.exe
wwuohwssofhchcctggkki.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe .
C:\Windows\usogxkecwllehaynywy.exe
usogxkecwllehaynywy.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\usogxkecwllehaynywy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe
C:\Windows\wwuohwssofhchcctggkki.exe
wwuohwssofhchcctggkki.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe .
C:\Windows\tohwkulgxjgwwmht.exe
tohwkulgxjgwwmht.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\tohwkulgxjgwwmht.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\awqgvgyumzxopgcpy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\awqgvgyumzxopgcpy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\tohwkulgxjgwwmht.exe
tohwkulgxjgwwmht.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\wwuohwssofhchcctggkki.exe
wwuohwssofhchcctggkki.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\wwuohwssofhchcctggkki.exe*."
C:\Windows\tohwkulgxjgwwmht.exe
tohwkulgxjgwwmht.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe .
C:\Windows\usogxkecwllehaynywy.exe
usogxkecwllehaynywy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\usogxkecwllehaynywy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\usogxkecwllehaynywy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\awqgvgyumzxopgcpy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe
C:\Windows\hgdwocxwrhicgazpbadc.exe
hgdwocxwrhicgazpbadc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe .
C:\Windows\hgdwocxwrhicgazpbadc.exe
hgdwocxwrhicgazpbadc.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\hgdwocxwrhicgazpbadc.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe
C:\Windows\usogxkecwllehaynywy.exe
usogxkecwllehaynywy.exe
C:\Windows\awqgvgyumzxopgcpy.exe
awqgvgyumzxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe .
C:\Windows\awqgvgyumzxopgcpy.exe
awqgvgyumzxopgcpy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\awqgvgyumzxopgcpy.exe*."
C:\Windows\jgbsiunkdrqikcznxu.exe
jgbsiunkdrqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
C:\Windows\awqgvgyumzxopgcpy.exe
awqgvgyumzxopgcpy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe .
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\awqgvgyumzxopgcpy.exe*."
C:\Windows\hgdwocxwrhicgazpbadc.exe
hgdwocxwrhicgazpbadc.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\awqgvgyumzxopgcpy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
C:\Windows\tohwkulgxjgwwmht.exe
tohwkulgxjgwwmht.exe
C:\Windows\jgbsiunkdrqikcznxu.exe
jgbsiunkdrqikcznxu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\hgdwocxwrhicgazpbadc.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\jgbsiunkdrqikcznxu.exe*."
C:\Windows\wwuohwssofhchcctggkki.exe
wwuohwssofhchcctggkki.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .
C:\Windows\wwuohwssofhchcctggkki.exe
wwuohwssofhchcctggkki.exe .
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\awqgvgyumzxopgcpy.exe*."
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\awqgvgyumzxopgcpy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\jgbsiunkdrqikcznxu.exe*."
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\wwuohwssofhchcctggkki.exe*."
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\wwuohwssofhchcctggkki.exe*."
C:\Windows\jgbsiunkdrqikcznxu.exe
jgbsiunkdrqikcznxu.exe
C:\Windows\usogxkecwllehaynywy.exe
usogxkecwllehaynywy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\wwuohwssofhchcctggkki.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\usogxkecwllehaynywy.exe*."
C:\Windows\jgbsiunkdrqikcznxu.exe
jgbsiunkdrqikcznxu.exe
C:\Windows\tohwkulgxjgwwmht.exe
tohwkulgxjgwwmht.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\tohwkulgxjgwwmht.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\jgbsiunkdrqikcznxu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\usogxkecwllehaynywy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe
C:\Windows\awqgvgyumzxopgcpy.exe
awqgvgyumzxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe .
C:\Windows\hgdwocxwrhicgazpbadc.exe
hgdwocxwrhicgazpbadc.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\hgdwocxwrhicgazpbadc.exe*."
C:\Windows\wwuohwssofhchcctggkki.exe
wwuohwssofhchcctggkki.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Windows\usogxkecwllehaynywy.exe
usogxkecwllehaynywy.exe .
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\usogxkecwllehaynywy.exe*."
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\awqgvgyumzxopgcpy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\hgdwocxwrhicgazpbadc.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe
C:\Windows\usogxkecwllehaynywy.exe
usogxkecwllehaynywy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe .
C:\Windows\hgdwocxwrhicgazpbadc.exe
hgdwocxwrhicgazpbadc.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\hgdwocxwrhicgazpbadc.exe*."
C:\Windows\hgdwocxwrhicgazpbadc.exe
hgdwocxwrhicgazpbadc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe .
C:\Windows\awqgvgyumzxopgcpy.exe
awqgvgyumzxopgcpy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\awqgvgyumzxopgcpy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\usogxkecwllehaynywy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\awqgvgyumzxopgcpy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe
C:\Windows\usogxkecwllehaynywy.exe
usogxkecwllehaynywy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe .
C:\Windows\tohwkulgxjgwwmht.exe
tohwkulgxjgwwmht.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\tohwkulgxjgwwmht.exe*."
C:\Windows\tohwkulgxjgwwmht.exe
tohwkulgxjgwwmht.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe .
C:\Windows\awqgvgyumzxopgcpy.exe
awqgvgyumzxopgcpy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\awqgvgyumzxopgcpy.exe*."
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\awqgvgyumzxopgcpy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\jgbsiunkdrqikcznxu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\tohwkulgxjgwwmht.exe
tohwkulgxjgwwmht.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe .
C:\Windows\usogxkecwllehaynywy.exe
usogxkecwllehaynywy.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\usogxkecwllehaynywy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe
C:\Windows\wwuohwssofhchcctggkki.exe
wwuohwssofhchcctggkki.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe .
C:\Windows\hgdwocxwrhicgazpbadc.exe
hgdwocxwrhicgazpbadc.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\hgdwocxwrhicgazpbadc.exe*."
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\usogxkecwllehaynywy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\jgbsiunkdrqikcznxu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe
C:\Windows\hgdwocxwrhicgazpbadc.exe
hgdwocxwrhicgazpbadc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe .
C:\Windows\wwuohwssofhchcctggkki.exe
wwuohwssofhchcctggkki.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\wwuohwssofhchcctggkki.exe*."
C:\Windows\jgbsiunkdrqikcznxu.exe
jgbsiunkdrqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe .
C:\Windows\wwuohwssofhchcctggkki.exe
wwuohwssofhchcctggkki.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\wwuohwssofhchcctggkki.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\wwuohwssofhchcctggkki.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\usogxkecwllehaynywy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe
C:\Windows\awqgvgyumzxopgcpy.exe
awqgvgyumzxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe .
C:\Windows\jgbsiunkdrqikcznxu.exe
jgbsiunkdrqikcznxu.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\jgbsiunkdrqikcznxu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe
C:\Windows\jgbsiunkdrqikcznxu.exe
jgbsiunkdrqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe .
C:\Windows\jgbsiunkdrqikcznxu.exe
jgbsiunkdrqikcznxu.exe
C:\Windows\jgbsiunkdrqikcznxu.exe
jgbsiunkdrqikcznxu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\jgbsiunkdrqikcznxu.exe*."
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\awqgvgyumzxopgcpy.exe
awqgvgyumzxopgcpy.exe .
C:\Windows\usogxkecwllehaynywy.exe
usogxkecwllehaynywy.exe
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\awqgvgyumzxopgcpy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\awqgvgyumzxopgcpy.exe*."
C:\Windows\usogxkecwllehaynywy.exe
usogxkecwllehaynywy.exe
C:\Windows\tohwkulgxjgwwmht.exe
tohwkulgxjgwwmht.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\tohwkulgxjgwwmht.exe*."
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe
C:\Windows\usogxkecwllehaynywy.exe
usogxkecwllehaynywy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe
C:\Windows\tohwkulgxjgwwmht.exe
tohwkulgxjgwwmht.exe
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\usogxkecwllehaynywy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\wwuohwssofhchcctggkki.exe*."
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\tohwkulgxjgwwmht.exe*."
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\jgbsiunkdrqikcznxu.exe*."
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Windows\wwuohwssofhchcctggkki.exe
wwuohwssofhchcctggkki.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\wwuohwssofhchcctggkki.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe .
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .
C:\Windows\usogxkecwllehaynywy.exe
usogxkecwllehaynywy.exe .
C:\Windows\jgbsiunkdrqikcznxu.exe
jgbsiunkdrqikcznxu.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\usogxkecwllehaynywy.exe*."
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\usogxkecwllehaynywy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\jgbsiunkdrqikcznxu.exe*."
C:\Windows\jgbsiunkdrqikcznxu.exe
jgbsiunkdrqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\awqgvgyumzxopgcpy.exe
awqgvgyumzxopgcpy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\awqgvgyumzxopgcpy.exe*."
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\wwuohwssofhchcctggkki.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\awqgvgyumzxopgcpy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\jgbsiunkdrqikcznxu.exe
jgbsiunkdrqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe .
C:\Windows\jgbsiunkdrqikcznxu.exe
jgbsiunkdrqikcznxu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\jgbsiunkdrqikcznxu.exe*."
C:\Windows\jgbsiunkdrqikcznxu.exe
jgbsiunkdrqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe .
C:\Windows\jgbsiunkdrqikcznxu.exe
jgbsiunkdrqikcznxu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\jgbsiunkdrqikcznxu.exe*."
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\tohwkulgxjgwwmht.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\tohwkulgxjgwwmht.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe
C:\Windows\awqgvgyumzxopgcpy.exe
awqgvgyumzxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe .
C:\Windows\wwuohwssofhchcctggkki.exe
wwuohwssofhchcctggkki.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\wwuohwssofhchcctggkki.exe*."
C:\Windows\wwuohwssofhchcctggkki.exe
wwuohwssofhchcctggkki.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe .
C:\Windows\tohwkulgxjgwwmht.exe
tohwkulgxjgwwmht.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\tohwkulgxjgwwmht.exe*."
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\tohwkulgxjgwwmht.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\usogxkecwllehaynywy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe
C:\Windows\wwuohwssofhchcctggkki.exe
wwuohwssofhchcctggkki.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe .
C:\Windows\jgbsiunkdrqikcznxu.exe
jgbsiunkdrqikcznxu.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\jgbsiunkdrqikcznxu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe
C:\Windows\wwuohwssofhchcctggkki.exe
wwuohwssofhchcctggkki.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe .
C:\Windows\jgbsiunkdrqikcznxu.exe
jgbsiunkdrqikcznxu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\jgbsiunkdrqikcznxu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\hgdwocxwrhicgazpbadc.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\hgdwocxwrhicgazpbadc.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe
C:\Windows\jgbsiunkdrqikcznxu.exe
jgbsiunkdrqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe .
C:\Windows\wwuohwssofhchcctggkki.exe
wwuohwssofhchcctggkki.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\wwuohwssofhchcctggkki.exe*."
C:\Windows\hgdwocxwrhicgazpbadc.exe
hgdwocxwrhicgazpbadc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe .
C:\Windows\awqgvgyumzxopgcpy.exe
awqgvgyumzxopgcpy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\awqgvgyumzxopgcpy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\tohwkulgxjgwwmht.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\hgdwocxwrhicgazpbadc.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe
C:\Windows\hgdwocxwrhicgazpbadc.exe
hgdwocxwrhicgazpbadc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe .
C:\Windows\hgdwocxwrhicgazpbadc.exe
hgdwocxwrhicgazpbadc.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\hgdwocxwrhicgazpbadc.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe
C:\Windows\usogxkecwllehaynywy.exe
usogxkecwllehaynywy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe .
C:\Windows\wwuohwssofhchcctggkki.exe
wwuohwssofhchcctggkki.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\wwuohwssofhchcctggkki.exe*."
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\wwuohwssofhchcctggkki.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\hgdwocxwrhicgazpbadc.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe
C:\Windows\hgdwocxwrhicgazpbadc.exe
hgdwocxwrhicgazpbadc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe .
C:\Windows\awqgvgyumzxopgcpy.exe
awqgvgyumzxopgcpy.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\awqgvgyumzxopgcpy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe
C:\Windows\wwuohwssofhchcctggkki.exe
wwuohwssofhchcctggkki.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe .
C:\Windows\wwuohwssofhchcctggkki.exe
wwuohwssofhchcctggkki.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\wwuohwssofhchcctggkki.exe*."
C:\Windows\tohwkulgxjgwwmht.exe
tohwkulgxjgwwmht.exe
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\tohwkulgxjgwwmht.exe*."
C:\Windows\jgbsiunkdrqikcznxu.exe
jgbsiunkdrqikcznxu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\jgbsiunkdrqikcznxu.exe*."
C:\Windows\wwuohwssofhchcctggkki.exe
wwuohwssofhchcctggkki.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\wwuohwssofhchcctggkki.exe
wwuohwssofhchcctggkki.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe .
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe
C:\Windows\jgbsiunkdrqikcznxu.exe
jgbsiunkdrqikcznxu.exe .
C:\Windows\usogxkecwllehaynywy.exe
usogxkecwllehaynywy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\tohwkulgxjgwwmht.exe*."
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\usogxkecwllehaynywy.exe*."
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\jgbsiunkdrqikcznxu.exe*."
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
C:\Windows\usogxkecwllehaynywy.exe
usogxkecwllehaynywy.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\tohwkulgxjgwwmht.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .
C:\Windows\wwuohwssofhchcctggkki.exe
wwuohwssofhchcctggkki.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\jgbsiunkdrqikcznxu.exe*."
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\jgbsiunkdrqikcznxu.exe*."
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .
C:\Windows\usogxkecwllehaynywy.exe
usogxkecwllehaynywy.exe .
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\usogxkecwllehaynywy.exe*."
C:\Windows\usogxkecwllehaynywy.exe
usogxkecwllehaynywy.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\jgbsiunkdrqikcznxu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe .
C:\Windows\hgdwocxwrhicgazpbadc.exe
hgdwocxwrhicgazpbadc.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\hgdwocxwrhicgazpbadc.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\tohwkulgxjgwwmht.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\jgbsiunkdrqikcznxu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe
C:\Windows\hgdwocxwrhicgazpbadc.exe
hgdwocxwrhicgazpbadc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe .
C:\Windows\tohwkulgxjgwwmht.exe
tohwkulgxjgwwmht.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\tohwkulgxjgwwmht.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe
C:\Windows\hgdwocxwrhicgazpbadc.exe
hgdwocxwrhicgazpbadc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\hgdwocxwrhicgazpbadc.exe
hgdwocxwrhicgazpbadc.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\hgdwocxwrhicgazpbadc.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\awqgvgyumzxopgcpy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\jgbsiunkdrqikcznxu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe
C:\Windows\hgdwocxwrhicgazpbadc.exe
hgdwocxwrhicgazpbadc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\awqgvgyumzxopgcpy.exe
awqgvgyumzxopgcpy.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\awqgvgyumzxopgcpy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe
C:\Windows\jgbsiunkdrqikcznxu.exe
jgbsiunkdrqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe .
C:\Windows\awqgvgyumzxopgcpy.exe
awqgvgyumzxopgcpy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\awqgvgyumzxopgcpy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\usogxkecwllehaynywy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\wwuohwssofhchcctggkki.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe
C:\Windows\wwuohwssofhchcctggkki.exe
wwuohwssofhchcctggkki.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe .
C:\Windows\awqgvgyumzxopgcpy.exe
awqgvgyumzxopgcpy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\awqgvgyumzxopgcpy.exe*."
C:\Windows\wwuohwssofhchcctggkki.exe
wwuohwssofhchcctggkki.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe .
C:\Windows\tohwkulgxjgwwmht.exe
tohwkulgxjgwwmht.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\tohwkulgxjgwwmht.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\tohwkulgxjgwwmht.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\tohwkulgxjgwwmht.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\usogxkecwllehaynywy.exe
usogxkecwllehaynywy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe .
C:\Windows\usogxkecwllehaynywy.exe
usogxkecwllehaynywy.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\usogxkecwllehaynywy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe
C:\Windows\tohwkulgxjgwwmht.exe
tohwkulgxjgwwmht.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\hgdwocxwrhicgazpbadc.exe
hgdwocxwrhicgazpbadc.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\hgdwocxwrhicgazpbadc.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\awqgvgyumzxopgcpy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\usogxkecwllehaynywy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe
C:\Windows\hgdwocxwrhicgazpbadc.exe
hgdwocxwrhicgazpbadc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe .
C:\Windows\wwuohwssofhchcctggkki.exe
wwuohwssofhchcctggkki.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\wwuohwssofhchcctggkki.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe
C:\Windows\tohwkulgxjgwwmht.exe
tohwkulgxjgwwmht.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe .
C:\Windows\tohwkulgxjgwwmht.exe
tohwkulgxjgwwmht.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\tohwkulgxjgwwmht.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\tohwkulgxjgwwmht.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\awqgvgyumzxopgcpy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe
C:\Windows\hgdwocxwrhicgazpbadc.exe
hgdwocxwrhicgazpbadc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe .
C:\Windows\hgdwocxwrhicgazpbadc.exe
hgdwocxwrhicgazpbadc.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\hgdwocxwrhicgazpbadc.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe
C:\Windows\jgbsiunkdrqikcznxu.exe
jgbsiunkdrqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe .
C:\Windows\tohwkulgxjgwwmht.exe
tohwkulgxjgwwmht.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\tohwkulgxjgwwmht.exe*."
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\wwuohwssofhchcctggkki.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\jgbsiunkdrqikcznxu.exe
jgbsiunkdrqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\awqgvgyumzxopgcpy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe
C:\Windows\awqgvgyumzxopgcpy.exe
awqgvgyumzxopgcpy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe
C:\Windows\wwuohwssofhchcctggkki.exe
wwuohwssofhchcctggkki.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\awqgvgyumzxopgcpy.exe*."
C:\Windows\awqgvgyumzxopgcpy.exe
awqgvgyumzxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe
C:\Windows\usogxkecwllehaynywy.exe
usogxkecwllehaynywy.exe .
C:\Windows\hgdwocxwrhicgazpbadc.exe
hgdwocxwrhicgazpbadc.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Windows\awqgvgyumzxopgcpy.exe
awqgvgyumzxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\usogxkecwllehaynywy.exe*."
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\hgdwocxwrhicgazpbadc.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\hgdwocxwrhicgazpbadc.exe
hgdwocxwrhicgazpbadc.exe
C:\Windows\awqgvgyumzxopgcpy.exe
awqgvgyumzxopgcpy.exe .
C:\Windows\awqgvgyumzxopgcpy.exe
awqgvgyumzxopgcpy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\awqgvgyumzxopgcpy.exe*."
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\awqgvgyumzxopgcpy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Windows\hgdwocxwrhicgazpbadc.exe
hgdwocxwrhicgazpbadc.exe
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe
C:\Windows\wwuohwssofhchcctggkki.exe
wwuohwssofhchcctggkki.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\usogxkecwllehaynywy.exe*."
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\wwuohwssofhchcctggkki.exe*."
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\wwuohwssofhchcctggkki.exe*."
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\wwuohwssofhchcctggkki.exe*."
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\awqgvgyumzxopgcpy.exe*."
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\tohwkulgxjgwwmht.exe*."
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\awqgvgyumzxopgcpy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe
C:\Windows\tohwkulgxjgwwmht.exe
tohwkulgxjgwwmht.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\jgbsiunkdrqikcznxu.exe
jgbsiunkdrqikcznxu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\jgbsiunkdrqikcznxu.exe*."
C:\Windows\tohwkulgxjgwwmht.exe
tohwkulgxjgwwmht.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\jgbsiunkdrqikcznxu.exe
jgbsiunkdrqikcznxu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\jgbsiunkdrqikcznxu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\tohwkulgxjgwwmht.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\jgbsiunkdrqikcznxu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe
C:\Windows\usogxkecwllehaynywy.exe
usogxkecwllehaynywy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe .
