Analysis Overview
SHA256
7be6ccadfe39aff45029a30fe34b3c87ac49ebbad791c34e2ff8bb30e7e07721
Threat Level: Known bad
The file JaffaCakes118_c45c7c3be165367d7676c127dbdc2050 was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Modifies WinLogon for persistence
Pykspa
Pykspa family
Detect Pykspa worm
Disables RegEdit via registry modification
Adds policy Run key to start application
Checks computer location settings
Impair Defenses: Safe Mode Boot
Executes dropped EXE
Hijack Execution Flow: Executable Installer File Permissions Weakness
Checks whether UAC is enabled
Adds Run key to start application
Looks up external IP address via web service
Drops autorun.inf file
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
System policy modification
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-04-20 03:34
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2025-04-20 03:34
Reported
2025-04-20 03:37
Platform
win11-20250410-en
Max time kernel
54s
Max time network
158s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
Pykspa
Pykspa family
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
Detect Pykspa worm
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zgowwdr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yofwfvsjsjpbvbhr.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yitehritwh = "bwsocxzvjfqhgrcrhqpkg.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yitehritwh = "yofwfvsjsjpbvbhr.exe" | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zgowwdr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yofwfvsjsjpbvbhr.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yitehritwh = "yofwfvsjsjpbvbhr.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yitehritwh = "ogzsdvunyrznjrzlye.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zgowwdr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yofwfvsjsjpbvbhr.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yitehritwh = "bwsocxzvjfqhgrcrhqpkg.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yitehritwh = "fwogqhfxhzgtovcnz.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yitehritwh = "zsmgsllfrlujgpylzgd.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zgowwdr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bwsocxzvjfqhgrcrhqpkg.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zgowwdr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fwogqhfxhzgtovcnz.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yitehritwh = "yofwfvsjsjpbvbhr.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zgowwdr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fwogqhfxhzgtovcnz.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yitehritwh = "zsmgsllfrlujgpylzgd.exe" | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zgowwdr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsmgsllfrlujgpylzgd.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yitehritwh = "yofwfvsjsjpbvbhr.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zgowwdr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yofwfvsjsjpbvbhr.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zgowwdr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsmgsllfrlujgpylzgd.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yitehritwh = "yofwfvsjsjpbvbhr.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zgowwdr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bwsocxzvjfqhgrcrhqpkg.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zgowwdr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ogzsdvunyrznjrzlye.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zgowwdr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgbwjdezmhrhfpznckic.exe" | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zgowwdr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsmgsllfrlujgpylzgd.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yitehritwh = "mgbwjdezmhrhfpznckic.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yitehritwh = "mgbwjdezmhrhfpznckic.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yitehritwh = "ogzsdvunyrznjrzlye.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yitehritwh = "fwogqhfxhzgtovcnz.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zgowwdr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yofwfvsjsjpbvbhr.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yitehritwh = "yofwfvsjsjpbvbhr.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yitehritwh = "mgbwjdezmhrhfpznckic.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yitehritwh = "ogzsdvunyrznjrzlye.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yitehritwh = "bwsocxzvjfqhgrcrhqpkg.exe" | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yitehritwh = "bwsocxzvjfqhgrcrhqpkg.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zgowwdr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bwsocxzvjfqhgrcrhqpkg.exe" | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yitehritwh = "zsmgsllfrlujgpylzgd.exe" | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zgowwdr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fwogqhfxhzgtovcnz.exe" | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zgowwdr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ogzsdvunyrznjrzlye.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yitehritwh = "bwsocxzvjfqhgrcrhqpkg.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zgowwdr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgbwjdezmhrhfpznckic.exe" | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yitehritwh = "fwogqhfxhzgtovcnz.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zgowwdr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsmgsllfrlujgpylzgd.exe" | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yitehritwh = "mgbwjdezmhrhfpznckic.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yitehritwh = "yofwfvsjsjpbvbhr.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zgowwdr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgbwjdezmhrhfpznckic.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
Executes dropped EXE
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\foyiktjtv = "bwsocxzvjfqhgrcrhqpkg.exe ." | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qetipdynujnxpt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bwsocxzvjfqhgrcrhqpkg.exe" | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\foyiktjtv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fwogqhfxhzgtovcnz.exe ." | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pcqekxrflzclc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsmgsllfrlujgpylzgd.exe ." | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Run\owfopxmv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ogzsdvunyrznjrzlye.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qcpchtmzertb = "fwogqhfxhzgtovcnz.exe ." | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Run\teqcgrjvzlm = "fwogqhfxhzgtovcnz.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\foyiktjtv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgbwjdezmhrhfpznckic.exe ." | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\foyiktjtv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgbwjdezmhrhfpznckic.exe ." | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Run\owfopxmv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ogzsdvunyrznjrzlye.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\foyiktjtv = "mgbwjdezmhrhfpznckic.exe ." | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\foyiktjtv = "fwogqhfxhzgtovcnz.exe ." | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qcpchtmzertb = "ogzsdvunyrznjrzlye.exe ." | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qcpchtmzertb = "fwogqhfxhzgtovcnz.exe ." | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pcqekxrflzclc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fwogqhfxhzgtovcnz.exe ." | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Run\teqcgrjvzlm = "bwsocxzvjfqhgrcrhqpkg.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\owfopxmv = "yofwfvsjsjpbvbhr.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Run\owfopxmv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgbwjdezmhrhfpznckic.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\foyiktjtv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fwogqhfxhzgtovcnz.exe ." | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Run\owfopxmv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fwogqhfxhzgtovcnz.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\foyiktjtv = "mgbwjdezmhrhfpznckic.exe ." | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qcpchtmzertb = "mgbwjdezmhrhfpznckic.exe ." | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pcqekxrflzclc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bwsocxzvjfqhgrcrhqpkg.exe ." | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\owfopxmv = "zsmgsllfrlujgpylzgd.exe" | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qetipdynujnxpt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsmgsllfrlujgpylzgd.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qcpchtmzertb = "zsmgsllfrlujgpylzgd.exe ." | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Run\teqcgrjvzlm = "ogzsdvunyrznjrzlye.exe" | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qetipdynujnxpt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ogzsdvunyrznjrzlye.exe" | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Run\owfopxmv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgbwjdezmhrhfpznckic.exe" | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Run\owfopxmv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yofwfvsjsjpbvbhr.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qcpchtmzertb = "bwsocxzvjfqhgrcrhqpkg.exe ." | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\owfopxmv = "yofwfvsjsjpbvbhr.exe" | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Run\teqcgrjvzlm = "mgbwjdezmhrhfpznckic.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pcqekxrflzclc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fwogqhfxhzgtovcnz.exe ." | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\owfopxmv = "mgbwjdezmhrhfpznckic.exe" | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Run\owfopxmv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yofwfvsjsjpbvbhr.exe" | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pcqekxrflzclc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bwsocxzvjfqhgrcrhqpkg.exe ." | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\owfopxmv = "fwogqhfxhzgtovcnz.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qcpchtmzertb = "mgbwjdezmhrhfpznckic.exe ." | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\foyiktjtv = "zsmgsllfrlujgpylzgd.exe ." | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\foyiktjtv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ogzsdvunyrznjrzlye.exe ." | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\owfopxmv = "zsmgsllfrlujgpylzgd.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\foyiktjtv = "ogzsdvunyrznjrzlye.exe ." | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\owfopxmv = "yofwfvsjsjpbvbhr.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\owfopxmv = "yofwfvsjsjpbvbhr.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qcpchtmzertb = "mgbwjdezmhrhfpznckic.exe ." | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\foyiktjtv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ogzsdvunyrznjrzlye.exe ." | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\foyiktjtv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsmgsllfrlujgpylzgd.exe ." | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\foyiktjtv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ogzsdvunyrznjrzlye.exe ." | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\foyiktjtv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yofwfvsjsjpbvbhr.exe ." | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\foyiktjtv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgbwjdezmhrhfpznckic.exe ." | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Run\teqcgrjvzlm = "ogzsdvunyrznjrzlye.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pcqekxrflzclc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fwogqhfxhzgtovcnz.exe ." | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\foyiktjtv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bwsocxzvjfqhgrcrhqpkg.exe ." | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Run\teqcgrjvzlm = "mgbwjdezmhrhfpznckic.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Run\teqcgrjvzlm = "ogzsdvunyrznjrzlye.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qcpchtmzertb = "zsmgsllfrlujgpylzgd.exe ." | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qetipdynujnxpt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ogzsdvunyrznjrzlye.exe" | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qetipdynujnxpt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yofwfvsjsjpbvbhr.exe" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\foyiktjtv = "ogzsdvunyrznjrzlye.exe ." | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Run\teqcgrjvzlm = "bwsocxzvjfqhgrcrhqpkg.exe" | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\foyiktjtv = "mgbwjdezmhrhfpznckic.exe ." | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\foyiktjtv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yofwfvsjsjpbvbhr.exe ." | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\foyiktjtv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgbwjdezmhrhfpznckic.exe ." | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