C:\Windows\hgdwocxwrhicgazpbadc.exe
hgdwocxwrhicgazpbadc.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\hgdwocxwrhicgazpbadc.exe*."
C:\Windows\tohwkulgxjgwwmht.exe
tohwkulgxjgwwmht.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\usogxkecwllehaynywy.exe
usogxkecwllehaynywy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\usogxkecwllehaynywy.exe*."
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\jgbsiunkdrqikcznxu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\wwuohwssofhchcctggkki.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe
C:\Windows\hgdwocxwrhicgazpbadc.exe
hgdwocxwrhicgazpbadc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe .
C:\Windows\wwuohwssofhchcctggkki.exe
wwuohwssofhchcctggkki.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\wwuohwssofhchcctggkki.exe*."
C:\Windows\usogxkecwllehaynywy.exe
usogxkecwllehaynywy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe .
C:\Windows\hgdwocxwrhicgazpbadc.exe
hgdwocxwrhicgazpbadc.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\hgdwocxwrhicgazpbadc.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\wwuohwssofhchcctggkki.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\hgdwocxwrhicgazpbadc.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\wwuohwssofhchcctggkki.exe
wwuohwssofhchcctggkki.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe .
C:\Windows\awqgvgyumzxopgcpy.exe
awqgvgyumzxopgcpy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\awqgvgyumzxopgcpy.exe*."
C:\Windows\awqgvgyumzxopgcpy.exe
awqgvgyumzxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe .
C:\Windows\jgbsiunkdrqikcznxu.exe
jgbsiunkdrqikcznxu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\jgbsiunkdrqikcznxu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\hgdwocxwrhicgazpbadc.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\tohwkulgxjgwwmht.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe
C:\Windows\usogxkecwllehaynywy.exe
usogxkecwllehaynywy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe .
C:\Windows\usogxkecwllehaynywy.exe
usogxkecwllehaynywy.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\usogxkecwllehaynywy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe
C:\Windows\jgbsiunkdrqikcznxu.exe
jgbsiunkdrqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe .
C:\Windows\awqgvgyumzxopgcpy.exe
awqgvgyumzxopgcpy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\awqgvgyumzxopgcpy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\jgbsiunkdrqikcznxu.exe*."
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | whatismyip.everdot.org | udp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| US | 172.66.43.169:80 | www.whatismyip.com | tcp |
| US | 172.66.43.169:80 | www.whatismyip.com | tcp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 172.66.43.169:80 | www.whatismyip.com | tcp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| US | 172.66.43.169:80 | www.whatismyip.com | tcp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| GB | 157.240.214.35:80 | www.facebook.com | tcp |
| IT | 93.123.86.9:23203 | tcp | |
| DE | 85.214.228.140:80 | gyuuym.org | tcp |
| SG | 18.142.91.111:80 | unxfuild.info | tcp |
| US | 104.156.155.94:80 | cydlrge.info | tcp |
| US | 69.245.157.101:30273 | tcp | |
| US | 8.8.8.8:53 | gsxwsgnsdfm.net | udp |
| US | 8.8.8.8:53 | zgrjrexb.net | udp |
| BG | 91.139.214.253:20276 | tcp | |
| US | 8.8.8.8:53 | ekqqcc.org | udp |
| US | 8.8.8.8:53 | dflqknsl.net | udp |
| US | 8.8.8.8:53 | cupgcwpec.net | udp |
| BG | 87.121.48.227:18645 | tcp | |
| US | 8.8.8.8:53 | sukeymiqsogc.com | udp |
| US | 8.8.8.8:53 | qqgwew.com | udp |
| US | 8.8.8.8:53 | njmyupro.net | udp |
| US | 8.8.8.8:53 | acnurezwh.info | udp |
| US | 8.8.8.8:53 | dwpmcwemx.net | udp |
| BG | 77.76.191.142:31825 | tcp | |
| US | 8.8.8.8:53 | uwcuws.org | udp |
| US | 8.8.8.8:53 | ekkjfgfbyf.info | udp |
| US | 8.8.8.8:53 | wcugug.com | udp |
| US | 8.8.8.8:53 | wipkgxsenef.info | udp |
| LT | 78.60.90.47:26746 | tcp | |
| US | 8.8.8.8:53 | zbnxmkjiojkt.info | udp |
| CA | 68.232.80.223:39238 | tcp | |
| US | 8.8.8.8:53 | wawaoiyk.com | udp |
| US | 8.8.8.8:53 | dazulnj.org | udp |
| US | 8.8.8.8:53 | kwtyrov.net | udp |
| BG | 77.71.43.98:28558 | tcp | |
| US | 8.8.8.8:53 | pqycjkwkd.info | udp |
| US | 8.8.8.8:53 | lvliwxsju.net | udp |
| BG | 89.252.192.21:30518 | tcp | |
| US | 8.8.8.8:53 | zknshmx.net | udp |
| US | 8.8.8.8:53 | bylbrlymcwwl.info | udp |
| US | 8.8.8.8:53 | nzjcxyhv.info | udp |
| MD | 109.185.208.228:21375 | tcp | |
| US | 8.8.8.8:53 | kkiamiym.com | udp |
| US | 8.8.8.8:53 | qixefwzij.net | udp |
| LT | 85.232.153.97:16140 | tcp | |
| US | 8.8.8.8:53 | rqlutxf.net | udp |
| US | 8.8.8.8:53 | vicjjczgxif.net | udp |
| LT | 78.63.97.7:45675 | tcp | |
| US | 8.8.8.8:53 | byjllzwmuylz.net | udp |
| US | 8.8.8.8:53 | edbotl.net | udp |
| LT | 78.59.240.39:34119 | tcp | |
| US | 8.8.8.8:53 | hsfspwfirsr.org | udp |
| US | 8.8.8.8:53 | qyjxvcif.net | udp |
| US | 8.8.8.8:53 | zdhnfmzmptc.info | udp |
| US | 8.8.8.8:53 | seimkycy.org | udp |
| LT | 78.56.108.181:26764 | tcp | |
| US | 8.8.8.8:53 | fskeffl.info | udp |
| US | 8.8.8.8:53 | xpkzrtlv.net | udp |
| US | 8.8.8.8:53 | rkjyfrxybqd.net | udp |
| BG | 89.25.109.59:23813 | tcp | |
| US | 8.8.8.8:53 | sgdzhklkvfso.info | udp |
| US | 8.8.8.8:53 | ggbfhz.info | udp |
| US | 8.8.8.8:53 | dkdczgl.info | udp |
| BG | 212.233.218.98:38397 | tcp | |
| US | 8.8.8.8:53 | gsxrzdalt.info | udp |
| US | 8.8.8.8:53 | kyeuysrbnt.info | udp |
| US | 8.8.8.8:53 | qyffooarp.info | udp |
| US | 8.8.8.8:53 | gnusbw.net | udp |
| US | 8.8.8.8:53 | owuucyeeiwyu.com | udp |
| BG | 212.50.76.8:13875 | tcp | |
| US | 8.8.8.8:53 | fevpfshvp.org | udp |
| US | 8.8.8.8:53 | fwokxwu.info | udp |
| US | 8.8.8.8:53 | hylgpxjktx.net | udp |
| US | 8.8.8.8:53 | giekgyskeiik.org | udp |
| US | 8.8.8.8:53 | bavppixu.net | udp |
| BG | 212.233.218.98:38397 | tcp | |
| US | 8.8.8.8:53 | qiyssqigeq.com | udp |
| US | 8.8.8.8:53 | zqxlmd.info | udp |
| US | 8.8.8.8:53 | yofrzwf.info | udp |
| US | 8.8.8.8:53 | fkgritslx.org | udp |
| US | 8.8.8.8:53 | ifthpsgujm.net | udp |
| LT | 78.62.93.5:28700 | tcp | |
| US | 8.8.8.8:53 | eeeiusoc.com | udp |
| LT | 85.255.51.15:13558 | tcp | |
| US | 8.8.8.8:53 | wgcoiykyaeoe.org | udp |
| US | 8.8.8.8:53 | fweoxxz.com | udp |
| US | 8.8.8.8:53 | nrztjt.net | udp |
| US | 8.8.8.8:53 | jntxuexoq.net | udp |
| US | 8.8.8.8:53 | nfchzxla.net | udp |
| US | 8.8.8.8:53 | awtrjqbmv.net | udp |
| US | 8.8.8.8:53 | wadkfduaknw.info | udp |
| US | 8.8.8.8:53 | osnqusdqj.net | udp |
| US | 8.8.8.8:53 | bctsrdfp.net | udp |
| US | 8.8.8.8:53 | ejpdqikairvo.info | udp |
| US | 8.8.8.8:53 | sdzydb.info | udp |
| US | 8.8.8.8:53 | aummicksog.org | udp |
| US | 8.8.8.8:53 | qtnvfwaay.net | udp |
| US | 8.8.8.8:53 | reprsq.info | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
| MD5 | 23bff39547f2d5b201693f9ad0a48638 |
| SHA1 | 777e0e2133205eadab020eae72aebce000bc431e |
| SHA256 | 23d2d49d3baf0fb03c223267d2f9f00e95d3447a66fb12b9cc2ba0d31e4b936d |
| SHA512 | f710bdcaefc281429821c0481a3225e52dda6db488fec627bf774d12c3dfbc992b1c0b428601b464e3a80058e5ae68cccd6795b0ea98b0cc8df9f7f573571bb9 |
C:\Windows\SysWOW64\jgbsiunkdrqikcznxu.exe
| MD5 | bdec6237d2f7f80e1250e09df51e3d02 |
| SHA1 | 73bbd2918a981f181299342a44b8afc0e0923f7d |
| SHA256 | a7ba2a0628020aa108b91798907146015ab98527a7b59ac8836865c6d9e1e12b |
| SHA512 | e0c1276cabc70b4fe6c936854e10eafba6c5860824d82007c2513d408d1167611b24ae6d5fe992ce12500d6d08ace5b966535ad236bb142af5f677f0ade1af8b |
C:\Users\Admin\AppData\Local\Temp\wgosv.exe
| MD5 | 5d1aac9cdfd58a9c5dbf0f9b37604c7c |
| SHA1 | 1c7f1dd85fe87858031e152ff9bbb7830536dfce |
| SHA256 | 8d359c0eb1b03f8b7f35bb44a92758a3a911ae533c27e461bef727ecef972daf |
| SHA512 | 3a02581067f15e16b8745e7984b51b91838e8fc97ac7913fdd779e0f5b7b1038b0e4fb47a7c16046d1d13a9d1074c6dcc04e2f1d322acdb37d1b606a71ecfeae |
C:\Users\Admin\AppData\Local\binooknuxvegsubztalsxyyu.ehf
| MD5 | 53161fa6d01c965f8c3f32ace579d555 |
| SHA1 | 881eeb45e6a774166cb99761845ed1c08d30c3b4 |
| SHA256 | 961ca600bfddfaa7c24e39aa4e369e0ab4e7c8cd0cc3521448d1c3b8d47cac15 |
| SHA512 | 02b1119efa2e22cd0f3114c6a3aef8af1a6cdf081383af16179cad4d37ad8c838b757f7bb6e77af605833d6b3cb7301eadb1acb8e758b87f3991a2ce6f784bd6 |
C:\Users\Admin\AppData\Local\kcsepwkcqztgdqirwokcsepwkcqztgdqirw.kcs
| MD5 | d06c4687b5c046575f5391ebb20e365d |
| SHA1 | 17943bdc4966f7923ad1f980ba84f76967d81a9c |
| SHA256 | 60bc580ca18eb1997cde8d3776e6c4cbbc5ffd188fbf3f305374e8e693a28a40 |
| SHA512 | 6865d5eb2e69f7cb738c4ef76a798f8f7995f74bb94ffc57229dd59f5b18e1f2d6052f4ce7f69ee8fb5615111503d163e53fea2c043731d3320a955d867bdfe0 |
C:\Program Files (x86)\binooknuxvegsubztalsxyyu.ehf
| MD5 | 2ab0b00262003dc4a19cc4774ff68618 |
| SHA1 | 349efa365e8c716599eb1ba40a7650bccedd755d |
| SHA256 | eeba2148afb8a456cd03c71894ce071e27469e9ee5bbbd773f2db5bf4d754f8c |
| SHA512 | 27e664dbea77200ba777cf7de51a80dad50156308ddaa3fcee760c12653afae59cf6d61718a8944b07b35be7cd381136a5c52b7cca20501d4fdd47103875149f |
C:\Program Files (x86)\binooknuxvegsubztalsxyyu.ehf
| MD5 | 1c0a2596648fcbaa109ee9ddf980a0ad |
| SHA1 | 059dbdc2ddcd11898dc3d70406cdc55cbcc9b0ee |
| SHA256 | 67a5c241a948a5db412099c4f72bdb9d2f69df6bd2cdecae8f56bf842e21b427 |
| SHA512 | c72e0f5fc9ae65adffda15b2534bfc0d4ddb35304b012d72d2374bc3d144a25c6f8277d754890479430e77ebd51c23a9814cd48546990e28bb614981752fb491 |
C:\Program Files (x86)\binooknuxvegsubztalsxyyu.ehf
| MD5 | 7f27c938fa5b29231ba289d142dfc968 |
| SHA1 | a519fa249b84d3d5c4a228ecb71ccd7ebb106396 |
| SHA256 | 49e4bab6a97c55ea404229dba890b688a04fed67ac3411840744bb02e6a6cda8 |
| SHA512 | cfeff3146d7c989691c2ad90888ae4dcb22f84d73190853c5ae94e68634b1b5fdf1797c1a00ee960b177656ede570ff672d18cbca6ef6a0f273ca1310e5945dc |
C:\Program Files (x86)\binooknuxvegsubztalsxyyu.ehf
| MD5 | 6a065f12f5318d17cbcd6deb19ddc23c |
| SHA1 | f7b613ea1d90e983e17933f6777f8e6501a6b3a2 |
| SHA256 | ad060ec0f3e1142c81dcd4b8b0468140c7e2d8793659a55c68d5ce255a42091a |
| SHA512 | 5a97262a0a84e4e8aa674326fd93f48fa340702b8a3c31de23ee4bda6e5ec13186bbc006adca7a6fad3ed1759ab1d271c3f846bdcb8e731e1dc0a5fcba933066 |
C:\Program Files (x86)\binooknuxvegsubztalsxyyu.ehf
| MD5 | 37063fb7e559ad67bcd57878b90bab40 |
| SHA1 | ef969d94e2e8931aeabfa7cc32444019d60e773e |
| SHA256 | 50e4a8a0dfefa125d22fbb94c4ecf850669cf76ec5117fffc80dafb0fc563658 |
| SHA512 | a777568e707bf443dc2231658117e9b36ae7b2d11d1d768fc4fb2e8f9e9c0b54e9099654d1e100c545207aedbac08ac29815dcbaa3841e408e1fe77427e7cd93 |
C:\Program Files (x86)\binooknuxvegsubztalsxyyu.ehf
| MD5 | 99e43e082dbf17d1ac1a49efa9fbbf1e |
| SHA1 | 8d2c5ca5be42b670f875c76826f5a98bdd34883f |
| SHA256 | 5d6cc2976f1afd966ccdbc3cab5a2862081e6ed982aeea4728e326e9d8c4082e |
| SHA512 | 211d085c323f0371bb61c54cc43382e6c4bb8ab73fc990f08fe47f833fd42b8304cee26900b1ca4308af5c50fcddc864c617feff3ec31f11c8cbc978a09e641b |
Analysis: behavioral1
Detonation Overview
Submitted
2025-04-18 11:49
Reported
2025-04-18 11:51
Platform
win10v2004-20250314-en
Max time kernel
45s
Max time network
151s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
Pykspa
Pykspa family
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
Detect Pykspa worm
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gauwlkavmhczblxqdkcw.exe" | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kymirkujujyplp = "tmfgushbrlfbclwoagx.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kymirkujujyplp = "vqloeevrjfbzcnauiqjez.exe" | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmfgushbrlfbclwoagx.exe" | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kymirkujujyplp = "zqhgsobthzrlkraqa.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kymirkujujyplp = "iassfcqjyrkffnxoze.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kymirkujujyplp = "siywhcofsjatrxfu.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iassfcqjyrkffnxoze.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kymirkujujyplp = "siywhcofsjatrxfu.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kymirkujujyplp = "gauwlkavmhczblxqdkcw.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kymirkujujyplp = "vqloeevrjfbzcnauiqjez.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gauwlkavmhczblxqdkcw.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iassfcqjyrkffnxoze.exe" | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kymirkujujyplp = "iassfcqjyrkffnxoze.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kymirkujujyplp = "zqhgsobthzrlkraqa.exe" | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iassfcqjyrkffnxoze.exe" | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\siywhcofsjatrxfu.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vqloeevrjfbzcnauiqjez.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iassfcqjyrkffnxoze.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmfgushbrlfbclwoagx.exe" | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kymirkujujyplp = "gauwlkavmhczblxqdkcw.exe" | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kymirkujujyplp = "zqhgsobthzrlkraqa.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kymirkujujyplp = "tmfgushbrlfbclwoagx.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kymirkujujyplp = "tmfgushbrlfbclwoagx.exe" | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gauwlkavmhczblxqdkcw.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kymirkujujyplp = "siywhcofsjatrxfu.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kymirkujujyplp = "iassfcqjyrkffnxoze.exe" | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gauwlkavmhczblxqdkcw.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kymirkujujyplp = "gauwlkavmhczblxqdkcw.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iassfcqjyrkffnxoze.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kymirkujujyplp = "iassfcqjyrkffnxoze.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqhgsobthzrlkraqa.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqhgsobthzrlkraqa.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gauwlkavmhczblxqdkcw.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kymirkujujyplp = "gauwlkavmhczblxqdkcw.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqhgsobthzrlkraqa.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kymirkujujyplp = "zqhgsobthzrlkraqa.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gauwlkavmhczblxqdkcw.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vqloeevrjfbzcnauiqjez.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\siywhcofsjatrxfu.exe" | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iassfcqjyrkffnxoze.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kymirkujujyplp = "iassfcqjyrkffnxoze.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vqloeevrjfbzcnauiqjez.exe" | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyjciyfrzlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqhgsobthzrlkraqa.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kymirkujujyplp = "tmfgushbrlfbclwoagx.exe" | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Windows\siywhcofsjatrxfu.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Windows\zqhgsobthzrlkraqa.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Windows\iassfcqjyrkffnxoze.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Windows\vqloeevrjfbzcnauiqjez.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Windows\iassfcqjyrkffnxoze.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Windows\tmfgushbrlfbclwoagx.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Windows\tmfgushbrlfbclwoagx.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Windows\gauwlkavmhczblxqdkcw.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Windows\tmfgushbrlfbclwoagx.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Windows\siywhcofsjatrxfu.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Windows\siywhcofsjatrxfu.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Windows\siywhcofsjatrxfu.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Windows\vqloeevrjfbzcnauiqjez.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Windows\gauwlkavmhczblxqdkcw.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Windows\zqhgsobthzrlkraqa.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Windows\siywhcofsjatrxfu.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Windows\siywhcofsjatrxfu.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Windows\zqhgsobthzrlkraqa.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Windows\vqloeevrjfbzcnauiqjez.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Windows\vqloeevrjfbzcnauiqjez.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Windows\zqhgsobthzrlkraqa.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Windows\siywhcofsjatrxfu.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Windows\iassfcqjyrkffnxoze.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Windows\zqhgsobthzrlkraqa.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Windows\gauwlkavmhczblxqdkcw.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Windows\zqhgsobthzrlkraqa.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Windows\siywhcofsjatrxfu.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Windows\gauwlkavmhczblxqdkcw.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Windows\iassfcqjyrkffnxoze.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe | N/A |
Executes dropped EXE
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ncroysdtfvldafm = "vqloeevrjfbzcnauiqjez.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kwicjaiveret = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iassfcqjyrkffnxoze.exe" | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kwicjaiveret = "iassfcqjyrkffnxoze.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kwicjaiveret = "zqhgsobthzrlkraqa.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jwjemenblzndy = "siywhcofsjatrxfu.exe ." | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\siywhcofsjatrxfu = "gauwlkavmhczblxqdkcw.exe ." | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqhgsobthzrlkraqa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gauwlkavmhczblxqdkcw.exe ." | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kwicjaiveret = "gauwlkavmhczblxqdkcw.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iassfcqjyrkffnxoze = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmfgushbrlfbclwoagx.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kwicjaiveret = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqhgsobthzrlkraqa.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kwicjaiveret = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqhgsobthzrlkraqa.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kwicjaiveret = "siywhcofsjatrxfu.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ncroysdtfvldafm = "iassfcqjyrkffnxoze.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jwjemenblzndy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gauwlkavmhczblxqdkcw.exe ." | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\siywhcofsjatrxfu = "zqhgsobthzrlkraqa.exe ." | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqhgsobthzrlkraqa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gauwlkavmhczblxqdkcw.exe ." | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iassfcqjyrkffnxoze = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vqloeevrjfbzcnauiqjez.exe" | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iassfcqjyrkffnxoze = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqhgsobthzrlkraqa.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kwicjaiveret = "vqloeevrjfbzcnauiqjez.exe" | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kwicjaiveret = "zqhgsobthzrlkraqa.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jwjemenblzndy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vqloeevrjfbzcnauiqjez.exe ." | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\siywhcofsjatrxfu = "iassfcqjyrkffnxoze.exe ." | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kwicjaiveret = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqhgsobthzrlkraqa.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\siywhcofsjatrxfu = "vqloeevrjfbzcnauiqjez.exe ." | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iassfcqjyrkffnxoze = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vqloeevrjfbzcnauiqjez.exe" | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kwicjaiveret = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iassfcqjyrkffnxoze.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqhgsobthzrlkraqa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iassfcqjyrkffnxoze.exe ." | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ncroysdtfvldafm = "vqloeevrjfbzcnauiqjez.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jwjemenblzndy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gauwlkavmhczblxqdkcw.exe ." | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\siywhcofsjatrxfu = "zqhgsobthzrlkraqa.exe ." | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iassfcqjyrkffnxoze = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iassfcqjyrkffnxoze.exe" | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kwicjaiveret = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vqloeevrjfbzcnauiqjez.exe" | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jwjemenblzndy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iassfcqjyrkffnxoze.exe ." | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jwjemenblzndy = "tmfgushbrlfbclwoagx.exe ." | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqhgsobthzrlkraqa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gauwlkavmhczblxqdkcw.exe ." | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kwicjaiveret = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gauwlkavmhczblxqdkcw.exe" | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\siywhcofsjatrxfu = "iassfcqjyrkffnxoze.exe ." | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kwicjaiveret = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqhgsobthzrlkraqa.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jwjemenblzndy = "vqloeevrjfbzcnauiqjez.exe ." | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ncroysdtfvldafm = "tmfgushbrlfbclwoagx.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iassfcqjyrkffnxoze = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqhgsobthzrlkraqa.exe" | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kwicjaiveret = "C:\\Users\\Admin\\AppData\\Local\\Temp\\siywhcofsjatrxfu.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ncroysdtfvldafm = "tmfgushbrlfbclwoagx.exe" | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jwjemenblzndy = "iassfcqjyrkffnxoze.exe ." | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqhgsobthzrlkraqa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gauwlkavmhczblxqdkcw.exe ." | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jwjemenblzndy = "siywhcofsjatrxfu.exe ." | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqhgsobthzrlkraqa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gauwlkavmhczblxqdkcw.exe ." | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\siywhcofsjatrxfu = "iassfcqjyrkffnxoze.exe ." | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iassfcqjyrkffnxoze = "C:\\Users\\Admin\\AppData\\Local\\Temp\\siywhcofsjatrxfu.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iassfcqjyrkffnxoze = "C:\\Users\\Admin\\AppData\\Local\\Temp\\siywhcofsjatrxfu.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kwicjaiveret = "tmfgushbrlfbclwoagx.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kwicjaiveret = "gauwlkavmhczblxqdkcw.exe" | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kwicjaiveret = "iassfcqjyrkffnxoze.exe" | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iassfcqjyrkffnxoze = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmfgushbrlfbclwoagx.exe" | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kwicjaiveret = "C:\\Users\\Admin\\AppData\\Local\\Temp\\siywhcofsjatrxfu.exe" | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jwjemenblzndy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqhgsobthzrlkraqa.exe ." | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jwjemenblzndy = "gauwlkavmhczblxqdkcw.exe ." | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jwjemenblzndy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmfgushbrlfbclwoagx.exe ." | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\siywhcofsjatrxfu = "gauwlkavmhczblxqdkcw.exe ." | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqhgsobthzrlkraqa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\siywhcofsjatrxfu.exe ." | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqhgsobthzrlkraqa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\siywhcofsjatrxfu.exe ." | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kwicjaiveret = "siywhcofsjatrxfu.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kwicjaiveret = "iassfcqjyrkffnxoze.exe" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kwicjaiveret = "zqhgsobthzrlkraqa.exe" | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
Hijack Execution Flow: Executable Installer File Permissions Weakness
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | www.showmyipaddress.com | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\tmfgushbrlfbclwoagx.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mieizaspifcbfrfapysoko.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vqloeevrjfbzcnauiqjez.exe | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\iassfcqjyrkffnxoze.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vqloeevrjfbzcnauiqjez.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zqhgsobthzrlkraqa.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tmfgushbrlfbclwoagx.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wwwezeabyzadlbtslywwwe.eab | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\iassfcqjyrkffnxoze.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vqloeevrjfbzcnauiqjez.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zqhgsobthzrlkraqa.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vqloeevrjfbzcnauiqjez.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gauwlkavmhczblxqdkcw.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\iassfcqjyrkffnxoze.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\siywhcofsjatrxfu.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tmfgushbrlfbclwoagx.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\iassfcqjyrkffnxoze.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tmfgushbrlfbclwoagx.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vqloeevrjfbzcnauiqjez.exe | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\nyjciyfrzlxlefiswudozsyovhpbnbuvy.mkt | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vqloeevrjfbzcnauiqjez.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\siywhcofsjatrxfu.exe | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tmfgushbrlfbclwoagx.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vqloeevrjfbzcnauiqjez.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zqhgsobthzrlkraqa.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tmfgushbrlfbclwoagx.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mieizaspifcbfrfapysoko.exe | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vqloeevrjfbzcnauiqjez.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\iassfcqjyrkffnxoze.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gauwlkavmhczblxqdkcw.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\siywhcofsjatrxfu.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\iassfcqjyrkffnxoze.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gauwlkavmhczblxqdkcw.exe | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\iassfcqjyrkffnxoze.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tmfgushbrlfbclwoagx.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mieizaspifcbfrfapysoko.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gauwlkavmhczblxqdkcw.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mieizaspifcbfrfapysoko.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vqloeevrjfbzcnauiqjez.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\iassfcqjyrkffnxoze.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gauwlkavmhczblxqdkcw.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gauwlkavmhczblxqdkcw.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tmfgushbrlfbclwoagx.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gauwlkavmhczblxqdkcw.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vqloeevrjfbzcnauiqjez.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gauwlkavmhczblxqdkcw.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\siywhcofsjatrxfu.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\iassfcqjyrkffnxoze.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\iassfcqjyrkffnxoze.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tmfgushbrlfbclwoagx.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mieizaspifcbfrfapysoko.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zqhgsobthzrlkraqa.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\siywhcofsjatrxfu.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gauwlkavmhczblxqdkcw.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\siywhcofsjatrxfu.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vqloeevrjfbzcnauiqjez.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\iassfcqjyrkffnxoze.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gauwlkavmhczblxqdkcw.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tmfgushbrlfbclwoagx.exe | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vqloeevrjfbzcnauiqjez.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\iassfcqjyrkffnxoze.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zqhgsobthzrlkraqa.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zqhgsobthzrlkraqa.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\siywhcofsjatrxfu.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\wwwezeabyzadlbtslywwwe.eab | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| File created | C:\Program Files (x86)\wwwezeabyzadlbtslywwwe.eab | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| File opened for modification | C:\Program Files (x86)\nyjciyfrzlxlefiswudozsyovhpbnbuvy.mkt | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| File created | C:\Program Files (x86)\nyjciyfrzlxlefiswudozsyovhpbnbuvy.mkt | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\tmfgushbrlfbclwoagx.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\vqloeevrjfbzcnauiqjez.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\zqhgsobthzrlkraqa.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\gauwlkavmhczblxqdkcw.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File created | C:\Windows\wwwezeabyzadlbtslywwwe.eab | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| File opened for modification | C:\Windows\zqhgsobthzrlkraqa.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\iassfcqjyrkffnxoze.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\gauwlkavmhczblxqdkcw.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\vqloeevrjfbzcnauiqjez.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\zqhgsobthzrlkraqa.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\vqloeevrjfbzcnauiqjez.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\iassfcqjyrkffnxoze.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\tmfgushbrlfbclwoagx.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\zqhgsobthzrlkraqa.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\siywhcofsjatrxfu.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\tmfgushbrlfbclwoagx.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\vqloeevrjfbzcnauiqjez.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\zqhgsobthzrlkraqa.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\tmfgushbrlfbclwoagx.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\siywhcofsjatrxfu.exe | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| File opened for modification | C:\Windows\zqhgsobthzrlkraqa.exe | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| File opened for modification | C:\Windows\gauwlkavmhczblxqdkcw.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\zqhgsobthzrlkraqa.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\siywhcofsjatrxfu.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\zqhgsobthzrlkraqa.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\vqloeevrjfbzcnauiqjez.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\tmfgushbrlfbclwoagx.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\iassfcqjyrkffnxoze.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\mieizaspifcbfrfapysoko.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\mieizaspifcbfrfapysoko.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\siywhcofsjatrxfu.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\mieizaspifcbfrfapysoko.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\gauwlkavmhczblxqdkcw.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\zqhgsobthzrlkraqa.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\siywhcofsjatrxfu.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File created | C:\Windows\nyjciyfrzlxlefiswudozsyovhpbnbuvy.mkt | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| File opened for modification | C:\Windows\vqloeevrjfbzcnauiqjez.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\iassfcqjyrkffnxoze.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\tmfgushbrlfbclwoagx.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\gauwlkavmhczblxqdkcw.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\iassfcqjyrkffnxoze.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\siywhcofsjatrxfu.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\vqloeevrjfbzcnauiqjez.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\tmfgushbrlfbclwoagx.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\tmfgushbrlfbclwoagx.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\mieizaspifcbfrfapysoko.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\iassfcqjyrkffnxoze.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\siywhcofsjatrxfu.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\zqhgsobthzrlkraqa.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\iassfcqjyrkffnxoze.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\zqhgsobthzrlkraqa.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\gauwlkavmhczblxqdkcw.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\zqhgsobthzrlkraqa.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\tmfgushbrlfbclwoagx.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\iassfcqjyrkffnxoze.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\mieizaspifcbfrfapysoko.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\mieizaspifcbfrfapysoko.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\mieizaspifcbfrfapysoko.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\vqloeevrjfbzcnauiqjez.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\iassfcqjyrkffnxoze.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\mieizaspifcbfrfapysoko.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\siywhcofsjatrxfu.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| File opened for modification | C:\Windows\gauwlkavmhczblxqdkcw.exe | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| File opened for modification | C:\Windows\iassfcqjyrkffnxoze.exe | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\iassfcqjyrkffnxoze.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\siywhcofsjatrxfu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\iassfcqjyrkffnxoze.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\tmfgushbrlfbclwoagx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\vqloeevrjfbzcnauiqjez.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\tmfgushbrlfbclwoagx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\gauwlkavmhczblxqdkcw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\iassfcqjyrkffnxoze.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\gauwlkavmhczblxqdkcw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\siywhcofsjatrxfu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\gauwlkavmhczblxqdkcw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\siywhcofsjatrxfu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\gauwlkavmhczblxqdkcw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\zqhgsobthzrlkraqa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\zqhgsobthzrlkraqa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\tmfgushbrlfbclwoagx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\gauwlkavmhczblxqdkcw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\vqloeevrjfbzcnauiqjez.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\siywhcofsjatrxfu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\siywhcofsjatrxfu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\iassfcqjyrkffnxoze.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\vqloeevrjfbzcnauiqjez.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\tmfgushbrlfbclwoagx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\vqloeevrjfbzcnauiqjez.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\siywhcofsjatrxfu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\siywhcofsjatrxfu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\siywhcofsjatrxfu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\iassfcqjyrkffnxoze.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\tmfgushbrlfbclwoagx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\siywhcofsjatrxfu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\vqloeevrjfbzcnauiqjez.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\gmsghs.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe"
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_bdec6237d2f7f80e1250e09df51e3d02.exe*"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe
C:\Windows\zqhgsobthzrlkraqa.exe
zqhgsobthzrlkraqa.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe .
C:\Windows\iassfcqjyrkffnxoze.exe
iassfcqjyrkffnxoze.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iassfcqjyrkffnxoze.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe .
C:\Windows\vqloeevrjfbzcnauiqjez.exe
vqloeevrjfbzcnauiqjez.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Windows\gauwlkavmhczblxqdkcw.exe
gauwlkavmhczblxqdkcw.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\gauwlkavmhczblxqdkcw.exe*."
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\siywhcofsjatrxfu.exe*."
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\gauwlkavmhczblxqdkcw.exe*."
C:\Users\Admin\AppData\Local\Temp\gmsghs.exe
"C:\Users\Admin\AppData\Local\Temp\gmsghs.exe" "-C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe"
C:\Users\Admin\AppData\Local\Temp\gmsghs.exe
"C:\Users\Admin\AppData\Local\Temp\gmsghs.exe" "-C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe
C:\Windows\gauwlkavmhczblxqdkcw.exe
gauwlkavmhczblxqdkcw.exe
C:\Windows\vqloeevrjfbzcnauiqjez.exe
vqloeevrjfbzcnauiqjez.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .
C:\Windows\iassfcqjyrkffnxoze.exe
iassfcqjyrkffnxoze.exe .
C:\Windows\siywhcofsjatrxfu.exe
siywhcofsjatrxfu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\siywhcofsjatrxfu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iassfcqjyrkffnxoze.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .
C:\Windows\vqloeevrjfbzcnauiqjez.exe
vqloeevrjfbzcnauiqjez.exe
C:\Windows\siywhcofsjatrxfu.exe
siywhcofsjatrxfu.exe .
C:\Windows\tmfgushbrlfbclwoagx.exe
tmfgushbrlfbclwoagx.exe
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe
C:\Windows\zqhgsobthzrlkraqa.exe
zqhgsobthzrlkraqa.exe .
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\siywhcofsjatrxfu.exe*."
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\gauwlkavmhczblxqdkcw.exe*."
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\zqhgsobthzrlkraqa.exe*."
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\zqhgsobthzrlkraqa.exe*."
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tmfgushbrlfbclwoagx.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iassfcqjyrkffnxoze.exe*."
C:\Windows\iassfcqjyrkffnxoze.exe
iassfcqjyrkffnxoze.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe .
C:\Windows\zqhgsobthzrlkraqa.exe
zqhgsobthzrlkraqa.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\zqhgsobthzrlkraqa.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe .
C:\Windows\vqloeevrjfbzcnauiqjez.exe
vqloeevrjfbzcnauiqjez.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Windows\iassfcqjyrkffnxoze.exe
iassfcqjyrkffnxoze.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iassfcqjyrkffnxoze.exe*."
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\gauwlkavmhczblxqdkcw.exe*."
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\zqhgsobthzrlkraqa.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\vqloeevrjfbzcnauiqjez.exe
vqloeevrjfbzcnauiqjez.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .
C:\Windows\gauwlkavmhczblxqdkcw.exe
gauwlkavmhczblxqdkcw.exe
C:\Windows\vqloeevrjfbzcnauiqjez.exe
vqloeevrjfbzcnauiqjez.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .
C:\Windows\siywhcofsjatrxfu.exe
siywhcofsjatrxfu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe
C:\Windows\iassfcqjyrkffnxoze.exe
iassfcqjyrkffnxoze.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe
C:\Windows\siywhcofsjatrxfu.exe
siywhcofsjatrxfu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\siywhcofsjatrxfu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\siywhcofsjatrxfu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iassfcqjyrkffnxoze.exe*."
C:\Windows\zqhgsobthzrlkraqa.exe
zqhgsobthzrlkraqa.exe
C:\Windows\vqloeevrjfbzcnauiqjez.exe
vqloeevrjfbzcnauiqjez.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Windows\tmfgushbrlfbclwoagx.exe
tmfgushbrlfbclwoagx.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .
C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe
C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .
C:\Windows\gauwlkavmhczblxqdkcw.exe
gauwlkavmhczblxqdkcw.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tmfgushbrlfbclwoagx.exe*."
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\gauwlkavmhczblxqdkcw.exe*."
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .
C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe
C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\gauwlkavmhczblxqdkcw.exe*."
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tmfgushbrlfbclwoagx.exe*."
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iassfcqjyrkffnxoze.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tmfgushbrlfbclwoagx.exe*."
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .
C:\Windows\zqhgsobthzrlkraqa.exe
zqhgsobthzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\zqhgsobthzrlkraqa.exe*."
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\zqhgsobthzrlkraqa.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe .
C:\Windows\iassfcqjyrkffnxoze.exe
iassfcqjyrkffnxoze.exe
C:\Windows\iassfcqjyrkffnxoze.exe
iassfcqjyrkffnxoze.exe .
C:\Windows\gauwlkavmhczblxqdkcw.exe
gauwlkavmhczblxqdkcw.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iassfcqjyrkffnxoze.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\gauwlkavmhczblxqdkcw.exe*."
C:\Windows\siywhcofsjatrxfu.exe
siywhcofsjatrxfu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Windows\iassfcqjyrkffnxoze.exe
iassfcqjyrkffnxoze.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iassfcqjyrkffnxoze.exe*."
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\siywhcofsjatrxfu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\siywhcofsjatrxfu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe
C:\Windows\zqhgsobthzrlkraqa.exe
zqhgsobthzrlkraqa.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe .
C:\Windows\gauwlkavmhczblxqdkcw.exe
gauwlkavmhczblxqdkcw.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\gauwlkavmhczblxqdkcw.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .
C:\Windows\iassfcqjyrkffnxoze.exe
iassfcqjyrkffnxoze.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe
C:\Windows\siywhcofsjatrxfu.exe
siywhcofsjatrxfu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\siywhcofsjatrxfu.exe*."
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iassfcqjyrkffnxoze.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\siywhcofsjatrxfu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe
C:\Windows\siywhcofsjatrxfu.exe
siywhcofsjatrxfu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe .
C:\Windows\iassfcqjyrkffnxoze.exe
iassfcqjyrkffnxoze.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe .
C:\Windows\vqloeevrjfbzcnauiqjez.exe
vqloeevrjfbzcnauiqjez.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iassfcqjyrkffnxoze.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Windows\gauwlkavmhczblxqdkcw.exe
gauwlkavmhczblxqdkcw.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\gauwlkavmhczblxqdkcw.exe*."