Hijack Execution Flow: Executable Installer File Permissions Weakness
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | www.showmyipaddress.com | N/A | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File opened for modification | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| File created | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| File opened for modification | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| File created | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\zsmgsllfrlujgpylzgd.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\fwogqhfxhzgtovcnz.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ogzsdvunyrznjrzlye.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\yofwfvsjsjpbvbhr.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\fwogqhfxhzgtovcnz.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mgbwjdezmhrhfpznckic.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mgbwjdezmhrhfpznckic.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zsmgsllfrlujgpylzgd.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\solixtwtifrjjvhxoyyuro.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mgbwjdezmhrhfpznckic.exe | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\fwogqhfxhzgtovcnz.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mgbwjdezmhrhfpznckic.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ogzsdvunyrznjrzlye.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\yofwfvsjsjpbvbhr.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mgbwjdezmhrhfpznckic.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ogzsdvunyrznjrzlye.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ogzsdvunyrznjrzlye.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File created | C:\Windows\SysWOW64\gilojluxsvnlrjbxukqsvytv.hcf | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zsmgsllfrlujgpylzgd.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ogzsdvunyrznjrzlye.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mgbwjdezmhrhfpznckic.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\solixtwtifrjjvhxoyyuro.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\yofwfvsjsjpbvbhr.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ogzsdvunyrznjrzlye.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\yofwfvsjsjpbvbhr.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ogzsdvunyrznjrzlye.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\bwsocxzvjfqhgrcrhqpkg.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zsmgsllfrlujgpylzgd.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\fwogqhfxhzgtovcnz.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mgbwjdezmhrhfpznckic.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\fwogqhfxhzgtovcnz.exe | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\solixtwtifrjjvhxoyyuro.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\bwsocxzvjfqhgrcrhqpkg.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mgbwjdezmhrhfpznckic.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mgbwjdezmhrhfpznckic.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ogzsdvunyrznjrzlye.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zsmgsllfrlujgpylzgd.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mgbwjdezmhrhfpznckic.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mgbwjdezmhrhfpznckic.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\yofwfvsjsjpbvbhr.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\yofwfvsjsjpbvbhr.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\fwogqhfxhzgtovcnz.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\bwsocxzvjfqhgrcrhqpkg.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\bwsocxzvjfqhgrcrhqpkg.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zsmgsllfrlujgpylzgd.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\fwogqhfxhzgtovcnz.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mgbwjdezmhrhfpznckic.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mgbwjdezmhrhfpznckic.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File created | C:\Windows\SysWOW64\pcqekxrflzclcfipxypcqekxrflzclcfipx.pcq | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ogzsdvunyrznjrzlye.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\bwsocxzvjfqhgrcrhqpkg.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zsmgsllfrlujgpylzgd.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ogzsdvunyrznjrzlye.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\bwsocxzvjfqhgrcrhqpkg.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\yofwfvsjsjpbvbhr.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zsmgsllfrlujgpylzgd.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\bwsocxzvjfqhgrcrhqpkg.exe | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\fwogqhfxhzgtovcnz.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\solixtwtifrjjvhxoyyuro.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ogzsdvunyrznjrzlye.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\solixtwtifrjjvhxoyyuro.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ogzsdvunyrznjrzlye.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\solixtwtifrjjvhxoyyuro.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zsmgsllfrlujgpylzgd.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\gilojluxsvnlrjbxukqsvytv.hcf | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| File created | C:\Program Files (x86)\gilojluxsvnlrjbxukqsvytv.hcf | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| File opened for modification | C:\Program Files (x86)\pcqekxrflzclcfipxypcqekxrflzclcfipx.pcq | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| File created | C:\Program Files (x86)\pcqekxrflzclcfipxypcqekxrflzclcfipx.pcq | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\ogzsdvunyrznjrzlye.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\solixtwtifrjjvhxoyyuro.exe | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| File opened for modification | C:\Windows\mgbwjdezmhrhfpznckic.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\fwogqhfxhzgtovcnz.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\zsmgsllfrlujgpylzgd.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\solixtwtifrjjvhxoyyuro.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\fwogqhfxhzgtovcnz.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\yofwfvsjsjpbvbhr.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\ogzsdvunyrznjrzlye.exe | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| File opened for modification | C:\Windows\yofwfvsjsjpbvbhr.exe | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| File created | C:\Windows\gilojluxsvnlrjbxukqsvytv.hcf | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| File opened for modification | C:\Windows\zsmgsllfrlujgpylzgd.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\yofwfvsjsjpbvbhr.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\mgbwjdezmhrhfpznckic.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\mgbwjdezmhrhfpznckic.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\ogzsdvunyrznjrzlye.exe | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| File opened for modification | C:\Windows\solixtwtifrjjvhxoyyuro.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\ogzsdvunyrznjrzlye.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\mgbwjdezmhrhfpznckic.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\mgbwjdezmhrhfpznckic.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\ogzsdvunyrznjrzlye.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\solixtwtifrjjvhxoyyuro.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\yofwfvsjsjpbvbhr.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\zsmgsllfrlujgpylzgd.exe | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| File opened for modification | C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| File opened for modification | C:\Windows\solixtwtifrjjvhxoyyuro.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\solixtwtifrjjvhxoyyuro.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\solixtwtifrjjvhxoyyuro.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\solixtwtifrjjvhxoyyuro.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\mgbwjdezmhrhfpznckic.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\fwogqhfxhzgtovcnz.exe | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| File opened for modification | C:\Windows\ogzsdvunyrznjrzlye.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\zsmgsllfrlujgpylzgd.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\ogzsdvunyrznjrzlye.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\zsmgsllfrlujgpylzgd.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\ogzsdvunyrznjrzlye.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| File opened for modification | C:\Windows\yofwfvsjsjpbvbhr.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\solixtwtifrjjvhxoyyuro.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\mgbwjdezmhrhfpznckic.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\zsmgsllfrlujgpylzgd.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\mgbwjdezmhrhfpznckic.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\zsmgsllfrlujgpylzgd.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\ogzsdvunyrznjrzlye.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\fwogqhfxhzgtovcnz.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\zsmgsllfrlujgpylzgd.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\yofwfvsjsjpbvbhr.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\solixtwtifrjjvhxoyyuro.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\ogzsdvunyrznjrzlye.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\yofwfvsjsjpbvbhr.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\fwogqhfxhzgtovcnz.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\fwogqhfxhzgtovcnz.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\fwogqhfxhzgtovcnz.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\yofwfvsjsjpbvbhr.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\ogzsdvunyrznjrzlye.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\yofwfvsjsjpbvbhr.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| File opened for modification | C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\ogzsdvunyrznjrzlye.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\yofwfvsjsjpbvbhr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\yofwfvsjsjpbvbhr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\ogzsdvunyrznjrzlye.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\zsmgsllfrlujgpylzgd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\yofwfvsjsjpbvbhr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\ogzsdvunyrznjrzlye.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\fwogqhfxhzgtovcnz.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\mgbwjdezmhrhfpznckic.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\fwogqhfxhzgtovcnz.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\mgbwjdezmhrhfpznckic.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\fwogqhfxhzgtovcnz.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\fwogqhfxhzgtovcnz.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\mgbwjdezmhrhfpznckic.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\zsmgsllfrlujgpylzgd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\ogzsdvunyrznjrzlye.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\mgbwjdezmhrhfpznckic.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\fwogqhfxhzgtovcnz.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\ogzsdvunyrznjrzlye.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\mgbwjdezmhrhfpznckic.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\fwogqhfxhzgtovcnz.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\fwogqhfxhzgtovcnz.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\mgbwjdezmhrhfpznckic.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\bgmsq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe"
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_c45c7c3be165367d7676c127dbdc2050.exe*"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe
C:\Windows\yofwfvsjsjpbvbhr.exe
yofwfvsjsjpbvbhr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe .
C:\Windows\fwogqhfxhzgtovcnz.exe
fwogqhfxhzgtovcnz.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\fwogqhfxhzgtovcnz.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe
C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe
bwsocxzvjfqhgrcrhqpkg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe .
C:\Windows\ogzsdvunyrznjrzlye.exe
ogzsdvunyrznjrzlye.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\ogzsdvunyrznjrzlye.exe*."
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\yofwfvsjsjpbvbhr.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\mgbwjdezmhrhfpznckic.exe*."
C:\Users\Admin\AppData\Local\Temp\bgmsq.exe
"C:\Users\Admin\AppData\Local\Temp\bgmsq.exe" "-C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe"
C:\Users\Admin\AppData\Local\Temp\bgmsq.exe
"C:\Users\Admin\AppData\Local\Temp\bgmsq.exe" "-C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe
C:\Windows\yofwfvsjsjpbvbhr.exe
yofwfvsjsjpbvbhr.exe
C:\Windows\fwogqhfxhzgtovcnz.exe
fwogqhfxhzgtovcnz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe .
C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe
bwsocxzvjfqhgrcrhqpkg.exe .
C:\Windows\ogzsdvunyrznjrzlye.exe
ogzsdvunyrznjrzlye.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\bwsocxzvjfqhgrcrhqpkg.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\ogzsdvunyrznjrzlye.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe .
C:\Windows\mgbwjdezmhrhfpznckic.exe
mgbwjdezmhrhfpznckic.exe
C:\Windows\ogzsdvunyrznjrzlye.exe
ogzsdvunyrznjrzlye.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Windows\ogzsdvunyrznjrzlye.exe
ogzsdvunyrznjrzlye.exe .
C:\Windows\mgbwjdezmhrhfpznckic.exe
mgbwjdezmhrhfpznckic.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\ogzsdvunyrznjrzlye.exe*."
C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe
C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\bwsocxzvjfqhgrcrhqpkg.exe*."
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\zsmgsllfrlujgpylzgd.exe*."
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\zsmgsllfrlujgpylzgd.exe*."
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\zsmgsllfrlujgpylzgd.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe
C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe
bwsocxzvjfqhgrcrhqpkg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .
C:\Windows\mgbwjdezmhrhfpznckic.exe
mgbwjdezmhrhfpznckic.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."
C:\Windows\zsmgsllfrlujgpylzgd.exe
zsmgsllfrlujgpylzgd.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Windows\mgbwjdezmhrhfpznckic.exe
mgbwjdezmhrhfpznckic.exe .
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."
C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe
C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\bwsocxzvjfqhgrcrhqpkg.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\ogzsdvunyrznjrzlye.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe
C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe
bwsocxzvjfqhgrcrhqpkg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe .
C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe
bwsocxzvjfqhgrcrhqpkg.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\bwsocxzvjfqhgrcrhqpkg.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe
C:\Windows\zsmgsllfrlujgpylzgd.exe
zsmgsllfrlujgpylzgd.exe
C:\Windows\mgbwjdezmhrhfpznckic.exe
mgbwjdezmhrhfpznckic.exe
C:\Windows\mgbwjdezmhrhfpznckic.exe
mgbwjdezmhrhfpznckic.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe .
C:\Windows\yofwfvsjsjpbvbhr.exe
yofwfvsjsjpbvbhr.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe
C:\Windows\fwogqhfxhzgtovcnz.exe
fwogqhfxhzgtovcnz.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\yofwfvsjsjpbvbhr.exe*."
C:\Windows\zsmgsllfrlujgpylzgd.exe
zsmgsllfrlujgpylzgd.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\fwogqhfxhzgtovcnz.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe .
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\zsmgsllfrlujgpylzgd.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe
C:\Windows\yofwfvsjsjpbvbhr.exe
yofwfvsjsjpbvbhr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .
C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe
bwsocxzvjfqhgrcrhqpkg.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\fwogqhfxhzgtovcnz.exe*."
C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe
bwsocxzvjfqhgrcrhqpkg.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .
C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe
C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe
C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe
C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\bwsocxzvjfqhgrcrhqpkg.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\bwsocxzvjfqhgrcrhqpkg.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\fwogqhfxhzgtovcnz.exe*."
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .
C:\Windows\zsmgsllfrlujgpylzgd.exe
zsmgsllfrlujgpylzgd.exe
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\ogzsdvunyrznjrzlye.exe*."
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\yofwfvsjsjpbvbhr.exe*."
C:\Windows\fwogqhfxhzgtovcnz.exe
fwogqhfxhzgtovcnz.exe
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\yofwfvsjsjpbvbhr.exe*."
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\yofwfvsjsjpbvbhr.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\mgbwjdezmhrhfpznckic.exe
mgbwjdezmhrhfpznckic.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe
C:\Windows\ogzsdvunyrznjrzlye.exe
ogzsdvunyrznjrzlye.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe .
C:\Windows\ogzsdvunyrznjrzlye.exe
ogzsdvunyrznjrzlye.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\ogzsdvunyrznjrzlye.exe*."
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\mgbwjdezmhrhfpznckic.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\zsmgsllfrlujgpylzgd.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe
bwsocxzvjfqhgrcrhqpkg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe .
C:\Windows\zsmgsllfrlujgpylzgd.exe
zsmgsllfrlujgpylzgd.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\zsmgsllfrlujgpylzgd.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe
C:\Windows\yofwfvsjsjpbvbhr.exe
yofwfvsjsjpbvbhr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe .
C:\Windows\yofwfvsjsjpbvbhr.exe
yofwfvsjsjpbvbhr.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\yofwfvsjsjpbvbhr.exe*."
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\yofwfvsjsjpbvbhr.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\ogzsdvunyrznjrzlye.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe
C:\Windows\yofwfvsjsjpbvbhr.exe
yofwfvsjsjpbvbhr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe .
C:\Windows\ogzsdvunyrznjrzlye.exe
ogzsdvunyrznjrzlye.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\ogzsdvunyrznjrzlye.exe*."
C:\Windows\fwogqhfxhzgtovcnz.exe
fwogqhfxhzgtovcnz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe .
C:\Windows\ogzsdvunyrznjrzlye.exe
ogzsdvunyrznjrzlye.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\ogzsdvunyrznjrzlye.exe*."
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\fwogqhfxhzgtovcnz.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\mgbwjdezmhrhfpznckic.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe
C:\Windows\ogzsdvunyrznjrzlye.exe
ogzsdvunyrznjrzlye.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe .
C:\Windows\yofwfvsjsjpbvbhr.exe
yofwfvsjsjpbvbhr.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\yofwfvsjsjpbvbhr.exe*."
C:\Windows\zsmgsllfrlujgpylzgd.exe
zsmgsllfrlujgpylzgd.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe .
C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe
bwsocxzvjfqhgrcrhqpkg.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\bwsocxzvjfqhgrcrhqpkg.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\zsmgsllfrlujgpylzgd.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\mgbwjdezmhrhfpznckic.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe
C:\Windows\ogzsdvunyrznjrzlye.exe
ogzsdvunyrznjrzlye.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe .
C:\Windows\zsmgsllfrlujgpylzgd.exe
zsmgsllfrlujgpylzgd.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\zsmgsllfrlujgpylzgd.exe*."
C:\Windows\zsmgsllfrlujgpylzgd.exe
zsmgsllfrlujgpylzgd.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe .
C:\Windows\ogzsdvunyrznjrzlye.exe
ogzsdvunyrznjrzlye.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\ogzsdvunyrznjrzlye.exe*."
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\zsmgsllfrlujgpylzgd.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\yofwfvsjsjpbvbhr.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe
C:\Windows\fwogqhfxhzgtovcnz.exe
fwogqhfxhzgtovcnz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe .
C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe
bwsocxzvjfqhgrcrhqpkg.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\bwsocxzvjfqhgrcrhqpkg.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe
C:\Windows\ogzsdvunyrznjrzlye.exe
ogzsdvunyrznjrzlye.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe .
C:\Windows\zsmgsllfrlujgpylzgd.exe
zsmgsllfrlujgpylzgd.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\zsmgsllfrlujgpylzgd.exe*."
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\fwogqhfxhzgtovcnz.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\fwogqhfxhzgtovcnz.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\yofwfvsjsjpbvbhr.exe
yofwfvsjsjpbvbhr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe .
C:\Windows\yofwfvsjsjpbvbhr.exe
yofwfvsjsjpbvbhr.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\yofwfvsjsjpbvbhr.exe*."
C:\Windows\ogzsdvunyrznjrzlye.exe
ogzsdvunyrznjrzlye.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .
C:\Windows\mgbwjdezmhrhfpznckic.exe
mgbwjdezmhrhfpznckic.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .
C:\Windows\mgbwjdezmhrhfpznckic.exe
mgbwjdezmhrhfpznckic.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\zsmgsllfrlujgpylzgd.exe*."
C:\Windows\fwogqhfxhzgtovcnz.exe
fwogqhfxhzgtovcnz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe .
C:\Windows\zsmgsllfrlujgpylzgd.exe
zsmgsllfrlujgpylzgd.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Windows\mgbwjdezmhrhfpznckic.exe
mgbwjdezmhrhfpznckic.exe .
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\zsmgsllfrlujgpylzgd.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .
C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe
bwsocxzvjfqhgrcrhqpkg.exe
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .
C:\Windows\mgbwjdezmhrhfpznckic.exe
mgbwjdezmhrhfpznckic.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\ogzsdvunyrznjrzlye.exe*."
C:\Windows\fwogqhfxhzgtovcnz.exe
fwogqhfxhzgtovcnz.exe .
C:\Windows\ogzsdvunyrznjrzlye.exe
ogzsdvunyrznjrzlye.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\fwogqhfxhzgtovcnz.exe*."
C:\Windows\fwogqhfxhzgtovcnz.exe
fwogqhfxhzgtovcnz.exe
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\ogzsdvunyrznjrzlye.exe*."
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\ogzsdvunyrznjrzlye.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe
C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe
bwsocxzvjfqhgrcrhqpkg.exe .
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe
bwsocxzvjfqhgrcrhqpkg.exe
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\fwogqhfxhzgtovcnz.exe*."
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\bwsocxzvjfqhgrcrhqpkg.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .
C:\Windows\ogzsdvunyrznjrzlye.exe
ogzsdvunyrznjrzlye.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\mgbwjdezmhrhfpznckic.exe*."
C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe
C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\ogzsdvunyrznjrzlye.exe*."
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\bwsocxzvjfqhgrcrhqpkg.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\ogzsdvunyrznjrzlye.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe
C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe
bwsocxzvjfqhgrcrhqpkg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\mgbwjdezmhrhfpznckic.exe
mgbwjdezmhrhfpznckic.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."
C:\Windows\mgbwjdezmhrhfpznckic.exe
mgbwjdezmhrhfpznckic.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe .
C:\Windows\fwogqhfxhzgtovcnz.exe
fwogqhfxhzgtovcnz.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\fwogqhfxhzgtovcnz.exe*."
C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe
C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\bwsocxzvjfqhgrcrhqpkg.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\mgbwjdezmhrhfpznckic.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\fwogqhfxhzgtovcnz.exe
fwogqhfxhzgtovcnz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe .
C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe
bwsocxzvjfqhgrcrhqpkg.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\bwsocxzvjfqhgrcrhqpkg.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe
C:\Windows\fwogqhfxhzgtovcnz.exe
fwogqhfxhzgtovcnz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .
C:\Windows\mgbwjdezmhrhfpznckic.exe
mgbwjdezmhrhfpznckic.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\fwogqhfxhzgtovcnz.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe
C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\bwsocxzvjfqhgrcrhqpkg.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe
C:\Windows\yofwfvsjsjpbvbhr.exe
yofwfvsjsjpbvbhr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\fwogqhfxhzgtovcnz.exe
fwogqhfxhzgtovcnz.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\fwogqhfxhzgtovcnz.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe
C:\Windows\mgbwjdezmhrhfpznckic.exe
mgbwjdezmhrhfpznckic.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .
C:\Windows\mgbwjdezmhrhfpznckic.exe
mgbwjdezmhrhfpznckic.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\fwogqhfxhzgtovcnz.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\yofwfvsjsjpbvbhr.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe
C:\Windows\yofwfvsjsjpbvbhr.exe
yofwfvsjsjpbvbhr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe .
C:\Windows\zsmgsllfrlujgpylzgd.exe
zsmgsllfrlujgpylzgd.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\zsmgsllfrlujgpylzgd.exe*."
C:\Windows\fwogqhfxhzgtovcnz.exe
fwogqhfxhzgtovcnz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe .
C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe
bwsocxzvjfqhgrcrhqpkg.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\bwsocxzvjfqhgrcrhqpkg.exe*."
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\mgbwjdezmhrhfpznckic.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\fwogqhfxhzgtovcnz.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe
C:\Windows\yofwfvsjsjpbvbhr.exe
yofwfvsjsjpbvbhr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe .
C:\Windows\yofwfvsjsjpbvbhr.exe
yofwfvsjsjpbvbhr.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\yofwfvsjsjpbvbhr.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe
C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe
bwsocxzvjfqhgrcrhqpkg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe .
C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe
bwsocxzvjfqhgrcrhqpkg.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\bwsocxzvjfqhgrcrhqpkg.exe*."
C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe
C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\bwsocxzvjfqhgrcrhqpkg.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\zsmgsllfrlujgpylzgd.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe
C:\Windows\zsmgsllfrlujgpylzgd.exe
zsmgsllfrlujgpylzgd.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe .
C:\Windows\yofwfvsjsjpbvbhr.exe
yofwfvsjsjpbvbhr.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\yofwfvsjsjpbvbhr.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .
C:\Windows\ogzsdvunyrznjrzlye.exe
ogzsdvunyrznjrzlye.exe
C:\Windows\mgbwjdezmhrhfpznckic.exe
mgbwjdezmhrhfpznckic.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe
C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe
C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\ogzsdvunyrznjrzlye.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe
C:\Windows\mgbwjdezmhrhfpznckic.exe
mgbwjdezmhrhfpznckic.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .
C:\Windows\fwogqhfxhzgtovcnz.exe
fwogqhfxhzgtovcnz.exe
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\ogzsdvunyrznjrzlye.exe*."
C:\Windows\yofwfvsjsjpbvbhr.exe
yofwfvsjsjpbvbhr.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe
C:\Windows\zsmgsllfrlujgpylzgd.exe
zsmgsllfrlujgpylzgd.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\yofwfvsjsjpbvbhr.exe*."