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\zqhgsobthzrlkraqa.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\gauwlkavmhczblxqdkcw.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\vqloeevrjfbzcnauiqjez.exe
vqloeevrjfbzcnauiqjez.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .
C:\Windows\siywhcofsjatrxfu.exe
siywhcofsjatrxfu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\siywhcofsjatrxfu.exe*."
C:\Windows\iassfcqjyrkffnxoze.exe
iassfcqjyrkffnxoze.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe
C:\Windows\zqhgsobthzrlkraqa.exe
zqhgsobthzrlkraqa.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .
C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe
C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\zqhgsobthzrlkraqa.exe*."
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\gauwlkavmhczblxqdkcw.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .
C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe
C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\zqhgsobthzrlkraqa.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe
C:\Windows\iassfcqjyrkffnxoze.exe
iassfcqjyrkffnxoze.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe
C:\Windows\tmfgushbrlfbclwoagx.exe
tmfgushbrlfbclwoagx.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe .
C:\Windows\iassfcqjyrkffnxoze.exe
iassfcqjyrkffnxoze.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tmfgushbrlfbclwoagx.exe*."
C:\Windows\tmfgushbrlfbclwoagx.exe
tmfgushbrlfbclwoagx.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tmfgushbrlfbclwoagx.exe*."
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tmfgushbrlfbclwoagx.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iassfcqjyrkffnxoze.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .
C:\Windows\tmfgushbrlfbclwoagx.exe
tmfgushbrlfbclwoagx.exe
C:\Windows\siywhcofsjatrxfu.exe
siywhcofsjatrxfu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\siywhcofsjatrxfu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe .
C:\Windows\gauwlkavmhczblxqdkcw.exe
gauwlkavmhczblxqdkcw.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe
C:\Windows\gauwlkavmhczblxqdkcw.exe
gauwlkavmhczblxqdkcw.exe
C:\Windows\gauwlkavmhczblxqdkcw.exe
gauwlkavmhczblxqdkcw.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .
C:\Windows\siywhcofsjatrxfu.exe
siywhcofsjatrxfu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\gauwlkavmhczblxqdkcw.exe*."
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe .
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .
C:\Windows\siywhcofsjatrxfu.exe
siywhcofsjatrxfu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\iassfcqjyrkffnxoze.exe
iassfcqjyrkffnxoze.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\gauwlkavmhczblxqdkcw.exe*."
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\siywhcofsjatrxfu.exe*."
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Windows\siywhcofsjatrxfu.exe
siywhcofsjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iassfcqjyrkffnxoze.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .
C:\Windows\vqloeevrjfbzcnauiqjez.exe
vqloeevrjfbzcnauiqjez.exe .
C:\Windows\tmfgushbrlfbclwoagx.exe
tmfgushbrlfbclwoagx.exe
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\vqloeevrjfbzcnauiqjez.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe .
C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe
C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iassfcqjyrkffnxoze.exe*."
C:\Windows\vqloeevrjfbzcnauiqjez.exe
vqloeevrjfbzcnauiqjez.exe .
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tmfgushbrlfbclwoagx.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\gauwlkavmhczblxqdkcw.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\siywhcofsjatrxfu.exe
siywhcofsjatrxfu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\vqloeevrjfbzcnauiqjez.exe*."
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tmfgushbrlfbclwoagx.exe*."
C:\Windows\iassfcqjyrkffnxoze.exe
iassfcqjyrkffnxoze.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\siywhcofsjatrxfu.exe*."
C:\Windows\tmfgushbrlfbclwoagx.exe
tmfgushbrlfbclwoagx.exe
C:\Windows\vqloeevrjfbzcnauiqjez.exe
vqloeevrjfbzcnauiqjez.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iassfcqjyrkffnxoze.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\vqloeevrjfbzcnauiqjez.exe*."
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\gauwlkavmhczblxqdkcw.exe*."
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iassfcqjyrkffnxoze.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe
C:\Windows\iassfcqjyrkffnxoze.exe
iassfcqjyrkffnxoze.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe .
C:\Windows\gauwlkavmhczblxqdkcw.exe
gauwlkavmhczblxqdkcw.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\gauwlkavmhczblxqdkcw.exe*."
C:\Windows\gauwlkavmhczblxqdkcw.exe
gauwlkavmhczblxqdkcw.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Windows\gauwlkavmhczblxqdkcw.exe
gauwlkavmhczblxqdkcw.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\gauwlkavmhczblxqdkcw.exe*."
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\gauwlkavmhczblxqdkcw.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\gauwlkavmhczblxqdkcw.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe
C:\Windows\gauwlkavmhczblxqdkcw.exe
gauwlkavmhczblxqdkcw.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe .
C:\Windows\vqloeevrjfbzcnauiqjez.exe
vqloeevrjfbzcnauiqjez.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\vqloeevrjfbzcnauiqjez.exe*."
C:\Windows\tmfgushbrlfbclwoagx.exe
tmfgushbrlfbclwoagx.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Windows\siywhcofsjatrxfu.exe
siywhcofsjatrxfu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\siywhcofsjatrxfu.exe*."
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\gauwlkavmhczblxqdkcw.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iassfcqjyrkffnxoze.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe .
C:\Windows\vqloeevrjfbzcnauiqjez.exe
vqloeevrjfbzcnauiqjez.exe
C:\Windows\vqloeevrjfbzcnauiqjez.exe
vqloeevrjfbzcnauiqjez.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\vqloeevrjfbzcnauiqjez.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .
C:\Windows\iassfcqjyrkffnxoze.exe
iassfcqjyrkffnxoze.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Windows\siywhcofsjatrxfu.exe
siywhcofsjatrxfu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\siywhcofsjatrxfu.exe*."
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tmfgushbrlfbclwoagx.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tmfgushbrlfbclwoagx.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe
C:\Windows\tmfgushbrlfbclwoagx.exe
tmfgushbrlfbclwoagx.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .
C:\Windows\siywhcofsjatrxfu.exe
siywhcofsjatrxfu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\siywhcofsjatrxfu.exe*."
C:\Windows\vqloeevrjfbzcnauiqjez.exe
vqloeevrjfbzcnauiqjez.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\tmfgushbrlfbclwoagx.exe
tmfgushbrlfbclwoagx.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tmfgushbrlfbclwoagx.exe*."
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iassfcqjyrkffnxoze.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe .
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe
C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\vqloeevrjfbzcnauiqjez.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe
C:\Windows\tmfgushbrlfbclwoagx.exe
tmfgushbrlfbclwoagx.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .
C:\Windows\siywhcofsjatrxfu.exe
siywhcofsjatrxfu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\siywhcofsjatrxfu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .
C:\Windows\tmfgushbrlfbclwoagx.exe
tmfgushbrlfbclwoagx.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Windows\siywhcofsjatrxfu.exe
siywhcofsjatrxfu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\siywhcofsjatrxfu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe .
C:\Windows\zqhgsobthzrlkraqa.exe
zqhgsobthzrlkraqa.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .
C:\Windows\iassfcqjyrkffnxoze.exe
iassfcqjyrkffnxoze.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .
C:\Windows\siywhcofsjatrxfu.exe
siywhcofsjatrxfu.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\gauwlkavmhczblxqdkcw.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Windows\zqhgsobthzrlkraqa.exe
zqhgsobthzrlkraqa.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\siywhcofsjatrxfu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Windows\zqhgsobthzrlkraqa.exe
zqhgsobthzrlkraqa.exe .
C:\Windows\tmfgushbrlfbclwoagx.exe
tmfgushbrlfbclwoagx.exe
C:\Windows\vqloeevrjfbzcnauiqjez.exe
vqloeevrjfbzcnauiqjez.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\zqhgsobthzrlkraqa.exe*."
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe .
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\zqhgsobthzrlkraqa.exe*."
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\vqloeevrjfbzcnauiqjez.exe*."
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\zqhgsobthzrlkraqa.exe*."
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\siywhcofsjatrxfu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tmfgushbrlfbclwoagx.exe*."
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tmfgushbrlfbclwoagx.exe*."
C:\Windows\siywhcofsjatrxfu.exe
siywhcofsjatrxfu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .
C:\Windows\zqhgsobthzrlkraqa.exe
zqhgsobthzrlkraqa.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tmfgushbrlfbclwoagx.exe*."
C:\Windows\vqloeevrjfbzcnauiqjez.exe
vqloeevrjfbzcnauiqjez.exe .
C:\Windows\iassfcqjyrkffnxoze.exe
iassfcqjyrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\zqhgsobthzrlkraqa.exe*."
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\vqloeevrjfbzcnauiqjez.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tmfgushbrlfbclwoagx.exe*."
C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe
C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\gauwlkavmhczblxqdkcw.exe*."
C:\Windows\gauwlkavmhczblxqdkcw.exe
gauwlkavmhczblxqdkcw.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe
C:\Windows\siywhcofsjatrxfu.exe
siywhcofsjatrxfu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe .
C:\Windows\iassfcqjyrkffnxoze.exe
iassfcqjyrkffnxoze.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iassfcqjyrkffnxoze.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .
C:\Windows\gauwlkavmhczblxqdkcw.exe
gauwlkavmhczblxqdkcw.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe
C:\Windows\siywhcofsjatrxfu.exe
siywhcofsjatrxfu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .
C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe
C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\siywhcofsjatrxfu.exe*."
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tmfgushbrlfbclwoagx.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iassfcqjyrkffnxoze.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe
C:\Windows\iassfcqjyrkffnxoze.exe
iassfcqjyrkffnxoze.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe .
C:\Windows\iassfcqjyrkffnxoze.exe
iassfcqjyrkffnxoze.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iassfcqjyrkffnxoze.exe*."
C:\Windows\iassfcqjyrkffnxoze.exe
iassfcqjyrkffnxoze.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe
C:\Windows\zqhgsobthzrlkraqa.exe
zqhgsobthzrlkraqa.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .
C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe
C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\zqhgsobthzrlkraqa.exe*."
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tmfgushbrlfbclwoagx.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iassfcqjyrkffnxoze.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe
C:\Windows\zqhgsobthzrlkraqa.exe
zqhgsobthzrlkraqa.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\tmfgushbrlfbclwoagx.exe
tmfgushbrlfbclwoagx.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tmfgushbrlfbclwoagx.exe*."
C:\Windows\gauwlkavmhczblxqdkcw.exe
gauwlkavmhczblxqdkcw.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Windows\iassfcqjyrkffnxoze.exe
iassfcqjyrkffnxoze.exe .
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iassfcqjyrkffnxoze.exe*."
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\gauwlkavmhczblxqdkcw.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\gauwlkavmhczblxqdkcw.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe
C:\Windows\vqloeevrjfbzcnauiqjez.exe
vqloeevrjfbzcnauiqjez.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe .
C:\Windows\iassfcqjyrkffnxoze.exe
iassfcqjyrkffnxoze.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iassfcqjyrkffnxoze.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe .
C:\Windows\vqloeevrjfbzcnauiqjez.exe
vqloeevrjfbzcnauiqjez.exe
C:\Windows\gauwlkavmhczblxqdkcw.exe
gauwlkavmhczblxqdkcw.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\gauwlkavmhczblxqdkcw.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\gauwlkavmhczblxqdkcw.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\zqhgsobthzrlkraqa.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe
C:\Windows\zqhgsobthzrlkraqa.exe
zqhgsobthzrlkraqa.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe .
C:\Windows\gauwlkavmhczblxqdkcw.exe
gauwlkavmhczblxqdkcw.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\gauwlkavmhczblxqdkcw.exe*."
C:\Windows\gauwlkavmhczblxqdkcw.exe
gauwlkavmhczblxqdkcw.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Windows\vqloeevrjfbzcnauiqjez.exe
vqloeevrjfbzcnauiqjez.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\vqloeevrjfbzcnauiqjez.exe*."
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\siywhcofsjatrxfu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\zqhgsobthzrlkraqa.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe
C:\Windows\iassfcqjyrkffnxoze.exe
iassfcqjyrkffnxoze.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe .
C:\Windows\vqloeevrjfbzcnauiqjez.exe
vqloeevrjfbzcnauiqjez.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe
C:\Windows\zqhgsobthzrlkraqa.exe
zqhgsobthzrlkraqa.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe
C:\Windows\gauwlkavmhczblxqdkcw.exe
gauwlkavmhczblxqdkcw.exe
C:\Windows\siywhcofsjatrxfu.exe
siywhcofsjatrxfu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\zqhgsobthzrlkraqa.exe*."
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\siywhcofsjatrxfu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\tmfgushbrlfbclwoagx.exe
tmfgushbrlfbclwoagx.exe
C:\Windows\vqloeevrjfbzcnauiqjez.exe
vqloeevrjfbzcnauiqjez.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .
C:\Windows\gauwlkavmhczblxqdkcw.exe
gauwlkavmhczblxqdkcw.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Windows\tmfgushbrlfbclwoagx.exe
tmfgushbrlfbclwoagx.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\iassfcqjyrkffnxoze.exe
iassfcqjyrkffnxoze.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\gauwlkavmhczblxqdkcw.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iassfcqjyrkffnxoze.exe*."
C:\Windows\iassfcqjyrkffnxoze.exe
iassfcqjyrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe
C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tmfgushbrlfbclwoagx.exe*."
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tmfgushbrlfbclwoagx.exe*."
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tmfgushbrlfbclwoagx.exe*."
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tmfgushbrlfbclwoagx.exe*."
C:\Windows\siywhcofsjatrxfu.exe
siywhcofsjatrxfu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\siywhcofsjatrxfu.exe*."
C:\Windows\gauwlkavmhczblxqdkcw.exe
gauwlkavmhczblxqdkcw.exe
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\zqhgsobthzrlkraqa.exe*."
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\zqhgsobthzrlkraqa.exe*."
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .
C:\Windows\gauwlkavmhczblxqdkcw.exe
gauwlkavmhczblxqdkcw.exe .
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\zqhgsobthzrlkraqa.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\gauwlkavmhczblxqdkcw.exe*."
C:\Windows\zqhgsobthzrlkraqa.exe
zqhgsobthzrlkraqa.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Windows\tmfgushbrlfbclwoagx.exe
tmfgushbrlfbclwoagx.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tmfgushbrlfbclwoagx.exe*."
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iassfcqjyrkffnxoze.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe .
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe
C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\vqloeevrjfbzcnauiqjez.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe
C:\Windows\gauwlkavmhczblxqdkcw.exe
gauwlkavmhczblxqdkcw.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe .
C:\Windows\vqloeevrjfbzcnauiqjez.exe
vqloeevrjfbzcnauiqjez.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\vqloeevrjfbzcnauiqjez.exe*."
C:\Windows\zqhgsobthzrlkraqa.exe
zqhgsobthzrlkraqa.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Windows\tmfgushbrlfbclwoagx.exe
tmfgushbrlfbclwoagx.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tmfgushbrlfbclwoagx.exe*."
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iassfcqjyrkffnxoze.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\zqhgsobthzrlkraqa.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe
C:\Windows\gauwlkavmhczblxqdkcw.exe
gauwlkavmhczblxqdkcw.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe .
C:\Windows\zqhgsobthzrlkraqa.exe
zqhgsobthzrlkraqa.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\zqhgsobthzrlkraqa.exe*."
C:\Windows\zqhgsobthzrlkraqa.exe
zqhgsobthzrlkraqa.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe
C:\Windows\iassfcqjyrkffnxoze.exe
iassfcqjyrkffnxoze.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iassfcqjyrkffnxoze.exe*."
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\zqhgsobthzrlkraqa.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iassfcqjyrkffnxoze.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe
C:\Windows\vqloeevrjfbzcnauiqjez.exe
vqloeevrjfbzcnauiqjez.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe .
C:\Windows\zqhgsobthzrlkraqa.exe
zqhgsobthzrlkraqa.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\zqhgsobthzrlkraqa.exe*."
C:\Windows\iassfcqjyrkffnxoze.exe
iassfcqjyrkffnxoze.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\vqloeevrjfbzcnauiqjez.exe
vqloeevrjfbzcnauiqjez.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\vqloeevrjfbzcnauiqjez.exe*."
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\zqhgsobthzrlkraqa.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iassfcqjyrkffnxoze.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe
C:\Windows\zqhgsobthzrlkraqa.exe
zqhgsobthzrlkraqa.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe .
C:\Windows\tmfgushbrlfbclwoagx.exe
tmfgushbrlfbclwoagx.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tmfgushbrlfbclwoagx.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe .
C:\Windows\vqloeevrjfbzcnauiqjez.exe
vqloeevrjfbzcnauiqjez.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\zqhgsobthzrlkraqa.exe
zqhgsobthzrlkraqa.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\zqhgsobthzrlkraqa.exe*."
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tmfgushbrlfbclwoagx.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe .
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe
C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\vqloeevrjfbzcnauiqjez.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe
C:\Windows\siywhcofsjatrxfu.exe
siywhcofsjatrxfu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .
C:\Windows\siywhcofsjatrxfu.exe
siywhcofsjatrxfu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\siywhcofsjatrxfu.exe*."
C:\Windows\iassfcqjyrkffnxoze.exe
iassfcqjyrkffnxoze.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe
C:\Windows\gauwlkavmhczblxqdkcw.exe
gauwlkavmhczblxqdkcw.exe .
C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe
C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\gauwlkavmhczblxqdkcw.exe*."
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iassfcqjyrkffnxoze.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe
C:\Windows\vqloeevrjfbzcnauiqjez.exe
vqloeevrjfbzcnauiqjez.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe .
C:\Windows\tmfgushbrlfbclwoagx.exe
tmfgushbrlfbclwoagx.exe
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .
C:\Windows\zqhgsobthzrlkraqa.exe
zqhgsobthzrlkraqa.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe
C:\Windows\siywhcofsjatrxfu.exe
siywhcofsjatrxfu.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\siywhcofsjatrxfu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\zqhgsobthzrlkraqa.exe*."
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\siywhcofsjatrxfu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Windows\iassfcqjyrkffnxoze.exe
iassfcqjyrkffnxoze.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .
C:\Windows\tmfgushbrlfbclwoagx.exe
tmfgushbrlfbclwoagx.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe
C:\Windows\vqloeevrjfbzcnauiqjez.exe
vqloeevrjfbzcnauiqjez.exe .
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .
C:\Windows\vqloeevrjfbzcnauiqjez.exe
vqloeevrjfbzcnauiqjez.exe .
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\vqloeevrjfbzcnauiqjez.exe*."
C:\Windows\tmfgushbrlfbclwoagx.exe
tmfgushbrlfbclwoagx.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tmfgushbrlfbclwoagx.exe*."
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\vqloeevrjfbzcnauiqjez.exe*."
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe .
C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe
C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\gauwlkavmhczblxqdkcw.exe
gauwlkavmhczblxqdkcw.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iassfcqjyrkffnxoze.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe .
C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe
C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe .
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Windows\iassfcqjyrkffnxoze.exe
iassfcqjyrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\gauwlkavmhczblxqdkcw.exe*."
C:\Windows\gauwlkavmhczblxqdkcw.exe
gauwlkavmhczblxqdkcw.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\gauwlkavmhczblxqdkcw.exe*."
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\gauwlkavmhczblxqdkcw.exe*."
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\vqloeevrjfbzcnauiqjez.exe*."
C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe
C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\vqloeevrjfbzcnauiqjez.exe*."
C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe
C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\zqhgsobthzrlkraqa.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe
C:\Windows\zqhgsobthzrlkraqa.exe
zqhgsobthzrlkraqa.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe .
C:\Windows\zqhgsobthzrlkraqa.exe
zqhgsobthzrlkraqa.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\zqhgsobthzrlkraqa.exe*."
C:\Windows\gauwlkavmhczblxqdkcw.exe
gauwlkavmhczblxqdkcw.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Windows\zqhgsobthzrlkraqa.exe
zqhgsobthzrlkraqa.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\zqhgsobthzrlkraqa.exe*."
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\siywhcofsjatrxfu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tmfgushbrlfbclwoagx.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe
C:\Windows\tmfgushbrlfbclwoagx.exe
tmfgushbrlfbclwoagx.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe .
C:\Windows\zqhgsobthzrlkraqa.exe
zqhgsobthzrlkraqa.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\zqhgsobthzrlkraqa.exe*."
C:\Windows\zqhgsobthzrlkraqa.exe
zqhgsobthzrlkraqa.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Windows\siywhcofsjatrxfu.exe
siywhcofsjatrxfu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\siywhcofsjatrxfu.exe*."
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\siywhcofsjatrxfu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe .
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe
C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\vqloeevrjfbzcnauiqjez.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe
C:\Windows\siywhcofsjatrxfu.exe
siywhcofsjatrxfu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe .
C:\Windows\zqhgsobthzrlkraqa.exe
zqhgsobthzrlkraqa.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\zqhgsobthzrlkraqa.exe*."
C:\Windows\tmfgushbrlfbclwoagx.exe
tmfgushbrlfbclwoagx.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe .
C:\Windows\iassfcqjyrkffnxoze.exe
iassfcqjyrkffnxoze.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iassfcqjyrkffnxoze.exe*."
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\zqhgsobthzrlkraqa.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\zqhgsobthzrlkraqa.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe .
C:\Windows\siywhcofsjatrxfu.exe
siywhcofsjatrxfu.exe
C:\Windows\zqhgsobthzrlkraqa.exe
zqhgsobthzrlkraqa.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\zqhgsobthzrlkraqa.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\tmfgushbrlfbclwoagx.exe
tmfgushbrlfbclwoagx.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe
C:\Windows\siywhcofsjatrxfu.exe
siywhcofsjatrxfu.exe .
C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe
C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\siywhcofsjatrxfu.exe*."
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\siywhcofsjatrxfu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iassfcqjyrkffnxoze.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\iassfcqjyrkffnxoze.exe
iassfcqjyrkffnxoze.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe .
C:\Windows\gauwlkavmhczblxqdkcw.exe
gauwlkavmhczblxqdkcw.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\gauwlkavmhczblxqdkcw.exe*."
C:\Windows\zqhgsobthzrlkraqa.exe
zqhgsobthzrlkraqa.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Windows\tmfgushbrlfbclwoagx.exe
tmfgushbrlfbclwoagx.exe .
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tmfgushbrlfbclwoagx.exe*."
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iassfcqjyrkffnxoze.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .
C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe
C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tmfgushbrlfbclwoagx.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe
C:\Windows\siywhcofsjatrxfu.exe
siywhcofsjatrxfu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe .
C:\Windows\tmfgushbrlfbclwoagx.exe
tmfgushbrlfbclwoagx.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tmfgushbrlfbclwoagx.exe*."
C:\Windows\siywhcofsjatrxfu.exe
siywhcofsjatrxfu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe
C:\Windows\zqhgsobthzrlkraqa.exe
zqhgsobthzrlkraqa.exe .
C:\Windows\vqloeevrjfbzcnauiqjez.exe
vqloeevrjfbzcnauiqjez.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vqloeevrjfbzcnauiqjez.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\zqhgsobthzrlkraqa.exe*."
C:\Windows\iassfcqjyrkffnxoze.exe
iassfcqjyrkffnxoze.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .
C:\Windows\vqloeevrjfbzcnauiqjez.exe
vqloeevrjfbzcnauiqjez.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c iassfcqjyrkffnxoze.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tmfgushbrlfbclwoagx.exe
C:\Windows\siywhcofsjatrxfu.exe
siywhcofsjatrxfu.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iassfcqjyrkffnxoze.exe*."
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\vqloeevrjfbzcnauiqjez.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gauwlkavmhczblxqdkcw.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Windows\zqhgsobthzrlkraqa.exe
zqhgsobthzrlkraqa.exe
C:\Windows\iassfcqjyrkffnxoze.exe
iassfcqjyrkffnxoze.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\siywhcofsjatrxfu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .
C:\Windows\tmfgushbrlfbclwoagx.exe
tmfgushbrlfbclwoagx.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iassfcqjyrkffnxoze.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .
C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe
C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Windows\gauwlkavmhczblxqdkcw.exe
gauwlkavmhczblxqdkcw.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe .
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe .
C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe
C:\Users\Admin\AppData\Local\Temp\vqloeevrjfbzcnauiqjez.exe .
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Users\Admin\AppData\Local\Temp\iassfcqjyrkffnxoze.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zqhgsobthzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe
C:\Users\Admin\AppData\Local\Temp\zqhgsobthzrlkraqa.exe .
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Users\Admin\AppData\Local\Temp\tmfgushbrlfbclwoagx.exe
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\gauwlkavmhczblxqdkcw.exe*."
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe
C:\Users\Admin\AppData\Local\Temp\gauwlkavmhczblxqdkcw.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c siywhcofsjatrxfu.exe .
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\siywhcofsjatrxfu.exe*."
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\vqloeevrjfbzcnauiqjez.exe*."
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iassfcqjyrkffnxoze.exe*."
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe
C:\Users\Admin\AppData\Local\Temp\siywhcofsjatrxfu.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | whatismyipaddress.com | udp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | www.showmyipaddress.com | udp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | www.whatismyip.com | udp |
| US | 172.66.43.169:80 | www.whatismyip.com | tcp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| US | 8.8.8.8:53 | www.whatismyip.ca | udp |
| US | 8.8.8.8:53 | whatismyip.everdot.org | udp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | www.whatismyip.ca | udp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| US | 8.8.8.8:53 | www.whatismyip.ca | udp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| US | 172.66.43.169:80 | www.whatismyip.com | tcp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | www.youtube.com | udp |
| NL | 142.251.31.91:80 | www.youtube.com | tcp |
| LT | 86.100.209.26:16121 | tcp | |
| US | 8.8.8.8:53 | gyuuym.org | udp |
| DE | 85.214.228.140:80 | gyuuym.org | tcp |
| US | 8.8.8.8:53 | sehciwrxa.net | udp |
| US | 8.8.8.8:53 | zvwhmmgiwwap.net | udp |
| US | 8.8.8.8:53 | tcjqkah.info | udp |
| US | 8.8.8.8:53 | unxfuild.info | udp |
| SG | 18.142.91.111:80 | unxfuild.info | tcp |
| US | 8.8.8.8:53 | oxzmxjbdyrhm.info | udp |
| US | 8.8.8.8:53 | pplxtdbmwxe.org | udp |
| US | 8.8.8.8:53 | zufoqnzxtstt.net | udp |
| US | 8.8.8.8:53 | qimyei.com | udp |
| US | 8.8.8.8:53 | ggoiukqgsikq.org | udp |
| US | 8.8.8.8:53 | nchsnuj.org | udp |
| US | 8.8.8.8:53 | aytqtwnyowi.info | udp |
| US | 8.8.8.8:53 | bqjkcdhsdbbk.info | udp |
| US | 8.8.8.8:53 | iiagyq.org | udp |
| US | 8.8.8.8:53 | nrarfhhvdwlq.info | udp |
| US | 8.8.8.8:53 | udzdjiddn.net | udp |
| US | 8.8.8.8:53 | fffglbh.org | udp |
| US | 8.8.8.8:53 | ygoukmwg.org | udp |
| US | 8.8.8.8:53 | ohnxfkbt.info | udp |
| US | 8.8.8.8:53 | jijfynbapk.info | udp |
| US | 8.8.8.8:53 | sxtwlvlgg.net | udp |
| US | 8.8.8.8:53 | vlmcopxk.info | udp |
| US | 8.8.8.8:53 | cydlrge.info | udp |
| US | 104.156.155.94:80 | cydlrge.info | tcp |
| US | 8.8.8.8:53 | ksokymqagy.com | udp |
| US | 8.8.8.8:53 | mjotpzfbosdh.info | udp |
| US | 8.8.8.8:53 | vimmentvkjot.net | udp |
| US | 8.8.8.8:53 | zwkgfgp.com | udp |
| US | 8.8.8.8:53 | rrjohmhr.net | udp |
| US | 8.8.8.8:53 | znvxpaelzat.info | udp |
| US | 8.8.8.8:53 | bglhzv.net | udp |
| US | 8.8.8.8:53 | kkococsmug.org | udp |
| US | 8.8.8.8:53 | luvehemiri.info | udp |
| US | 8.8.8.8:53 | kakuwkugok.org | udp |
| US | 8.8.8.8:53 | lalckpw.org | udp |
| US | 8.8.8.8:53 | kagmau.com | udp |
| US | 8.8.8.8:53 | hmfurcniz.info | udp |
| US | 8.8.8.8:53 | cnbscgxaiuv.info | udp |
| US | 8.8.8.8:53 | cslbnypi.info | udp |
| US | 8.8.8.8:53 | geaxvu.info | udp |
| LT | 78.58.37.209:13159 | tcp | |
| US | 8.8.8.8:53 | ekuhrilkd.info | udp |
| US | 8.8.8.8:53 | ddpobim.org | udp |
| US | 8.8.8.8:53 | jkdxjkzn.net | udp |
| US | 8.8.8.8:53 | wsvoqtlyz.info | udp |
| US | 8.8.8.8:53 | misiai.org | udp |
| US | 8.8.8.8:53 | wcbrovxplcly.info | udp |
| US | 8.8.8.8:53 | bfvanhve.info | udp |
| US | 8.8.8.8:53 | nkxwhoehboh.net | udp |
| US | 8.8.8.8:53 | ewhqxezcwwc.net | udp |
| US | 8.8.8.8:53 | gujgzm.net | udp |
| US | 8.8.8.8:53 | rblrzc.net | udp |
| US | 8.8.8.8:53 | umuyiw.com | udp |
| US | 8.8.8.8:53 | yoaoooewyeeo.com | udp |
| US | 8.8.8.8:53 | rblwbk.info | udp |
| US | 8.8.8.8:53 | hfpefw.net | udp |
| US | 8.8.8.8:53 | wetokypar.info | udp |
| US | 8.8.8.8:53 | mdhpuesj.net | udp |
| US | 8.8.8.8:53 | fppdru.net | udp |
| US | 8.8.8.8:53 | ccltlgp.info | udp |
| US | 8.8.8.8:53 | mtvihkf.info | udp |
| US | 8.8.8.8:53 | dqjrswwie.com | udp |
| US | 8.8.8.8:53 | eogunlgw.net | udp |
| US | 8.8.8.8:53 | ezyqglow.info | udp |
| US | 8.8.8.8:53 | sdrqtcj.net | udp |
| US | 8.8.8.8:53 | hbeqvpxbfvbo.net | udp |
| US | 8.8.8.8:53 | vrxmprngmlhk.net | udp |
| US | 8.8.8.8:53 | oumoigky.org | udp |
| US | 8.8.8.8:53 | wlyuexf.net | udp |
| US | 8.8.8.8:53 | eznabol.net | udp |
| US | 8.8.8.8:53 | sxhrtgobgqfq.net | udp |
| US | 8.8.8.8:53 | dynsrc.info | udp |
| US | 8.8.8.8:53 | oabxja.net | udp |
| US | 8.8.8.8:53 | klqmnybibg.net | udp |
| US | 8.8.8.8:53 | wauclzddea.info | udp |
| US | 8.8.8.8:53 | clhwhr.info | udp |
| US | 8.8.8.8:53 | lyxmnybibg.info | udp |
| US | 8.8.8.8:53 | dsbcpqdgmsx.net | udp |
| US | 8.8.8.8:53 | ixhajic.net | udp |
| US | 8.8.8.8:53 | suzwveb.net | udp |
| US | 8.8.8.8:53 | dkouvubcpovf.info | udp |
| US | 8.8.8.8:53 | tlhfmxplxszg.info | udp |
| US | 8.8.8.8:53 | zuahvvfwncp.info | udp |
| US | 8.8.8.8:53 | unxyhnhfacdb.info | udp |
| US | 8.8.8.8:53 | kgrhjfmtlg.info | udp |
| US | 8.8.8.8:53 | xolodqwajgg.net | udp |
| US | 8.8.8.8:53 | jnfebdsaxkd.com | udp |
| US | 8.8.8.8:53 | xyvmqzpiiw.net | udp |
| US | 8.8.8.8:53 | aozejwylyqd.info | udp |
| US | 8.8.8.8:53 | dqfhrafr.net | udp |
| US | 8.8.8.8:53 | kgucribs.info | udp |
| US | 8.8.8.8:53 | wnurqy.info | udp |
| US | 8.8.8.8:53 | zizvduhjtq.net | udp |
| US | 8.8.8.8:53 | zyfitez.info | udp |
| US | 8.8.8.8:53 | pqhykuojyir.com | udp |
| US | 8.8.8.8:53 | gkcaei.com | udp |
| US | 8.8.8.8:53 | rxcgrgxo.info | udp |
| US | 8.8.8.8:53 | leqdurjb.net | udp |
| US | 8.8.8.8:53 | copncsxew.info | udp |
| US | 8.8.8.8:53 | hofoxnlshhmp.net | udp |
| US | 8.8.8.8:53 | vxuyrcqa.net | udp |
| US | 8.8.8.8:53 | bajkjmlkl.info | udp |
| BG | 77.85.226.99:18761 | tcp | |
| US | 8.8.8.8:53 | yimotcl.net | udp |
| US | 8.8.8.8:53 | dptefrxm.net | udp |
| US | 8.8.8.8:53 | acmocycw.org | udp |
| US | 8.8.8.8:53 | dxikspgshgbk.info | udp |
| US | 8.8.8.8:53 | flnxsigobz.info | udp |
| US | 8.8.8.8:53 | nlgcgvzaqfqg.info | udp |
| US | 8.8.8.8:53 | scjqfcl.info | udp |
| US | 8.8.8.8:53 | zmrzskzepnvo.net | udp |
| US | 8.8.8.8:53 | lgmwshpwdp.net | udp |
| US | 8.8.8.8:53 | xchkvpat.net | udp |
| US | 8.8.8.8:53 | skggci.org | udp |
| US | 8.8.8.8:53 | tcnfkvvbkr.net | udp |
| US | 8.8.8.8:53 | yqkcuqwwiqic.com | udp |
| US | 8.8.8.8:53 | bbfwtqcizj.info | udp |
| US | 8.8.8.8:53 | zgrjrexb.net | udp |
| US | 8.8.8.8:53 | agvwme.info | udp |
| US | 8.8.8.8:53 | bozztmkzgh.info | udp |
| US | 8.8.8.8:53 | eeueccewmeem.com | udp |
| US | 8.8.8.8:53 | hgjmdwt.info | udp |
| US | 8.8.8.8:53 | yemmhoaqcgu.info | udp |
| US | 8.8.8.8:53 | vytvvat.org | udp |