C:\Windows\ogzsdvunyrznjrzlye.exe
ogzsdvunyrznjrzlye.exe
C:\Windows\mgbwjdezmhrhfpznckic.exe
mgbwjdezmhrhfpznckic.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\zsmgsllfrlujgpylzgd.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .
C:\Windows\zsmgsllfrlujgpylzgd.exe
zsmgsllfrlujgpylzgd.exe
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe
C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe
bwsocxzvjfqhgrcrhqpkg.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."
C:\Windows\zsmgsllfrlujgpylzgd.exe
zsmgsllfrlujgpylzgd.exe
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Windows\mgbwjdezmhrhfpznckic.exe
mgbwjdezmhrhfpznckic.exe .
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\bwsocxzvjfqhgrcrhqpkg.exe*."
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\mgbwjdezmhrhfpznckic.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\yofwfvsjsjpbvbhr.exe*."
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .
C:\Windows\yofwfvsjsjpbvbhr.exe
yofwfvsjsjpbvbhr.exe
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Windows\mgbwjdezmhrhfpznckic.exe
mgbwjdezmhrhfpznckic.exe .
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\zsmgsllfrlujgpylzgd.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\fwogqhfxhzgtovcnz.exe*."
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\ogzsdvunyrznjrzlye.exe*."
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\mgbwjdezmhrhfpznckic.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe
C:\Windows\fwogqhfxhzgtovcnz.exe
fwogqhfxhzgtovcnz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe .
C:\Windows\fwogqhfxhzgtovcnz.exe
fwogqhfxhzgtovcnz.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\fwogqhfxhzgtovcnz.exe*."
C:\Windows\yofwfvsjsjpbvbhr.exe
yofwfvsjsjpbvbhr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .
C:\Windows\mgbwjdezmhrhfpznckic.exe
mgbwjdezmhrhfpznckic.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe
C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe
C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\yofwfvsjsjpbvbhr.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe
C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe
C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .
C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe
C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\bwsocxzvjfqhgrcrhqpkg.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\mgbwjdezmhrhfpznckic.exe
mgbwjdezmhrhfpznckic.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe .
C:\Windows\fwogqhfxhzgtovcnz.exe
fwogqhfxhzgtovcnz.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\fwogqhfxhzgtovcnz.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe
C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe
bwsocxzvjfqhgrcrhqpkg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .
C:\Windows\mgbwjdezmhrhfpznckic.exe
mgbwjdezmhrhfpznckic.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."
C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe
C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\zsmgsllfrlujgpylzgd.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\fwogqhfxhzgtovcnz.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe
C:\Windows\zsmgsllfrlujgpylzgd.exe
zsmgsllfrlujgpylzgd.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe .
C:\Windows\fwogqhfxhzgtovcnz.exe
fwogqhfxhzgtovcnz.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\fwogqhfxhzgtovcnz.exe*."
C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe
bwsocxzvjfqhgrcrhqpkg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .
C:\Windows\mgbwjdezmhrhfpznckic.exe
mgbwjdezmhrhfpznckic.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\zsmgsllfrlujgpylzgd.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\ogzsdvunyrznjrzlye.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe
C:\Windows\yofwfvsjsjpbvbhr.exe
yofwfvsjsjpbvbhr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .
C:\Windows\mgbwjdezmhrhfpznckic.exe
mgbwjdezmhrhfpznckic.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."
C:\Windows\fwogqhfxhzgtovcnz.exe
fwogqhfxhzgtovcnz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\yofwfvsjsjpbvbhr.exe
yofwfvsjsjpbvbhr.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\yofwfvsjsjpbvbhr.exe*."
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .
C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe
C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\bwsocxzvjfqhgrcrhqpkg.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\ogzsdvunyrznjrzlye.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe
C:\Windows\fwogqhfxhzgtovcnz.exe
fwogqhfxhzgtovcnz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe .
C:\Windows\ogzsdvunyrznjrzlye.exe
ogzsdvunyrznjrzlye.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\ogzsdvunyrznjrzlye.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe
C:\Windows\ogzsdvunyrznjrzlye.exe
ogzsdvunyrznjrzlye.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe .
C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe
bwsocxzvjfqhgrcrhqpkg.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe
C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe
C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\bwsocxzvjfqhgrcrhqpkg.exe*."
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\fwogqhfxhzgtovcnz.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\zsmgsllfrlujgpylzgd.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe
C:\Windows\yofwfvsjsjpbvbhr.exe
yofwfvsjsjpbvbhr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe .
C:\Windows\ogzsdvunyrznjrzlye.exe
ogzsdvunyrznjrzlye.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\ogzsdvunyrznjrzlye.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe
C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe
bwsocxzvjfqhgrcrhqpkg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\fwogqhfxhzgtovcnz.exe
fwogqhfxhzgtovcnz.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\fwogqhfxhzgtovcnz.exe*."
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\yofwfvsjsjpbvbhr.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe
C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe
C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .
C:\Windows\ogzsdvunyrznjrzlye.exe
ogzsdvunyrznjrzlye.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .
C:\Windows\fwogqhfxhzgtovcnz.exe
fwogqhfxhzgtovcnz.exe
C:\Windows\mgbwjdezmhrhfpznckic.exe
mgbwjdezmhrhfpznckic.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\mgbwjdezmhrhfpznckic.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe .
C:\Windows\fwogqhfxhzgtovcnz.exe
fwogqhfxhzgtovcnz.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe
C:\Windows\ogzsdvunyrznjrzlye.exe
ogzsdvunyrznjrzlye.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Windows\zsmgsllfrlujgpylzgd.exe
zsmgsllfrlujgpylzgd.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\yofwfvsjsjpbvbhr.exe
yofwfvsjsjpbvbhr.exe
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\fwogqhfxhzgtovcnz.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe .
C:\Windows\mgbwjdezmhrhfpznckic.exe
mgbwjdezmhrhfpznckic.exe .
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\zsmgsllfrlujgpylzgd.exe*."
C:\Windows\yofwfvsjsjpbvbhr.exe
yofwfvsjsjpbvbhr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .
C:\Windows\ogzsdvunyrznjrzlye.exe
ogzsdvunyrznjrzlye.exe .
C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe
C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Windows\mgbwjdezmhrhfpznckic.exe
mgbwjdezmhrhfpznckic.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\mgbwjdezmhrhfpznckic.exe*."
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\bwsocxzvjfqhgrcrhqpkg.exe*."
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\ogzsdvunyrznjrzlye.exe*."
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Windows\ogzsdvunyrznjrzlye.exe
ogzsdvunyrznjrzlye.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\zsmgsllfrlujgpylzgd.exe*."
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\yofwfvsjsjpbvbhr.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .
C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe
C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\mgbwjdezmhrhfpznckic.exe*."
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\ogzsdvunyrznjrzlye.exe*."
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\ogzsdvunyrznjrzlye.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\zsmgsllfrlujgpylzgd.exe
zsmgsllfrlujgpylzgd.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\ogzsdvunyrznjrzlye.exe
ogzsdvunyrznjrzlye.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\ogzsdvunyrznjrzlye.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe .
C:\Windows\yofwfvsjsjpbvbhr.exe
yofwfvsjsjpbvbhr.exe
C:\Windows\fwogqhfxhzgtovcnz.exe
fwogqhfxhzgtovcnz.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe
C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe
C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\fwogqhfxhzgtovcnz.exe*."
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\fwogqhfxhzgtovcnz.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\zsmgsllfrlujgpylzgd.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\zsmgsllfrlujgpylzgd.exe
zsmgsllfrlujgpylzgd.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe .
C:\Windows\ogzsdvunyrznjrzlye.exe
ogzsdvunyrznjrzlye.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\ogzsdvunyrznjrzlye.exe*."
C:\Windows\yofwfvsjsjpbvbhr.exe
yofwfvsjsjpbvbhr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .
C:\Windows\mgbwjdezmhrhfpznckic.exe
mgbwjdezmhrhfpznckic.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\mgbwjdezmhrhfpznckic.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe
C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe
C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\mgbwjdezmhrhfpznckic.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe
C:\Windows\ogzsdvunyrznjrzlye.exe
ogzsdvunyrznjrzlye.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe .
C:\Windows\yofwfvsjsjpbvbhr.exe
yofwfvsjsjpbvbhr.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\yofwfvsjsjpbvbhr.exe*."
C:\Windows\fwogqhfxhzgtovcnz.exe
fwogqhfxhzgtovcnz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Windows\mgbwjdezmhrhfpznckic.exe
mgbwjdezmhrhfpznckic.exe .
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."
C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe
C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\bwsocxzvjfqhgrcrhqpkg.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\zsmgsllfrlujgpylzgd.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe
C:\Windows\mgbwjdezmhrhfpznckic.exe
mgbwjdezmhrhfpznckic.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe .
C:\Windows\zsmgsllfrlujgpylzgd.exe
zsmgsllfrlujgpylzgd.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\zsmgsllfrlujgpylzgd.exe*."
C:\Windows\zsmgsllfrlujgpylzgd.exe
zsmgsllfrlujgpylzgd.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe
C:\Windows\zsmgsllfrlujgpylzgd.exe
zsmgsllfrlujgpylzgd.exe .
C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe
C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\zsmgsllfrlujgpylzgd.exe*."
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\fwogqhfxhzgtovcnz.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe
C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe
C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\yofwfvsjsjpbvbhr.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe
C:\Windows\ogzsdvunyrznjrzlye.exe
ogzsdvunyrznjrzlye.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe .
C:\Windows\fwogqhfxhzgtovcnz.exe
fwogqhfxhzgtovcnz.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\fwogqhfxhzgtovcnz.exe*."
C:\Windows\yofwfvsjsjpbvbhr.exe
yofwfvsjsjpbvbhr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe .
C:\Windows\yofwfvsjsjpbvbhr.exe
yofwfvsjsjpbvbhr.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\yofwfvsjsjpbvbhr.exe*."
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\fwogqhfxhzgtovcnz.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\yofwfvsjsjpbvbhr.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe
C:\Windows\ogzsdvunyrznjrzlye.exe
ogzsdvunyrznjrzlye.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe .
C:\Windows\fwogqhfxhzgtovcnz.exe
fwogqhfxhzgtovcnz.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\fwogqhfxhzgtovcnz.exe*."
C:\Windows\fwogqhfxhzgtovcnz.exe
fwogqhfxhzgtovcnz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\ogzsdvunyrznjrzlye.exe
ogzsdvunyrznjrzlye.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\ogzsdvunyrznjrzlye.exe*."
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\yofwfvsjsjpbvbhr.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .
C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe
C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\bwsocxzvjfqhgrcrhqpkg.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe
C:\Windows\zsmgsllfrlujgpylzgd.exe
zsmgsllfrlujgpylzgd.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe .
C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe
bwsocxzvjfqhgrcrhqpkg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe .
C:\Windows\zsmgsllfrlujgpylzgd.exe
zsmgsllfrlujgpylzgd.exe .
C:\Windows\fwogqhfxhzgtovcnz.exe
fwogqhfxhzgtovcnz.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\zsmgsllfrlujgpylzgd.exe*."
C:\Windows\yofwfvsjsjpbvbhr.exe
yofwfvsjsjpbvbhr.exe
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\fwogqhfxhzgtovcnz.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe
C:\Windows\yofwfvsjsjpbvbhr.exe
yofwfvsjsjpbvbhr.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe .
C:\Windows\yofwfvsjsjpbvbhr.exe
yofwfvsjsjpbvbhr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .
C:\Windows\ogzsdvunyrznjrzlye.exe
ogzsdvunyrznjrzlye.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .
C:\Windows\zsmgsllfrlujgpylzgd.exe
zsmgsllfrlujgpylzgd.exe .
C:\Windows\ogzsdvunyrznjrzlye.exe
ogzsdvunyrznjrzlye.exe .
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe .
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\ogzsdvunyrznjrzlye.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\zsmgsllfrlujgpylzgd.exe*."
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\ogzsdvunyrznjrzlye.exe*."
C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe
bwsocxzvjfqhgrcrhqpkg.exe .
C:\Windows\fwogqhfxhzgtovcnz.exe
fwogqhfxhzgtovcnz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\zsmgsllfrlujgpylzgd.exe*."
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\fwogqhfxhzgtovcnz.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe
C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe
C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe
C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\bwsocxzvjfqhgrcrhqpkg.exe*."
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\bwsocxzvjfqhgrcrhqpkg.exe*."
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\bwsocxzvjfqhgrcrhqpkg.exe*."
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\ogzsdvunyrznjrzlye.exe*."
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\ogzsdvunyrznjrzlye.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe
C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe
bwsocxzvjfqhgrcrhqpkg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .
C:\Windows\mgbwjdezmhrhfpznckic.exe
mgbwjdezmhrhfpznckic.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."
C:\Windows\fwogqhfxhzgtovcnz.exe
fwogqhfxhzgtovcnz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe .
C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe
bwsocxzvjfqhgrcrhqpkg.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\bwsocxzvjfqhgrcrhqpkg.exe*."
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\fwogqhfxhzgtovcnz.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\zsmgsllfrlujgpylzgd.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe
C:\Windows\zsmgsllfrlujgpylzgd.exe
zsmgsllfrlujgpylzgd.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe .
C:\Windows\fwogqhfxhzgtovcnz.exe
fwogqhfxhzgtovcnz.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\fwogqhfxhzgtovcnz.exe*."
C:\Windows\mgbwjdezmhrhfpznckic.exe
mgbwjdezmhrhfpznckic.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ogzsdvunyrznjrzlye.exe .
C:\Windows\ogzsdvunyrznjrzlye.exe
ogzsdvunyrznjrzlye.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\ogzsdvunyrznjrzlye.exe*."
C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe
C:\Users\Admin\AppData\Local\Temp\bwsocxzvjfqhgrcrhqpkg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\mgbwjdezmhrhfpznckic.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\mgbwjdezmhrhfpznckic.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe
C:\Windows\yofwfvsjsjpbvbhr.exe
yofwfvsjsjpbvbhr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .
C:\Windows\mgbwjdezmhrhfpznckic.exe
mgbwjdezmhrhfpznckic.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."
C:\Windows\mgbwjdezmhrhfpznckic.exe
mgbwjdezmhrhfpznckic.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe .
C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe
bwsocxzvjfqhgrcrhqpkg.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\bwsocxzvjfqhgrcrhqpkg.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\yofwfvsjsjpbvbhr.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe
C:\Users\Admin\AppData\Local\Temp\zsmgsllfrlujgpylzgd.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\fwogqhfxhzgtovcnz.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\yofwfvsjsjpbvbhr.exe
yofwfvsjsjpbvbhr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe .
C:\Windows\fwogqhfxhzgtovcnz.exe
fwogqhfxhzgtovcnz.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\fwogqhfxhzgtovcnz.exe*."
C:\Windows\fwogqhfxhzgtovcnz.exe
fwogqhfxhzgtovcnz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe .
C:\Windows\fwogqhfxhzgtovcnz.exe
fwogqhfxhzgtovcnz.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\fwogqhfxhzgtovcnz.exe*."
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\mgbwjdezmhrhfpznckic.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\yofwfvsjsjpbvbhr.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zsmgsllfrlujgpylzgd.exe
C:\Windows\zsmgsllfrlujgpylzgd.exe
zsmgsllfrlujgpylzgd.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fwogqhfxhzgtovcnz.exe .
C:\Windows\fwogqhfxhzgtovcnz.exe
fwogqhfxhzgtovcnz.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bwsocxzvjfqhgrcrhqpkg.exe
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\fwogqhfxhzgtovcnz.exe*."