| US | 8.8.8.8:53 | elpsmjwcqdrk.net | udp |
| US | 8.8.8.8:53 | civitlujb.net | udp |
| US | 8.8.8.8:53 | gthoprfe.net | udp |
| US | 8.8.8.8:53 | lnjvbpkc.net | udp |
| US | 8.8.8.8:53 | ydzppbxyb.net | udp |
| US | 8.8.8.8:53 | urlktaykf.info | udp |
| US | 8.8.8.8:53 | kqdynkkicln.info | udp |
| US | 8.8.8.8:53 | vlpxze.info | udp |
| US | 8.8.8.8:53 | aegcig.com | udp |
| US | 8.8.8.8:53 | zavcxy.info | udp |
| US | 8.8.8.8:53 | ekrkjmba.info | udp |
| US | 8.8.8.8:53 | skywyumxq.net | udp |
| US | 8.8.8.8:53 | sodurdwmwwl.net | udp |
| US | 8.8.8.8:53 | znzsjqslxcgg.net | udp |
| US | 8.8.8.8:53 | gscwqw.com | udp |
| US | 8.8.8.8:53 | egsmyysc.org | udp |
| US | 8.8.8.8:53 | ztmwrwta.net | udp |
| US | 8.8.8.8:53 | aaekcqagga.org | udp |
| US | 8.8.8.8:53 | nshdioh.net | udp |
| US | 8.8.8.8:53 | ojxplpnq.net | udp |
| US | 8.8.8.8:53 | ekqqcc.org | udp |
| US | 8.8.8.8:53 | emwauogimiqe.org | udp |
| US | 8.8.8.8:53 | samiaai.net | udp |
| US | 8.8.8.8:53 | biuhxczojm.info | udp |
| LT | 81.7.89.221:35922 | tcp | |
| US | 8.8.8.8:53 | zvpaml.net | udp |
| US | 8.8.8.8:53 | dmpttocxeg.info | udp |
| US | 8.8.8.8:53 | dwfkeogzvhjn.info | udp |
| US | 8.8.8.8:53 | genixiporuz.net | udp |
| US | 8.8.8.8:53 | egxuhfgou.info | udp |
| US | 8.8.8.8:53 | hvfwdgd.info | udp |
| US | 8.8.8.8:53 | dflqknsl.net | udp |
| US | 8.8.8.8:53 | bjfsfiztdka.net | udp |
| US | 8.8.8.8:53 | qtgqqinahbp.info | udp |
| US | 8.8.8.8:53 | jmhitynsj.net | udp |
| US | 8.8.8.8:53 | dahtliaj.net | udp |
| US | 8.8.8.8:53 | forxzgh.info | udp |
| US | 8.8.8.8:53 | vsbejpyc.net | udp |
| US | 8.8.8.8:53 | xskfka.info | udp |
| US | 8.8.8.8:53 | tcvuvhjwh.info | udp |
| US | 8.8.8.8:53 | qsoknmnfjlzf.info | udp |
| US | 8.8.8.8:53 | ygiywk.com | udp |
| US | 8.8.8.8:53 | sobigdv.info | udp |
| US | 8.8.8.8:53 | scoywommwkse.com | udp |
| US | 8.8.8.8:53 | zuryddduf.com | udp |
| US | 8.8.8.8:53 | gintmwcfhdz.info | udp |
| US | 8.8.8.8:53 | jubvpax.info | udp |
| US | 8.8.8.8:53 | hkpcjvjnvcb.info | udp |
| US | 8.8.8.8:53 | owwkussqmqoq.org | udp |
| US | 8.8.8.8:53 | yivymd.net | udp |
| US | 8.8.8.8:53 | paurpzscia.info | udp |
| US | 8.8.8.8:53 | aknsgwkcl.net | udp |
| US | 8.8.8.8:53 | wcimsg.org | udp |
| US | 8.8.8.8:53 | eewqmwso.com | udp |
| US | 8.8.8.8:53 | orpxsexyh.info | udp |
| US | 8.8.8.8:53 | gmcwscqwaaas.com | udp |
| US | 8.8.8.8:53 | dyhytonij.com | udp |
| US | 8.8.8.8:53 | ecbwysbz.info | udp |
| US | 8.8.8.8:53 | nrtqaxuvsp.info | udp |
| US | 8.8.8.8:53 | mhnkngexjb.info | udp |
| US | 8.8.8.8:53 | njmyupro.net | udp |
| US | 8.8.8.8:53 | sgukossswawk.org | udp |
| US | 8.8.8.8:53 | ugxyozirf.net | udp |
| US | 8.8.8.8:53 | ruzweolcr.org | udp |
| US | 8.8.8.8:53 | riaxtjzzxwke.net | udp |
| US | 8.8.8.8:53 | xrpwmsl.info | udp |
| US | 8.8.8.8:53 | zghamis.net | udp |
| US | 8.8.8.8:53 | ytkmqlxm.info | udp |
| US | 8.8.8.8:53 | hmwutyrzvjq.info | udp |
| US | 8.8.8.8:53 | oaaqbkcdjxx.info | udp |
| US | 8.8.8.8:53 | midhaztyfunq.info | udp |
| US | 8.8.8.8:53 | nipcbhgzdsjj.net | udp |
| US | 8.8.8.8:53 | ezxcjtvhqaf.net | udp |
| US | 8.8.8.8:53 | iusioomq.org | udp |
| US | 8.8.8.8:53 | gkweqo.org | udp |
| US | 8.8.8.8:53 | zhsolezzrm.net | udp |
| US | 8.8.8.8:53 | iwqqwkeaogwm.com | udp |
| US | 8.8.8.8:53 | norfab.info | udp |
| US | 8.8.8.8:53 | wcsbrpz.net | udp |
| US | 8.8.8.8:53 | dbiokrlu.net | udp |
| US | 8.8.8.8:53 | popthjxbeny.info | udp |
| US | 8.8.8.8:53 | couimmoc.com | udp |
| US | 8.8.8.8:53 | olvkdumqgq.info | udp |
| US | 8.8.8.8:53 | uwcuws.org | udp |
| US | 8.8.8.8:53 | jiaihlx.com | udp |
| US | 8.8.8.8:53 | gckzqp.info | udp |
| US | 8.8.8.8:53 | azlfou.info | udp |
| US | 8.8.8.8:53 | yuckeeckwu.com | udp |
| BG | 89.106.97.91:42152 | tcp | |
| US | 8.8.8.8:53 | vtwblsrkx.com | udp |
| US | 8.8.8.8:53 | vtlhxlifz.com | udp |
| US | 8.8.8.8:53 | umyicieyee.org | udp |
| US | 8.8.8.8:53 | relcbiihawnj.info | udp |
| US | 8.8.8.8:53 | doamvcjut.com | udp |
| US | 8.8.8.8:53 | qfndzq.net | udp |
| US | 8.8.8.8:53 | vcsuct.net | udp |
| US | 8.8.8.8:53 | oyvscxkylev.info | udp |
| US | 8.8.8.8:53 | tknsxkyox.org | udp |
| US | 8.8.8.8:53 | hswuogrpnch.org | udp |
| US | 8.8.8.8:53 | jjniskc.net | udp |
| US | 8.8.8.8:53 | fsyczawoha.info | udp |
| US | 8.8.8.8:53 | uoxcqdb.info | udp |
| US | 8.8.8.8:53 | dqnhjkjgasf.com | udp |
| US | 8.8.8.8:53 | xgkoesnqhqn.info | udp |
| US | 8.8.8.8:53 | atkzfclhbift.info | udp |
| US | 8.8.8.8:53 | xtdoosxyrmf.net | udp |
| US | 8.8.8.8:53 | scrtoyzur.net | udp |
| US | 8.8.8.8:53 | acyqkcqoko.org | udp |
| US | 8.8.8.8:53 | dwhogmf.net | udp |
| US | 8.8.8.8:53 | wueysyqiyg.org | udp |
| US | 8.8.8.8:53 | itwwovfpb.net | udp |
| US | 8.8.8.8:53 | rwzwjlfb.info | udp |
| US | 8.8.8.8:53 | zvckwl.info | udp |
| US | 8.8.8.8:53 | vxdtqmkmgwdh.info | udp |
| US | 8.8.8.8:53 | jjrefkv.net | udp |
| US | 8.8.8.8:53 | wipkgxsenef.info | udp |
| US | 8.8.8.8:53 | wgieme.org | udp |
| US | 8.8.8.8:53 | erfohgc.info | udp |
| US | 8.8.8.8:53 | aquawwwoseec.org | udp |
| US | 8.8.8.8:53 | kjskvzf.info | udp |
| US | 8.8.8.8:53 | lzbjkx.info | udp |
| US | 8.8.8.8:53 | xbahfcdypbh.info | udp |
| US | 8.8.8.8:53 | bqpgwt.info | udp |
| US | 8.8.8.8:53 | hyrztykhp.com | udp |
| US | 8.8.8.8:53 | blriytvijot.com | udp |
| US | 8.8.8.8:53 | gihuzdjfx.info | udp |
| US | 8.8.8.8:53 | tahcpxf.info | udp |
| US | 8.8.8.8:53 | iqcozon.net | udp |
| US | 8.8.8.8:53 | kyilnx.net | udp |
| US | 8.8.8.8:53 | fkfoblhtect.net | udp |
| US | 8.8.8.8:53 | dgkare.info | udp |
| US | 8.8.8.8:53 | gaufzuhtlm.net | udp |
| US | 8.8.8.8:53 | esghdplg.net | udp |
| US | 8.8.8.8:53 | rwlaxbv.net | udp |
| US | 8.8.8.8:53 | gaqkygwq.org | udp |
| US | 8.8.8.8:53 | pltmczynl.info | udp |
| US | 8.8.8.8:53 | ntglts.net | udp |
| US | 8.8.8.8:53 | bwnyduw.info | udp |
| US | 8.8.8.8:53 | ogghlyuavuxz.net | udp |
| US | 8.8.8.8:53 | vhtjmkpo.info | udp |
| LT | 78.62.154.180:42294 | tcp | |
| US | 8.8.8.8:53 | mmsvfey.net | udp |
| US | 8.8.8.8:53 | eaykigwi.org | udp |
| US | 8.8.8.8:53 | zyguunjincn.net | udp |
| US | 8.8.8.8:53 | cnzlnepvveyh.info | udp |
| US | 8.8.8.8:53 | jrbulad.info | udp |
| US | 8.8.8.8:53 | lgtddzvs.info | udp |
| US | 8.8.8.8:53 | bpzorpfuhtf.org | udp |
| US | 8.8.8.8:53 | kekuimesam.com | udp |
| US | 8.8.8.8:53 | rjttjryk.info | udp |
| US | 8.8.8.8:53 | mqmchqvgb.info | udp |
| US | 8.8.8.8:53 | bkngmvgi.net | udp |
| US | 8.8.8.8:53 | fxjgxcddmqwh.info | udp |
| US | 8.8.8.8:53 | otrncozw.info | udp |
| US | 8.8.8.8:53 | hojlimfu.info | udp |
| US | 8.8.8.8:53 | bdbpdxxapwo.net | udp |
| US | 8.8.8.8:53 | bqdindvszcl.com | udp |
| US | 8.8.8.8:53 | fkfsxmj.info | udp |
| US | 8.8.8.8:53 | lynmqmisexnf.info | udp |
| US | 8.8.8.8:53 | jjpyrgbgtoa.com | udp |
| US | 8.8.8.8:53 | jvibdsjkch.net | udp |
| US | 8.8.8.8:53 | azxqxmzepfz.net | udp |
| US | 8.8.8.8:53 | nfjxxn.info | udp |
| US | 8.8.8.8:53 | lwqnpvuu.net | udp |
| US | 8.8.8.8:53 | xcxooibqtch.info | udp |
| US | 8.8.8.8:53 | dykwknvmdfdj.info | udp |
| US | 8.8.8.8:53 | awlplgukhmu.net | udp |
| US | 8.8.8.8:53 | bbquoh.net | udp |
| US | 8.8.8.8:53 | wawaoiyk.com | udp |
| US | 8.8.8.8:53 | fednxrvm.info | udp |
| US | 8.8.8.8:53 | citroy.info | udp |
| US | 8.8.8.8:53 | bugihxnxrdoh.net | udp |
| US | 8.8.8.8:53 | drjqqqjvbd.info | udp |
| US | 8.8.8.8:53 | kxyuozlwmlhj.info | udp |
| US | 8.8.8.8:53 | lczoradauoz.net | udp |
| US | 8.8.8.8:53 | twynxgrbf.info | udp |
| US | 8.8.8.8:53 | natyybmfc.org | udp |
| US | 8.8.8.8:53 | kkrotfcn.net | udp |
| US | 8.8.8.8:53 | lcvdlg.net | udp |
| US | 8.8.8.8:53 | augmgogsoo.com | udp |
| US | 8.8.8.8:53 | loyjuwhvpef.info | udp |
| US | 8.8.8.8:53 | pyvnxkgdvagp.info | udp |
| BG | 77.85.226.99:18761 | tcp | |
| US | 8.8.8.8:53 | qetmxm.net | udp |
| US | 8.8.8.8:53 | mgkgeh.info | udp |
| US | 8.8.8.8:53 | dazulnj.org | udp |
| US | 8.8.8.8:53 | fskyqgyx.info | udp |
| US | 8.8.8.8:53 | mbawvtparsth.info | udp |
| US | 8.8.8.8:53 | imtgyeqbr.info | udp |
| US | 8.8.8.8:53 | roboqmdazwl.com | udp |
| US | 8.8.8.8:53 | hjucwjcg.info | udp |
| US | 8.8.8.8:53 | qdccxfllqw.info | udp |
| US | 8.8.8.8:53 | uypqyvl.info | udp |
| US | 8.8.8.8:53 | fjusznt.com | udp |
| US | 8.8.8.8:53 | dmxlnsmgxndu.net | udp |
| US | 8.8.8.8:53 | zuhmapbot.net | udp |
| US | 8.8.8.8:53 | ukvdpgxa.net | udp |
| US | 8.8.8.8:53 | ukpxnhrd.info | udp |
| US | 8.8.8.8:53 | aigqkqmiaigi.com | udp |
| US | 8.8.8.8:53 | lpisxdihpg.net | udp |
| US | 8.8.8.8:53 | vjvlnnztmb.net | udp |
| US | 8.8.8.8:53 | eqrjrrdgnld.info | udp |
| US | 8.8.8.8:53 | omvayqj.info | udp |
| US | 8.8.8.8:53 | plyebuj.net | udp |
| US | 8.8.8.8:53 | majbxhzum.net | udp |
| US | 8.8.8.8:53 | yojkaljecqs.info | udp |
| US | 8.8.8.8:53 | eclqfz.info | udp |
| US | 8.8.8.8:53 | uesahof.net | udp |
| US | 8.8.8.8:53 | eokvub.info | udp |
| US | 8.8.8.8:53 | gsscummmgs.org | udp |
| US | 8.8.8.8:53 | ecegeakc.org | udp |
| US | 8.8.8.8:53 | ymzepu.info | udp |
| US | 8.8.8.8:53 | ekcscggiimws.com | udp |
| US | 8.8.8.8:53 | miorzj.net | udp |
| US | 8.8.8.8:53 | lttmgntl.net | udp |
| US | 8.8.8.8:53 | wfdjjbuwx.net | udp |
| US | 8.8.8.8:53 | ootkjdzphd.net | udp |
| US | 8.8.8.8:53 | hxenopuehqeu.net | udp |
| US | 8.8.8.8:53 | swguyosise.com | udp |
| US | 8.8.8.8:53 | qhpxfiicix.info | udp |
| US | 8.8.8.8:53 | aararuzmj.info | udp |
| US | 8.8.8.8:53 | banxxjtu.info | udp |
| US | 8.8.8.8:53 | fvmgrsz.info | udp |
| US | 8.8.8.8:53 | zrizzt.net | udp |
| US | 8.8.8.8:53 | aiudfswgldd.net | udp |
| US | 8.8.8.8:53 | wkeoyc.com | udp |
| US | 8.8.8.8:53 | xgfndjlmcqzo.info | udp |
| US | 8.8.8.8:53 | dybrupvt.info | udp |
| US | 8.8.8.8:53 | cczszraytqf.info | udp |
| US | 8.8.8.8:53 | nsjnpn.net | udp |
| US | 8.8.8.8:53 | ukicmwccsksg.org | udp |
| US | 8.8.8.8:53 | uowtxj.net | udp |
| US | 8.8.8.8:53 | iwvsdcv.net | udp |
| US | 8.8.8.8:53 | ivewnr.info | udp |
| US | 8.8.8.8:53 | aabbtrsevgil.net | udp |
| US | 8.8.8.8:53 | jqfnrjmvckl.com | udp |
| US | 8.8.8.8:53 | kqoqlq.info | udp |
| GB | 94.195.124.59:43889 | tcp | |
| US | 8.8.8.8:53 | rkmgeoyyf.com | udp |
| US | 8.8.8.8:53 | zgsqwczun.com | udp |
| US | 8.8.8.8:53 | xkrkxtgcren.info | udp |
| US | 8.8.8.8:53 | uevvygcfaynz.net | udp |
| US | 8.8.8.8:53 | stbkwekl.info | udp |
| US | 8.8.8.8:53 | cguddd.info | udp |
| US | 8.8.8.8:53 | nqxijbihvn.info | udp |
| US | 8.8.8.8:53 | kktgbof.net | udp |
| US | 8.8.8.8:53 | pttmxqqqbia.info | udp |
| US | 8.8.8.8:53 | gsrlwi.info | udp |
| US | 8.8.8.8:53 | jrdllvfg.info | udp |
| US | 8.8.8.8:53 | yspynbdonzn.net | udp |
| US | 8.8.8.8:53 | ksnelpckjan.info | udp |
| US | 8.8.8.8:53 | kroura.net | udp |
| US | 8.8.8.8:53 | agwkyw.org | udp |
| US | 8.8.8.8:53 | xrctizgjhu.net | udp |
| US | 8.8.8.8:53 | gyamaciq.org | udp |
| US | 8.8.8.8:53 | qpdyxyxy.info | udp |
| US | 8.8.8.8:53 | ksncxd.info | udp |
| US | 8.8.8.8:53 | ztdlen.net | udp |
| US | 8.8.8.8:53 | rlolyw.info | udp |
| US | 8.8.8.8:53 | vjheqchqfu.net | udp |
| US | 8.8.8.8:53 | parkhmyoxyt.info | udp |
| US | 8.8.8.8:53 | rfcqjgcwrllk.info | udp |
| US | 8.8.8.8:53 | mlltxlztnktg.net | udp |
| US | 8.8.8.8:53 | ocqeaqwmao.com | udp |
| US | 8.8.8.8:53 | ooewwc.org | udp |
| US | 8.8.8.8:53 | bmnynvkvxody.net | udp |
| US | 8.8.8.8:53 | eyukhwx.net | udp |
| US | 8.8.8.8:53 | nqqnngzfzq.net | udp |
| US | 8.8.8.8:53 | jufzfodmgfn.com | udp |
| US | 8.8.8.8:53 | jypigkw.net | udp |
| US | 8.8.8.8:53 | xclgbajfzsm.info | udp |
| US | 8.8.8.8:53 | izbhnj.info | udp |
| US | 8.8.8.8:53 | dgfyhmo.org | udp |
| US | 8.8.8.8:53 | jphhtgd.com | udp |
| US | 8.8.8.8:53 | nmeqwb.net | udp |
| US | 8.8.8.8:53 | cmvhmg.info | udp |
| US | 8.8.8.8:53 | fjqcgvtzrbhp.net | udp |
| US | 8.8.8.8:53 | zkvqpqpdh.net | udp |
| US | 8.8.8.8:53 | jxcueyixuj.info | udp |
| US | 8.8.8.8:53 | omierhazkhgw.net | udp |
| US | 8.8.8.8:53 | wsnihyhlusad.net | udp |
| US | 8.8.8.8:53 | ncgzwp.info | udp |
| US | 8.8.8.8:53 | nqpwnou.com | udp |
| US | 8.8.8.8:53 | cwhyvuo.net | udp |
| US | 8.8.8.8:53 | woqyiqgicsyo.com | udp |
| US | 8.8.8.8:53 | kwdrqyzrhd.net | udp |
| US | 8.8.8.8:53 | rgomxzze.info | udp |
| US | 8.8.8.8:53 | lmxehfbwziu.org | udp |
| US | 8.8.8.8:53 | dnyuxs.info | udp |
| US | 8.8.8.8:53 | xrjmbmgmisvh.info | udp |
| US | 8.8.8.8:53 | hmnwnbiyx.org | udp |
| US | 8.8.8.8:53 | rbsrttfe.info | udp |
| US | 8.8.8.8:53 | tudyxihdnjo.org | udp |
| US | 8.8.8.8:53 | wmusrbzou.info | udp |
| US | 8.8.8.8:53 | gooyaceg.org | udp |
| US | 8.8.8.8:53 | jqtenkdayoy.org | udp |
| US | 8.8.8.8:53 | bbcdek.info | udp |
| US | 8.8.8.8:53 | wsnkjol.info | udp |
| US | 8.8.8.8:53 | lvbbmybbcq.net | udp |
| US | 8.8.8.8:53 | vulqosrgxel.com | udp |
| US | 8.8.8.8:53 | ndrdfdfd.net | udp |
| US | 8.8.8.8:53 | beeubfbbqo.net | udp |
| US | 8.8.8.8:53 | lvliwxsju.net | udp |
| US | 8.8.8.8:53 | umanobqbkxyf.info | udp |
| US | 8.8.8.8:53 | swdvbyf.net | udp |
| US | 8.8.8.8:53 | wcgcuuiu.org | udp |
| US | 8.8.8.8:53 | xrfbfifxxuj.info | udp |
| US | 8.8.8.8:53 | nhmyomxjv.info | udp |
| US | 8.8.8.8:53 | olfijm.net | udp |
| US | 8.8.8.8:53 | cgqikqgo.com | udp |
| US | 8.8.8.8:53 | rocugsx.org | udp |
| BG | 77.71.13.138:26221 | tcp | |
| US | 8.8.8.8:53 | aoiusiqk.org | udp |
| US | 8.8.8.8:53 | ygyamiuy.org | udp |
| US | 8.8.8.8:53 | yhqqtkuixch.info | udp |
| US | 8.8.8.8:53 | tyzkrdhyl.info | udp |
| US | 8.8.8.8:53 | karojwf.info | udp |
| US | 8.8.8.8:53 | rfpyujjnkb.net | udp |
| US | 8.8.8.8:53 | vyvijbihvn.info | udp |
| US | 8.8.8.8:53 | dspuhevizsh.info | udp |
| US | 8.8.8.8:53 | adncgdng.net | udp |
| US | 8.8.8.8:53 | hsrofavrq.net | udp |
| US | 8.8.8.8:53 | zshqxoo.com | udp |
| US | 8.8.8.8:53 | vcpuibujb.net | udp |
| US | 8.8.8.8:53 | teneax.info | udp |
| US | 8.8.8.8:53 | jehdyx.net | udp |
| US | 8.8.8.8:53 | qaiuttgavp.info | udp |
| US | 8.8.8.8:53 | ueuqjgrvtvu.info | udp |
| US | 8.8.8.8:53 | llpwlrlwpx.net | udp |
| US | 8.8.8.8:53 | nygqlgcq.info | udp |
| US | 8.8.8.8:53 | gsscwmyyusis.org | udp |
| US | 8.8.8.8:53 | wffuqaze.net | udp |
| US | 8.8.8.8:53 | bctwfgikb.org | udp |
| US | 8.8.8.8:53 | ordxkqunjg.info | udp |
| US | 8.8.8.8:53 | wmmcacmwomqs.org | udp |
| US | 8.8.8.8:53 | sbciatvffc.info | udp |
| US | 8.8.8.8:53 | fzqqksnzg.net | udp |
| US | 8.8.8.8:53 | vwzcnlroce.net | udp |
| US | 8.8.8.8:53 | ssskjib.info | udp |
| US | 8.8.8.8:53 | xmlymtnez.org | udp |
| US | 8.8.8.8:53 | hmpysghyr.com | udp |
| US | 8.8.8.8:53 | vidpfbqkmwzq.net | udp |
| US | 8.8.8.8:53 | kunshfjwnjx.net | udp |
| US | 8.8.8.8:53 | asqsgmwiom.org | udp |
| US | 8.8.8.8:53 | gaqocgrqrao.net | udp |
| US | 8.8.8.8:53 | dinwria.com | udp |
| US | 8.8.8.8:53 | odzbrjqoy.info | udp |
| US | 8.8.8.8:53 | ekloliafxwj.net | udp |
| US | 8.8.8.8:53 | cmcikuukucwe.org | udp |
| US | 8.8.8.8:53 | hmofylikkw.net | udp |
| US | 8.8.8.8:53 | rlbtjyk.net | udp |
| US | 8.8.8.8:53 | aalijqi.info | udp |
| US | 8.8.8.8:53 | dorczznoh.com | udp |
| US | 8.8.8.8:53 | nmffdls.com | udp |
| US | 8.8.8.8:53 | kjbefkipt.info | udp |
| BG | 213.167.29.19:39541 | tcp | |
| US | 8.8.8.8:53 | odqisf.info | udp |
| US | 8.8.8.8:53 | kcadzkzfz.info | udp |
| US | 8.8.8.8:53 | drgvvqqbal.info | udp |
| US | 8.8.8.8:53 | ncpmyszzt.info | udp |
| US | 8.8.8.8:53 | ybxsqlwexbnh.info | udp |
| US | 8.8.8.8:53 | belkzkgyt.com | udp |
| US | 8.8.8.8:53 | tfeopp.info | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| NL | 173.194.69.94:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | uxrqiwtcm.info | udp |
| US | 8.8.8.8:53 | wafydbdssb.info | udp |
| US | 8.8.8.8:53 | kkiamiym.com | udp |
| US | 8.8.8.8:53 | jcdgln.info | udp |
| US | 8.8.8.8:53 | sqkkcsuccm.com | udp |
| US | 8.8.8.8:53 | mglyesvca.info | udp |
| US | 8.8.8.8:53 | jatdaajehomt.net | udp |
| US | 8.8.8.8:53 | gmgesg.org | udp |
| US | 8.8.8.8:53 | qixefwzij.net | udp |
| US | 8.8.8.8:53 | mwgkuyee.org | udp |
| US | 8.8.8.8:53 | qeoggcyamgmq.com | udp |
| US | 8.8.8.8:53 | ecicgswuii.org | udp |
| US | 8.8.8.8:53 | pgjifyr.net | udp |
| US | 8.8.8.8:53 | vmivrrxebxt.com | udp |
| US | 8.8.8.8:53 | kixprvoqr.net | udp |
| US | 8.8.8.8:53 | klnuxgxljmyx.info | udp |
| US | 8.8.8.8:53 | psahbazj.net | udp |
| US | 8.8.8.8:53 | peshlqnfkz.net | udp |
| US | 8.8.8.8:53 | bzaydhbkyko.info | udp |
| US | 8.8.8.8:53 | musyuyayeq.org | udp |
| US | 8.8.8.8:53 | dwhodat.info | udp |
| US | 8.8.8.8:53 | ovjaqtegctbk.info | udp |
| BG | 213.240.193.179:15999 | tcp | |
| US | 8.8.8.8:53 | dzeathod.net | udp |
| US | 8.8.8.8:53 | yunlgymo.info | udp |
| US | 8.8.8.8:53 | pqggjqkolti.org | udp |
| US | 8.8.8.8:53 | uoxjsmld.info | udp |
| US | 8.8.8.8:53 | nbtgzznlqbnh.info | udp |
| US | 8.8.8.8:53 | xlxymelkjaj.org | udp |
| US | 8.8.8.8:53 | kmoarvsun.net | udp |
| US | 8.8.8.8:53 | ewiuauieao.com | udp |
| US | 8.8.8.8:53 | akyyfyjnvgc.info | udp |
| US | 8.8.8.8:53 | eyqimgwqka.org | udp |
| US | 8.8.8.8:53 | bjpwlrlwpx.net | udp |
| US | 8.8.8.8:53 | tvqsxjner.net | udp |
| US | 8.8.8.8:53 | nmhryadkp.info | udp |
| US | 8.8.8.8:53 | hfvmdeovt.info | udp |
| US | 8.8.8.8:53 | kanyxqtgnkh.net | udp |
| US | 8.8.8.8:53 | snxrgwggbm.info | udp |
| US | 8.8.8.8:53 | imwkkoik.com | udp |
| US | 8.8.8.8:53 | henirgspeq.net | udp |
| US | 8.8.8.8:53 | uqykawscag.org | udp |
| US | 8.8.8.8:53 | kbyiqznaieb.net | udp |
| US | 8.8.8.8:53 | pwtwfsjwpyl.info | udp |
| US | 8.8.8.8:53 | ucqiyigqoaiq.com | udp |
| US | 8.8.8.8:53 | sewuvwb.net | udp |
| US | 8.8.8.8:53 | jesklrzdhksy.net | udp |
| US | 8.8.8.8:53 | asqqtmhqdgl.net | udp |
| US | 8.8.8.8:53 | femwaxbeduto.net | udp |
| US | 8.8.8.8:53 | qvrufmr.info | udp |
| US | 8.8.8.8:53 | jgfdnmitxed.info | udp |
| US | 8.8.8.8:53 | oaewcmmi.com | udp |
| US | 8.8.8.8:53 | zacghmv.org | udp |
| MD | 95.65.27.35:35875 | tcp | |
| US | 8.8.8.8:53 | oalwpcngx.info | udp |
| US | 8.8.8.8:53 | vqjcyivgbub.com | udp |
| US | 8.8.8.8:53 | cgcgkgmk.org | udp |
| US | 8.8.8.8:53 | mucuccse.org | udp |
| US | 8.8.8.8:53 | xcrfxbihvn.info | udp |
| US | 8.8.8.8:53 | vqtremnd.net | udp |
| US | 8.8.8.8:53 | hxockobonvj.com | udp |
| US | 8.8.8.8:53 | wthudp.info | udp |
| US | 8.8.8.8:53 | wjlmtauara.net | udp |
| US | 8.8.8.8:53 | pvesxitaordl.info | udp |
| US | 8.8.8.8:53 | uahpfat.net | udp |
| US | 8.8.8.8:53 | aamiyigmescm.org | udp |
| US | 8.8.8.8:53 | euouqqmq.com | udp |
| US | 8.8.8.8:53 | nvbqfjpyue.net | udp |
| US | 8.8.8.8:53 | hmbbxsksid.info | udp |
| US | 8.8.8.8:53 | yemmaiye.com | udp |
| US | 8.8.8.8:53 | dzrmxez.com | udp |
| US | 8.8.8.8:53 | nevjvj.info | udp |
| US | 8.8.8.8:53 | iojdyvbbzc.info | udp |
| US | 8.8.8.8:53 | keanqoxhwecz.info | udp |
| US | 8.8.8.8:53 | kxldwaoqfn.info | udp |
| US | 8.8.8.8:53 | jfludhaebi.net | udp |
| US | 8.8.8.8:53 | xxbuvavqnao.net | udp |
| US | 8.8.8.8:53 | hogvnulyue.info | udp |
| US | 8.8.8.8:53 | aaftpevwng.net | udp |
| US | 8.8.8.8:53 | xogjaoh.org | udp |
| US | 8.8.8.8:53 | yqgymomeqscy.org | udp |
| US | 8.8.8.8:53 | tgzzsilpuoyu.info | udp |
| US | 8.8.8.8:53 | wadajafybmt.net | udp |
| US | 8.8.8.8:53 | zjxluxeb.info | udp |
| US | 8.8.8.8:53 | gyroqyd.info | udp |
| US | 8.8.8.8:53 | rejwrwpoa.info | udp |
| US | 8.8.8.8:53 | jmuyzwjxj.net | udp |
| US | 8.8.8.8:53 | jygbbfpqpsb.net | udp |
| US | 8.8.8.8:53 | czbzsq.net | udp |
| US | 8.8.8.8:53 | rgmudgkbvf.info | udp |
| US | 8.8.8.8:53 | sgescokcmo.org | udp |
| US | 8.8.8.8:53 | vmbsqsfsfafj.info | udp |
| US | 8.8.8.8:53 | jkdqziejdel.info | udp |
| US | 8.8.8.8:53 | uqenlwgfp.net | udp |
| US | 8.8.8.8:53 | raamhchopod.net | udp |
| US | 8.8.8.8:53 | gmmovvrpxh.net | udp |
| US | 8.8.8.8:53 | lzwgpqnxhy.net | udp |
| US | 8.8.8.8:53 | kmcudehty.net | udp |
| US | 8.8.8.8:53 | jqnifqb.com | udp |
| US | 8.8.8.8:53 | djavumhcjkj.net | udp |
| US | 8.8.8.8:53 | arjyed.net | udp |
| US | 8.8.8.8:53 | jehyhpbob.com | udp |
| US | 8.8.8.8:53 | iyqwsaug.org | udp |
| US | 8.8.8.8:53 | sahybuudhs.net | udp |
| US | 8.8.8.8:53 | kiaqceyw.com | udp |
| US | 8.8.8.8:53 | tdxalylplwd.net | udp |
| US | 8.8.8.8:53 | luaiurlae.info | udp |
| US | 8.8.8.8:53 | befuffpmb.info | udp |
| US | 8.8.8.8:53 | veridpgl.info | udp |
| US | 8.8.8.8:53 | jhyaxofdlhe.org | udp |
| US | 8.8.8.8:53 | tmezjobct.org | udp |
| US | 8.8.8.8:53 | dyrabo.net | udp |
| US | 8.8.8.8:53 | zpzfed.net | udp |
| US | 8.8.8.8:53 | hsfspwfirsr.org | udp |
| US | 8.8.8.8:53 | xnngqv.net | udp |
| US | 8.8.8.8:53 | jljyxlkgjmxh.info | udp |
| US | 8.8.8.8:53 | somiqqcgmoao.org | udp |
| US | 8.8.8.8:53 | fumvct.net | udp |
| US | 8.8.8.8:53 | qgfttnzahij.info | udp |
| US | 8.8.8.8:53 | okjnriz.info | udp |
| US | 8.8.8.8:53 | ohnusmlasyt.net | udp |
| US | 8.8.8.8:53 | ebpqhzooesb.info | udp |
| US | 8.8.8.8:53 | wwmqcmoq.com | udp |
| US | 8.8.8.8:53 | dnyidwf.info | udp |
| US | 8.8.8.8:53 | eiwmoymqwssw.org | udp |
| US | 8.8.8.8:53 | iiksnougjqx.info | udp |
| US | 8.8.8.8:53 | ryhwpwrtisx.com | udp |
| US | 8.8.8.8:53 | yadxtkefpqdf.net | udp |
| US | 8.8.8.8:53 | prjruclfruku.net | udp |
| US | 8.8.8.8:53 | qngitmingp.net | udp |
| US | 8.8.8.8:53 | koyamgee.com | udp |
| US | 8.8.8.8:53 | dvxedhtmf.net | udp |
| US | 8.8.8.8:53 | ulwprsdpevsj.info | udp |
| US | 8.8.8.8:53 | tpredfpal.net | udp |
| MD | 93.116.33.161:45365 | tcp | |
| US | 8.8.8.8:53 | fxosedxpvuwb.info | udp |
| US | 8.8.8.8:53 | nqpstiiwvsd.info | udp |
| US | 8.8.8.8:53 | nxdcomtddaw.com | udp |
| US | 8.8.8.8:53 | gkammqok.com | udp |
| US | 8.8.8.8:53 | ywiygi.com | udp |
| US | 8.8.8.8:53 | robtrede.net | udp |
| US | 8.8.8.8:53 | pipwbsbdy.com | udp |
| US | 8.8.8.8:53 | xplogp.info | udp |
| US | 8.8.8.8:53 | qwhptudqu.info | udp |
| US | 8.8.8.8:53 | qyjxvcif.net | udp |
| US | 8.8.8.8:53 | elysrgelce.info | udp |
| US | 8.8.8.8:53 | rsmctszkniw.net | udp |
| US | 8.8.8.8:53 | ciagiakywm.org | udp |
| US | 8.8.8.8:53 | tiamroi.info | udp |
| US | 8.8.8.8:53 | rkwlhccy.info | udp |
| US | 8.8.8.8:53 | hnkrmupmodsp.net | udp |
| US | 8.8.8.8:53 | jnxaaglmxvtt.info | udp |
| US | 8.8.8.8:53 | uahwdirqu.info | udp |
| US | 8.8.8.8:53 | mciedphx.net | udp |
| US | 8.8.8.8:53 | grtvjbna.info | udp |
| US | 8.8.8.8:53 | ppnhptg.com | udp |
| US | 8.8.8.8:53 | rhxbrocpjwt.org | udp |
| US | 8.8.8.8:53 | nthafgeqx.org | udp |
| US | 8.8.8.8:53 | buxwxgjsaqu.info | udp |
| US | 8.8.8.8:53 | omgobwjdgffu.net | udp |
| US | 8.8.8.8:53 | zcgnsn.net | udp |
| US | 8.8.8.8:53 | xxlkanjvji.info | udp |
| US | 8.8.8.8:53 | xrjshdpogxk.net | udp |
| US | 8.8.8.8:53 | vibshiiel.net | udp |
| US | 8.8.8.8:53 | zzhbgtenymza.info | udp |
| US | 8.8.8.8:53 | kwweqwos.com | udp |
| US | 8.8.8.8:53 | vcrapudrlyx.com | udp |
| US | 8.8.8.8:53 | idqpzjog.net | udp |
| US | 8.8.8.8:53 | lvlyggoepsu.info | udp |
| US | 8.8.8.8:53 | jjqtpeerkb.net | udp |
| US | 8.8.8.8:53 | aowfeyron.net | udp |
| US | 8.8.8.8:53 | flftjrnoyu.info | udp |
| US | 8.8.8.8:53 | nptjrelfhm.net | udp |
| US | 8.8.8.8:53 | ugugugwkqi.com | udp |
| US | 8.8.8.8:53 | vszyrsr.info | udp |
| US | 8.8.8.8:53 | urkcltobhpwf.net | udp |
| US | 8.8.8.8:53 | xvmuvilgbpw.com | udp |
| US | 8.8.8.8:53 | bfpylyvbekh.com | udp |
| US | 8.8.8.8:53 | ilrxpqfsv.info | udp |
| US | 8.8.8.8:53 | oivsdkqkbgo.net | udp |
| US | 8.8.8.8:53 | wcqsegcu.org | udp |
| US | 8.8.8.8:53 | icjjnapiwig.info | udp |
| US | 8.8.8.8:53 | eheflhppvg.net | udp |
| US | 8.8.8.8:53 | gwcimptjuotu.info | udp |
| US | 8.8.8.8:53 | usschmuipyz.net | udp |
| US | 8.8.8.8:53 | cykogcgqqcuu.com | udp |
| US | 8.8.8.8:53 | dpmybe.net | udp |
| US | 8.8.8.8:53 | iyjofui.info | udp |
| ES | 84.123.143.245:15997 | tcp | |
| US | 8.8.8.8:53 | btoblc.info | udp |
| US | 8.8.8.8:53 | tdfkdijpra.info | udp |
| US | 8.8.8.8:53 | qwcecuawd.net | udp |
| US | 8.8.8.8:53 | dovowvbqkapj.info | udp |
| US | 8.8.8.8:53 | ugjyfpgfl.net | udp |
| US | 8.8.8.8:53 | imrwoykzhwxr.info | udp |
| US | 8.8.8.8:53 | fabcrsqo.info | udp |
| US | 8.8.8.8:53 | myrwjqkrwpbk.info | udp |
| US | 8.8.8.8:53 | ktzipcqov.info | udp |
| US | 8.8.8.8:53 | apptfhae.net | udp |
| US | 8.8.8.8:53 | ggfybhomr.net | udp |
| US | 8.8.8.8:53 | aqrtds.net | udp |
| US | 8.8.8.8:53 | lyjpntdxge.net | udp |
| US | 8.8.8.8:53 | mpkbfsgyp.info | udp |
| US | 8.8.8.8:53 | zdqmznqz.info | udp |
| US | 8.8.8.8:53 | svdlwy.net | udp |
| US | 8.8.8.8:53 | pwizwfsdtjrb.net | udp |
| US | 8.8.8.8:53 | qseoumkkca.org | udp |
| US | 8.8.8.8:53 | virvekleb.net | udp |
| US | 8.8.8.8:53 | fnrxnlbj.net | udp |
| US | 8.8.8.8:53 | qdnmhgdyrit.net | udp |
| US | 8.8.8.8:53 | lkdxrwujqhwa.info | udp |
| US | 8.8.8.8:53 | ywqmrhaam.net | udp |
| US | 8.8.8.8:53 | aeiscsgaai.com | udp |
| US | 8.8.8.8:53 | qyqigk.com | udp |
| US | 8.8.8.8:53 | qceqmomyki.com | udp |
| US | 8.8.8.8:53 | rgixcydenwn.net | udp |
| US | 8.8.8.8:53 | wusitljmkdb.net | udp |
| US | 8.8.8.8:53 | esfmnegcp.info | udp |
| US | 8.8.8.8:53 | amruiyean.info | udp |
| US | 8.8.8.8:53 | eyjybsnqfmn.net | udp |
| US | 8.8.8.8:53 | fyaylmbcb.net | udp |
| US | 8.8.8.8:53 | iyqwpyj.info | udp |
| US | 8.8.8.8:53 | tcdibmygrcf.info | udp |
| US | 8.8.8.8:53 | ldrcrq.info | udp |
| US | 8.8.8.8:53 | ekqaao.com | udp |
| US | 8.8.8.8:53 | nvgoapuqhtti.net | udp |
| US | 8.8.8.8:53 | hhjzvmi.org | udp |
| US | 8.8.8.8:53 | egvwakdov.net | udp |
| US | 8.8.8.8:53 | agtatmwgh.info | udp |
| US | 8.8.8.8:53 | qqqwgisy.com | udp |
| US | 8.8.8.8:53 | oodszysybkh.info | udp |
| US | 8.8.8.8:53 | iqrivmd.info | udp |
| US | 8.8.8.8:53 | dyjywwbb.info | udp |