C:\Windows\bwsocxzvjfqhgrcrhqpkg.exe
bwsocxzvjfqhgrcrhqpkg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mgbwjdezmhrhfpznckic.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\mgbwjdezmhrhfpznckic.exe
mgbwjdezmhrhfpznckic.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Users\Admin\AppData\Local\Temp\mgbwjdezmhrhfpznckic.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\windows\mgbwjdezmhrhfpznckic.exe*."
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe
C:\Users\Admin\AppData\Local\Temp\ogzsdvunyrznjrzlye.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\ogzsdvunyrznjrzlye.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Users\Admin\AppData\Local\Temp\yofwfvsjsjpbvbhr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe
C:\Users\Admin\AppData\Local\Temp\fwogqhfxhzgtovcnz.exe .
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe" "c:\users\admin\appdata\local\temp\fwogqhfxhzgtovcnz.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yofwfvsjsjpbvbhr.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.showmyipaddress.com | udp |
| US | 104.21.74.56:80 | www.showmyipaddress.com | tcp |
| US | 104.21.74.56:80 | www.showmyipaddress.com | tcp |
| US | 172.66.43.169:80 | www.whatismyip.com | tcp |
| US | 172.66.43.169:80 | www.whatismyip.com | tcp |
| US | 172.66.43.169:80 | www.whatismyip.com | tcp |
| US | 104.21.74.56:80 | www.showmyipaddress.com | tcp |
| US | 104.21.74.56:80 | www.showmyipaddress.com | tcp |
| US | 104.21.74.56:80 | www.showmyipaddress.com | tcp |
| US | 104.21.74.56:80 | www.showmyipaddress.com | tcp |
| US | 172.66.43.169:80 | www.whatismyip.com | tcp |
| US | 172.66.43.169:80 | www.whatismyip.com | tcp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| NL | 108.177.127.91:80 | www.youtube.com | tcp |
| KZ | 95.56.12.117:42839 | tcp | |
| DE | 85.214.228.140:80 | gyuuym.org | tcp |
| SG | 18.142.91.111:80 | unxfuild.info | tcp |
| US | 104.156.155.94:80 | cydlrge.info | tcp |
| MD | 94.243.110.54:24785 | tcp | |
| US | 8.8.8.8:53 | ewhqxezcwwc.net | udp |
| LT | 91.231.76.205:23375 | tcp | |
| US | 8.8.8.8:53 | berijmyob.com | udp |
| US | 8.8.8.8:53 | zyfitez.info | udp |
| US | 8.8.8.8:53 | wactfwugvnh.info | udp |
| KZ | 95.56.12.117:42839 | tcp | |
| US | 8.8.8.8:53 | cxewloz.net | udp |
| US | 8.8.8.8:53 | ialtjonec.info | udp |
| BY | 178.172.241.45:24629 | tcp | |
| US | 8.8.8.8:53 | dflqknsl.net | udp |
| US | 8.8.8.8:53 | rsmgvipsbxn.org | udp |
| US | 8.8.8.8:53 | stfzpsrmqkdz.info | udp |
| TN | 196.203.63.157:26832 | tcp | |
| US | 8.8.8.8:53 | njmyupro.net | udp |
| US | 8.8.8.8:53 | ofrvdxkvxege.info | udp |
| LT | 78.60.137.134:36561 | tcp | |
| US | 8.8.8.8:53 | qyomwiskoe.com | udp |
| US | 8.8.8.8:53 | edorjl.info | udp |
| US | 8.8.8.8:53 | ioqpsalu.info | udp |
| LT | 5.20.66.115:45152 | tcp | |
| US | 8.8.8.8:53 | lzbjkx.info | udp |
| US | 8.8.8.8:53 | blriytvijot.com | udp |
| BG | 94.139.219.143:24499 | tcp | |
| US | 8.8.8.8:53 | tqyfnr.info | udp |
| US | 8.8.8.8:53 | zrizzt.net | udp |
| BG | 212.73.158.164:38314 | tcp | |
| US | 8.8.8.8:53 | ndlxacdmjh.net | udp |
| US | 8.8.8.8:53 | xrctizgjhu.net | udp |
| US | 8.8.8.8:53 | mvunzteads.info | udp |
| BG | 212.73.158.164:38314 | tcp | |
| US | 8.8.8.8:53 | tmwgqroevroo.info | udp |
| US | 8.8.8.8:53 | snbblgoowog.info | udp |
| US | 8.8.8.8:53 | gyquywiaos.org | udp |
| US | 8.8.8.8:53 | pslxxdt.net | udp |
| IT | 151.51.22.129:24742 | tcp | |
| US | 8.8.8.8:53 | eufesoo.info | udp |
| US | 8.8.8.8:53 | vyvijbihvn.info | udp |
| AM | 46.241.134.173:23589 | tcp | |
| US | 8.8.8.8:53 | hbaqnoo.net | udp |
| US | 8.8.8.8:53 | bzdmnahcvcac.net | udp |
| US | 8.8.8.8:53 | wcnawcg.info | udp |
| US | 8.8.8.8:53 | cegiuoky.org | udp |
| US | 8.8.8.8:53 | aoukgega.org | udp |
| US | 8.8.8.8:53 | aqzabijoxac.net | udp |
| US | 8.8.8.8:53 | bpdtvknodwoy.info | udp |
| US | 8.8.8.8:53 | qmcajgg.info | udp |
| US | 8.8.8.8:53 | gdrhrvfi.net | udp |
| US | 8.8.8.8:53 | sinwfk.info | udp |
| US | 8.8.8.8:53 | nsfkudrunez.net | udp |
| DE | 24.134.86.213:37182 | tcp | |
| US | 8.8.8.8:53 | cykogcgqqcuu.com | udp |
| US | 8.8.8.8:53 | wcfnrgfs.net | udp |
| US | 8.8.8.8:53 | qyqigk.com | udp |
| US | 8.8.8.8:53 | nidozf.info | udp |
| US | 8.8.8.8:53 | mkwgaooe.com | udp |
| US | 8.8.8.8:53 | oyuusybipen.info | udp |
| US | 8.8.8.8:53 | bjdoxjburcjd.info | udp |
| US | 8.8.8.8:53 | opmapihwl.net | udp |
| US | 8.8.8.8:53 | crsgcadvaz.net | udp |
| US | 8.8.8.8:53 | ekqaao.com | udp |
| RU | 77.223.78.79:38707 | tcp | |
| US | 8.8.8.8:53 | gyjwtahmpgs.info | udp |
| US | 8.8.8.8:53 | egdyuex.info | udp |
| US | 8.8.8.8:53 | zrwyvfag.info | udp |
| US | 8.8.8.8:53 | hjfdpmp.org | udp |
| US | 8.8.8.8:53 | vfpxrtqrrdaf.info | udp |
| US | 8.8.8.8:53 | dloueuwi.info | udp |
| US | 8.8.8.8:53 | ehjskpaeaelw.info | udp |
| US | 8.8.8.8:53 | yqdindvszcl.info | udp |
| US | 8.8.8.8:53 | dxyslmpozuo.net | udp |
| US | 8.8.8.8:53 | enfmfb.info | udp |
| US | 8.8.8.8:53 | oqxxpz.info | udp |
| US | 8.8.8.8:53 | vzqkjd.net | udp |
| US | 8.8.8.8:53 | vxfwhrnddrzi.info | udp |
| US | 8.8.8.8:53 | rqntqjqa.info | udp |
| US | 8.8.8.8:53 | owtumceqt.info | udp |
| US | 8.8.8.8:53 | ugwfhgwodot.net | udp |