| US | 8.8.8.8:53 | rkjyfrxybqd.net | udp |
| US | 8.8.8.8:53 | uiemsckqmegi.org | udp |
| US | 8.8.8.8:53 | uegsgk.org | udp |
| US | 8.8.8.8:53 | lwfaqcduobl.net | udp |
| US | 8.8.8.8:53 | sqtwlx.info | udp |
| US | 8.8.8.8:53 | hjfdpmp.org | udp |
| US | 8.8.8.8:53 | nrouxpzztl.info | udp |
| US | 8.8.8.8:53 | hksaqua.info | udp |
| US | 8.8.8.8:53 | beyhvc.net | udp |
| US | 8.8.8.8:53 | vdzyjdvqp.com | udp |
| US | 8.8.8.8:53 | rjbifug.net | udp |
| US | 8.8.8.8:53 | puuasqt.net | udp |
| US | 8.8.8.8:53 | venrqkxjh.org | udp |
| US | 8.8.8.8:53 | rtjmkrnbjr.info | udp |
| US | 8.8.8.8:53 | xdjzjkptbi.info | udp |
| US | 8.8.8.8:53 | ddjevwher.com | udp |
| US | 8.8.8.8:53 | yqdindvszcl.info | udp |
| US | 8.8.8.8:53 | uszqxch.net | udp |
| US | 8.8.8.8:53 | zjxgvooer.net | udp |
| US | 8.8.8.8:53 | kxtciiurrb.info | udp |
| US | 8.8.8.8:53 | ldlrgk.info | udp |
| US | 8.8.8.8:53 | sqijdboulhxd.info | udp |
| BG | 78.83.83.183:43316 | tcp | |
| US | 8.8.8.8:53 | uokwkaua.com | udp |
| US | 8.8.8.8:53 | dazwxokpjbx.net | udp |
| US | 8.8.8.8:53 | mjlykxysrkpt.info | udp |
| US | 8.8.8.8:53 | owtumceqt.info | udp |
| US | 8.8.8.8:53 | xitxankacx.net | udp |
| US | 8.8.8.8:53 | onxutsz.net | udp |
| US | 8.8.8.8:53 | dihrrl.info | udp |
| US | 8.8.8.8:53 | sgdzhklkvfso.info | udp |
| US | 8.8.8.8:53 | vuxspcf.info | udp |
| US | 8.8.8.8:53 | zqxgspl.org | udp |
| US | 8.8.8.8:53 | quksmc.org | udp |
| US | 8.8.8.8:53 | jlfaxsw.net | udp |
| US | 8.8.8.8:53 | culhnylkb.info | udp |
| US | 8.8.8.8:53 | skqsiiae.org | udp |
| US | 8.8.8.8:53 | yokkkc.org | udp |
| US | 8.8.8.8:53 | eqdnezux.info | udp |
| US | 8.8.8.8:53 | eyjsblk.net | udp |
| US | 8.8.8.8:53 | ekcywgnrjur.net | udp |
| US | 8.8.8.8:53 | alyypvemovoc.net | udp |
| US | 8.8.8.8:53 | npnvasgchkno.net | udp |
| US | 8.8.8.8:53 | ccgiwekeyk.org | udp |
| US | 8.8.8.8:53 | uekogikogwwa.com | udp |
| US | 8.8.8.8:53 | qlstpgkhcjbu.net | udp |
| US | 8.8.8.8:53 | uyogmici.org | udp |
| US | 8.8.8.8:53 | vgduhpdmjfj.info | udp |
| US | 8.8.8.8:53 | ukmocc.net | udp |
| US | 8.8.8.8:53 | esyqcmyoek.com | udp |
| US | 8.8.8.8:53 | nzitfaav.info | udp |
| US | 8.8.8.8:53 | forbqckcz.net | udp |
| US | 8.8.8.8:53 | xjtuwkqsrch.org | udp |
| BG | 78.90.90.188:19501 | tcp | |
| US | 8.8.8.8:53 | pmrwlws.net | udp |
| US | 8.8.8.8:53 | lktcrbw.com | udp |
| US | 8.8.8.8:53 | rrmxvwgr.info | udp |
| US | 8.8.8.8:53 | piwajyzepyp.net | udp |
| US | 8.8.8.8:53 | vllqtjhnti.info | udp |
| US | 8.8.8.8:53 | lliynip.com | udp |
| US | 8.8.8.8:53 | rhodywjrbn.info | udp |
| US | 8.8.8.8:53 | afdggulezhav.info | udp |
| US | 8.8.8.8:53 | hyjodgw.info | udp |
| US | 8.8.8.8:53 | dlpqjhthilf.info | udp |
| US | 8.8.8.8:53 | gyeirywc.net | udp |
| US | 8.8.8.8:53 | uvzeyklen.net | udp |
| US | 8.8.8.8:53 | nfkhmzdogdsd.net | udp |
| US | 8.8.8.8:53 | uglnowt.info | udp |
| US | 8.8.8.8:53 | lqblhtgjwszl.info | udp |
| US | 8.8.8.8:53 | msvplnqooyd.net | udp |
| US | 8.8.8.8:53 | itoujqvn.net | udp |
| US | 8.8.8.8:53 | eaictyqxc.info | udp |
| US | 8.8.8.8:53 | ngaxdqnufmd.org | udp |
| US | 8.8.8.8:53 | egqigrfu.net | udp |
| US | 8.8.8.8:53 | gnotxi.net | udp |
| US | 8.8.8.8:53 | bcvendpjqzgc.info | udp |
| US | 8.8.8.8:53 | zkbatesie.org | udp |
| US | 8.8.8.8:53 | vgqxvqngngx.info | udp |
| LT | 78.61.83.229:32236 | tcp | |
| US | 8.8.8.8:53 | ftvuabamtx.info | udp |
| US | 8.8.8.8:53 | talywox.info | udp |
| US | 8.8.8.8:53 | iewepwe.net | udp |
| US | 8.8.8.8:53 | cgzqtowog.info | udp |
| US | 8.8.8.8:53 | eiekkckgua.org | udp |
| US | 8.8.8.8:53 | edzoeesroqjh.net | udp |
| US | 8.8.8.8:53 | mxhihzgebbgq.net | udp |
| US | 8.8.8.8:53 | padxnc.net | udp |
| US | 8.8.8.8:53 | owuucyeeiwyu.com | udp |
| US | 8.8.8.8:53 | rahaxghwhyi.com | udp |
| US | 8.8.8.8:53 | qeasooggkkye.org | udp |
| US | 8.8.8.8:53 | kbvuii.net | udp |
| US | 8.8.8.8:53 | qoqkcoymik.org | udp |
| US | 8.8.8.8:53 | ngqujab.net | udp |
| US | 8.8.8.8:53 | gdiecndz.net | udp |
| US | 8.8.8.8:53 | aeqlwcgz.info | udp |
| US | 8.8.8.8:53 | swisueoy.org | udp |
| US | 8.8.8.8:53 | fevpfshvp.org | udp |
| US | 8.8.8.8:53 | mcqqriz.info | udp |
| US | 8.8.8.8:53 | lzqrpefhsbo.org | udp |
| US | 8.8.8.8:53 | pnzutwfbmdog.info | udp |
| US | 8.8.8.8:53 | kcryxrris.info | udp |
| US | 8.8.8.8:53 | xarwmcpkjgm.net | udp |
| US | 8.8.8.8:53 | lyhqosq.org | udp |
| US | 8.8.8.8:53 | ejethawq.net | udp |
| US | 8.8.8.8:53 | dlsurad.net | udp |
| US | 8.8.8.8:53 | giekgyskeiik.org | udp |
| US | 8.8.8.8:53 | mciueunqx.net | udp |
| US | 8.8.8.8:53 | rucuykz.com | udp |
| US | 8.8.8.8:53 | hefqtblkxyjf.net | udp |
| US | 8.8.8.8:53 | aqgocsymmi.com | udp |
| US | 8.8.8.8:53 | npwaiifgfqlw.info | udp |
| US | 8.8.8.8:53 | kjzeagx.net | udp |
| US | 8.8.8.8:53 | bavppixu.net | udp |
| BG | 87.252.174.204:44464 | tcp | |
| US | 8.8.8.8:53 | dnzedwpvjg.info | udp |
| US | 8.8.8.8:53 | gwiacu.com | udp |
| US | 8.8.8.8:53 | razyzrwsa.net | udp |
| US | 8.8.8.8:53 | dvfkjfnmfyy.org | udp |
| US | 8.8.8.8:53 | arbahcbv.info | udp |
| US | 8.8.8.8:53 | fkgritslx.org | udp |
| US | 8.8.8.8:53 | lcqcmyuhvmq.net | udp |
| US | 8.8.8.8:53 | ywqwco.com | udp |
| US | 8.8.8.8:53 | rfkrnfcb.net | udp |
| US | 8.8.8.8:53 | yenoywqqp.info | udp |
| US | 8.8.8.8:53 | bxsjtakxql.net | udp |
| US | 8.8.8.8:53 | ptpwnlreeaxo.net | udp |
| US | 8.8.8.8:53 | lvyniwarirxa.info | udp |
| US | 8.8.8.8:53 | sukkwgwymmsw.com | udp |
| US | 8.8.8.8:53 | mylnoyzmjut.net | udp |
| US | 8.8.8.8:53 | eeeiusoc.com | udp |
| US | 8.8.8.8:53 | korhdwhyrom.info | udp |
| US | 8.8.8.8:53 | nqpcnuv.info | udp |
| US | 8.8.8.8:53 | ccmqsuqogs.com | udp |
| US | 8.8.8.8:53 | qzdvod.info | udp |
| US | 8.8.8.8:53 | dbrfrcxbqn.info | udp |
| US | 8.8.8.8:53 | larssxlty.org | udp |
| US | 8.8.8.8:53 | omymcysg.org | udp |
| US | 8.8.8.8:53 | dnmdtbeezw.info | udp |
| US | 8.8.8.8:53 | cmscyauocy.com | udp |
| US | 8.8.8.8:53 | wwnkhjllelum.net | udp |
| US | 8.8.8.8:53 | iuaakiwmysqi.org | udp |
| US | 8.8.8.8:53 | zbqtpeerkb.net | udp |
| US | 8.8.8.8:53 | xilxrzkve.org | udp |
| US | 8.8.8.8:53 | ezwahix.net | udp |
| BG | 87.120.179.47:27772 | tcp | |
| US | 8.8.8.8:53 | zqocyvxqpom.net | udp |
| US | 8.8.8.8:53 | zwhxiwn.com | udp |
| US | 8.8.8.8:53 | zuwrljtqss.net | udp |
| US | 8.8.8.8:53 | swjxeqn.info | udp |
| US | 8.8.8.8:53 | ozfxbirmhuhx.info | udp |
| US | 8.8.8.8:53 | mswmmooyom.com | udp |
| US | 8.8.8.8:53 | sdwzoxzjjkbx.info | udp |
| US | 8.8.8.8:53 | ykqttxlti.info | udp |
| US | 8.8.8.8:53 | msaeugqyakco.org | udp |
| US | 8.8.8.8:53 | kmbxvynhnkt.net | udp |
| US | 8.8.8.8:53 | dayelsesnsl.com | udp |
| US | 8.8.8.8:53 | hyxobb.net | udp |
| US | 8.8.8.8:53 | tmrxnmjrkb.net | udp |
| US | 8.8.8.8:53 | gcdihxrdbgl.info | udp |
| US | 8.8.8.8:53 | auyqomuqwy.com | udp |
| US | 8.8.8.8:53 | mscxpilwdsn.info | udp |
| US | 8.8.8.8:53 | wsdadebgpxi.net | udp |
| US | 8.8.8.8:53 | mmjzgaj.net | udp |
| US | 8.8.8.8:53 | bviczngffjoq.info | udp |
| US | 8.8.8.8:53 | jujklqx.info | udp |
| US | 8.8.8.8:53 | uomieuwsgywa.com | udp |
| US | 8.8.8.8:53 | wwtjrc.info | udp |
| US | 8.8.8.8:53 | daecor.info | udp |
| US | 8.8.8.8:53 | fjrjyr.info | udp |
| US | 8.8.8.8:53 | fzkrxmam.info | udp |
| US | 8.8.8.8:53 | zczolaevc.net | udp |
| US | 8.8.8.8:53 | lejynalt.net | udp |
| US | 8.8.8.8:53 | xdwqawhturpv.info | udp |
| US | 8.8.8.8:53 | oyoejii.info | udp |
| US | 8.8.8.8:53 | qifpunqk.info | udp |
| US | 8.8.8.8:53 | mgillfzw.info | udp |
| US | 8.8.8.8:53 | fixijml.org | udp |
| US | 8.8.8.8:53 | kmweuwmw.org | udp |
| US | 8.8.8.8:53 | oullaorifg.net | udp |
| US | 8.8.8.8:53 | bvrlxiawb.net | udp |
| US | 8.8.8.8:53 | nbzlxkn.org | udp |
| US | 8.8.8.8:53 | gkfhojcrxdw.info | udp |
| US | 8.8.8.8:53 | keoflefkrgn.info | udp |
| US | 8.8.8.8:53 | wckesggcywuc.com | udp |
| US | 8.8.8.8:53 | tkawsmw.org | udp |
| US | 8.8.8.8:53 | jqicsbohyedk.net | udp |
| US | 8.8.8.8:53 | faxwtiw.com | udp |
| US | 8.8.8.8:53 | sxsydftugfl.net | udp |
| US | 8.8.8.8:53 | qegcvruo.net | udp |
| US | 8.8.8.8:53 | gihfhxtpret.info | udp |
| US | 8.8.8.8:53 | nhkfwu.net | udp |
| US | 8.8.8.8:53 | giaoaygeui.com | udp |
| US | 8.8.8.8:53 | msoiygcw.org | udp |
| US | 8.8.8.8:53 | wcljfyx.info | udp |
| US | 8.8.8.8:53 | wuybbjqyvdz.net | udp |
| US | 8.8.8.8:53 | rmxqxgh.net | udp |
| US | 8.8.8.8:53 | jntxuexoq.net | udp |
| US | 8.8.8.8:53 | nuegfjvl.info | udp |
| US | 8.8.8.8:53 | zmrdepayvia.com | udp |
| US | 8.8.8.8:53 | awtrjqbmv.net | udp |
| US | 8.8.8.8:53 | bxzqfyzcuak.org | udp |
| US | 8.8.8.8:53 | sepkrsdid.info | udp |
| BG | 78.83.83.183:43316 | tcp | |
| US | 8.8.8.8:53 | osnqusdqj.net | udp |
| US | 8.8.8.8:53 | siygwiyuei.org | udp |
Files
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
| MD5 | 5be990ef06295142609c061e763f94c5 |
| SHA1 | 8e92649e057aedcae61933ddd382fdda697ea98a |
| SHA256 | 43c235b417faab687bd120df0b67f120b2f22e8947846e02178185bf5abd5be5 |
| SHA512 | 6bd2141db8b654e0dddf2cb83638675febaeebc7f34164a345ab0fa245a98af7b718c485526518fdb36a0bb88e9b4ecaa97a9801f4b3a97422e5f34788785b95 |
C:\Windows\SysWOW64\iassfcqjyrkffnxoze.exe
| MD5 | bdec6237d2f7f80e1250e09df51e3d02 |
| SHA1 | 73bbd2918a981f181299342a44b8afc0e0923f7d |
| SHA256 | a7ba2a0628020aa108b91798907146015ab98527a7b59ac8836865c6d9e1e12b |
| SHA512 | e0c1276cabc70b4fe6c936854e10eafba6c5860824d82007c2513d408d1167611b24ae6d5fe992ce12500d6d08ace5b966535ad236bb142af5f677f0ade1af8b |
C:\Users\Admin\AppData\Local\Temp\gmsghs.exe
| MD5 | a98d60dea3ed5563c16c113e2aeea939 |
| SHA1 | 7a9e89bde295d813b5a5864ccdb9cc3217bd907b |
| SHA256 | 2a3c0fb9746db654845545e663b3d6fdffa213a453d3696e9ac66aaf9ee843c5 |
| SHA512 | 7d5ac8bbf72ca0ddf3f03e272ba720d1f18e167e326097b8c6f7f23e628a0d5fc9c842610a4d97ddd474493cc73d3810722fcacc87d95ca21feb6ccacb7fc638 |
C:\Users\Admin\AppData\Local\wwwezeabyzadlbtslywwwe.eab
| MD5 | 3a5c31bb6937870cf7038af00b6a0c8e |
| SHA1 | 0e2fd7823208dd7ac62364d051c62ebf089b48a6 |
| SHA256 | 250fa470da5ef2dced8667f5c9e5c4f945f0e9b0e5f80f3b1be08198b7491d3d |
| SHA512 | 87716bcecd53a01a7c73438a4c7537bff412cf0f8f509b7d2b6dbb9fe3fad2677af4625d32cfca67cb43229652e8af7afe649cae728fa010a0287ea7db83f7f8 |
C:\Users\Admin\AppData\Local\nyjciyfrzlxlefiswudozsyovhpbnbuvy.mkt
| MD5 | 0c85e84de601cb71aa23ab7796318ef7 |
| SHA1 | cecf915a9321dc4d3be6a85312ea85ff62bf2fad |
| SHA256 | a6288dc0b2a7d6982a8cd3b2fe24711d2fe6b12573c0dedee30c47583bbbd8ea |
| SHA512 | d16a109357e4c3b5cfead73fdb96ba09830c191c591341c966b76481a4864b73d9d60bb04290b7df1759714d4af71c3fe5859f789b23450ec7345cba83d19bb4 |
C:\Program Files (x86)\wwwezeabyzadlbtslywwwe.eab
| MD5 | 2cf33247a6b2808969c868c4463898f2 |
| SHA1 | 0a4824caa2522289048418a5695d6113d86c1afd |
| SHA256 | 61bf246f465ce91c493c2bac8f6c188a87829e104fe723533a52b914fcab4a6e |
| SHA512 | 1d337f4f3392397bd8952593c45ebf3cc409a4401ef4e8136d205273d3d841e22ee6e16c0229721745d5c992af70ff5802a506f2aa773f72e1ea053911853581 |
C:\Program Files (x86)\wwwezeabyzadlbtslywwwe.eab
| MD5 | 52ec5fff929f0fbacacce4c2096a89bb |
| SHA1 | 920941e8bac673c90ae57b18db1e034905a5dde1 |
| SHA256 | 4ea900d803614273eb18b74f87c5ea92e826edd76785048f8d52a2ea072df02a |
| SHA512 | 06ab0ba2633b9aba800de043077f89498fdf92ef039a90f11c97dff4cfd71327496c2ff04408fc94a990e62d451ab828c18264c1c19eb547624de73aac072b6b |
C:\Users\Admin\AppData\Local\wwwezeabyzadlbtslywwwe.eab
| MD5 | 0db6c08d3b976455b3b1d64aa27cd8f4 |
| SHA1 | 61642662e6335bd8c81f46d28fe51b07b3a14146 |
| SHA256 | a3cf444551b4900d890bae92c528e9a5b4b5b25477cdfbebdec730c882908808 |
| SHA512 | 30953a0720397909ccd43962a839bf081671572df13532941a39cd65c5e682b1e04f6aba27b505ec3114f4c12a6eefc542d015c0faf518fde3cc2143bd5cc9e9 |
C:\Program Files (x86)\wwwezeabyzadlbtslywwwe.eab
| MD5 | 6fffdfaa059d06b5420dc6e64f58384a |
| SHA1 | 9bd94147b645d559e5dbfaea0db0696fd0c2320b |
| SHA256 | 4eb7940c87dc0b4e5f584de17d6c6c35ae165bb9b942fcffafa2ce8059df7110 |
| SHA512 | ec1e4746d4e74aa5f2b2fc23cd64bab4659669dea0bb0c17061179b709273aeac030dcfd353f412b388f3932a18d44b7dfe1a6d551ba3dc9e2e53f20940fc20a |
C:\Program Files (x86)\wwwezeabyzadlbtslywwwe.eab
| MD5 | ad201f27b46401479d6fde407e19b99c |
| SHA1 | 6bc1194b17c2e55ee0685b77f11bb98a5613f0bd |
| SHA256 | 2afb7575872009213e00176ac8336f2bc7bf477fae721db844ea1a2be4705607 |
| SHA512 | 56781b62ae74b48fce2df966baab3584258800cb688cec6c9a050ce0f05ddb6d27d24378cce9a15f930495bbeed604d31eeb22e306473f3b6e6b7c285e592501 |
C:\Program Files (x86)\wwwezeabyzadlbtslywwwe.eab
| MD5 | 6f040ced56c17c267cad61e6ac39fe43 |
| SHA1 | 33d39d3e68fa059f7933d2cdea2c254f84686bec |
| SHA256 | d0c3a78042fa468aac0bb0818db9396c04a086f76b60bed1b735f8f81161b633 |
| SHA512 | 70043e5f4839538d3802053517260ea83953a2080f824a916c33c74cb6a82d13dd66f45e32dd19b6b358015f6172416022e9e5240e107d8c974f735ff4be29a8 |