| US | 8.8.8.8:53 | sqkopyr.info | udp |
| US | 8.8.8.8:53 | vsshddtk.net | udp |
| US | 8.8.8.8:53 | yiwycqmk.com | udp |
| US | 8.8.8.8:53 | uceotyqjb.net | udp |
| US | 8.8.8.8:53 | wgueumiiqsma.org | udp |
| US | 8.8.8.8:53 | poavzckqsq.net | udp |
| US | 8.8.8.8:53 | nmqeugpunoyn.info | udp |
| US | 8.8.8.8:53 | ieieid.info | udp |
| US | 8.8.8.8:53 | ouqidxb.info | udp |
| US | 8.8.8.8:53 | xkaumqztnxdp.info | udp |
| RU | 37.78.53.100:31421 | tcp | |
| US | 8.8.8.8:53 | cmnwyj.net | udp |
| US | 8.8.8.8:53 | zhkzkjvahw.info | udp |
| US | 8.8.8.8:53 | akyaagygymke.com | udp |
| US | 8.8.8.8:53 | tezyggnrhcr.info | udp |
| US | 8.8.8.8:53 | tkjttkr.info | udp |
| US | 8.8.8.8:53 | lktcrbw.com | udp |
| US | 8.8.8.8:53 | xengsf.info | udp |
| US | 8.8.8.8:53 | sulaoihqudx.info | udp |
| US | 8.8.8.8:53 | zzqifvyi.net | udp |
| US | 8.8.8.8:53 | uutucqocfv.info | udp |
Files
C:\Users\Admin\AppData\Local\Temp\gncdejpoqxm.exe
| MD5 | 1dd5dd5561723f37ccc81e15ecdbf830 |
| SHA1 | eeb9131c8d276ceb710d163e89fdc62b3e111971 |
| SHA256 | c8c542ac3f6526d1501c2b9d6262bfa029a1ac0d9dd6b3c1965977abdd8bd126 |
| SHA512 | b4881d7cd0c2ceeba067e13d23763e739389108d1269acd6c343dd308aa1fedde89da696a8482944342f44ea1094ea6b50021a15d4c6d03762ba032a9598bba5 |
C:\Windows\SysWOW64\ogzsdvunyrznjrzlye.exe
| MD5 | c45c7c3be165367d7676c127dbdc2050 |
| SHA1 | 0ca4bbd08beb9ce9e8bd6807113345389aa07588 |
| SHA256 | 7be6ccadfe39aff45029a30fe34b3c87ac49ebbad791c34e2ff8bb30e7e07721 |
| SHA512 | d0aa1e6158da64512f9098ed1ae8d33d1882a1c23fb2c7bbbc3a3c0e331355d24dc302ef4f5b778d17f952fdd93adfd5e77fc81c73c5b119793b398edb43bbb3 |
C:\Users\Admin\AppData\Local\Temp\bgmsq.exe
| MD5 | 9b1be8accec33c5b7beb6711c76dfae2 |
| SHA1 | 5312f362bc5881f433ade4527ebdbb57259d35bd |
| SHA256 | 43a4724768897e3163dbfa6f7479bb2db6b294b66d050be0aff2e8dc09ce4715 |
| SHA512 | 2dae7b343b86c41b598d8adb1d598f9e6289c37b7c0d52616cbfed7144ac99500f5bf9adbd34b9a5d2e15c57255d09e7acbfa9ca292387685ef3a71278408055 |
C:\Users\Admin\AppData\Local\gilojluxsvnlrjbxukqsvytv.hcf
| MD5 | 7b8e0bf33294d53b402c9fde89252477 |
| SHA1 | e5e2d5e66d3b7832277c60df533b9c34de1c4a5e |
| SHA256 | 1cd2d5d3526b4ed79a866275e29d67aa2bd57a37dc695350df6317f46d762958 |
| SHA512 | 38f764525ef57e31cbbdbeca28081853313a2daf35fffb771d23da9886ba772f42b86c15fc6d763e9602de98704511b246dd6673f127d54c4ed4ba8bb3ad41f1 |
C:\Users\Admin\AppData\Local\pcqekxrflzclcfipxypcqekxrflzclcfipx.pcq
| MD5 | 897cf0c69c02e6ea109606327103bac8 |
| SHA1 | 09edd7dc7d8665ede0698ec2dc178e59ffce5d3d |
| SHA256 | 1c4ea4eb92a0c81da6e079f19eba812ff16422cf53f0fc0605212e426cae1718 |
| SHA512 | 4d7a06c8d51842522be673457d02588311614b61be6498b047d125e4544a5963ec49825df78b3ddb7cd5b4b0a1e30fd97a7c9cc537f8fc37c34e313a0c687aba |
C:\Program Files (x86)\gilojluxsvnlrjbxukqsvytv.hcf
| MD5 | ba3d7f8ee3c82a13a67ab55a75e591b5 |
| SHA1 | 41513507db2af6f132e09bb8b9b6f2cc06f98e41 |
| SHA256 | 30d60c058d395d11cef3c2e29335ba980a212f91f6ae6f8a11b4f21f61905872 |
| SHA512 | 0d9e0222694aea8e60226210f149406b2045f019eb8b2a01ac8f26a3941f77a7df3beed533c0481116d605901db032a7e0b935341423486ecd761a4a3b5b7feb |
C:\Program Files (x86)\gilojluxsvnlrjbxukqsvytv.hcf
| MD5 | 0abad651bdca5f3c325c74e86f969747 |
| SHA1 | 91ace5566978db16ae1aca8437848fe3a84ced3a |
| SHA256 | 132703b05e0d6a083b44f0d384179e22a0cabe946d96dbd7698c7cb7de0d3762 |
| SHA512 | d94dcd68551ac7fe8f642b18abde0c5e88f02d4fcb4d22487139612c640699ab55f6dec0281815bb99c848ccfae78109b5c7fed1580d062b552c228f3aa5f454 |
C:\Program Files (x86)\gilojluxsvnlrjbxukqsvytv.hcf
| MD5 | 84bcf59b800466b46f654cd46931e73a |
| SHA1 | 18df896842f60e84f2d0baeb406c4489ef6b767a |
| SHA256 | 0b19af35d337302f1acfac58e622773430ccdeb7b9c900dd3e9b7a8b2e333e24 |
| SHA512 | 542fbc493bc7e4dd1aadf6300eb2badd3a7e63ce97415568b28cdd53c8d4dfaf353e8f2db3c5d62fe1c582b3ef9693d7af28d9d750b89442d0153ad14ed6a3a3 |
C:\Program Files (x86)\gilojluxsvnlrjbxukqsvytv.hcf
| MD5 | 0239a0f4222162b5abf7c3d129f70d4c |
| SHA1 | ae73d691609b2f1d592d64835f89ffa379d7045f |
| SHA256 | f5b6958571480df1eb2c0805d03d116ba0dc466dda10f72e0d07cd1e63f5ffa9 |
| SHA512 | 262eb7561df1e0ca27ae5c0564ac700d01e0af955968b1fbdd8b95e7f842e3f7999c059843fa2109315590c50f8a0801353c2d52899d9499a1b0c318c7dfb166 |
C:\Program Files (x86)\gilojluxsvnlrjbxukqsvytv.hcf
| MD5 | 3a70d23c58a5dafad65772cb10e8a304 |
| SHA1 | 6c048c19fad3d1460b96febf3038f955fb26699b |
| SHA256 | 39a9d888c225995ce687f00cf58bf2353fb68d4841b11f7bbdbda455c2be0e22 |
| SHA512 | 3df13f508751e3cf0a8371338dc52bb1fb1525e6a9a6cc79709fe7aebb66000f1d0b9351a4d1b07c8fc5c4043a16c516196f45a785d444b59d1c14f39e73dd07 |
Analysis: behavioral1
Detonation Overview
Submitted
2025-04-20 03:34
Reported
2025-04-20 03:36
Platform
win10v2004-20250410-en
Max time kernel
36s
Max time network
150s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
Pykspa
Pykspa family
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
Detect Pykspa worm
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ndqznvdpbkc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gfbtqhytoghwbozbebcb.exe" | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ndqznvdpbkc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ifzpkzohaqpcfqzzav.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kdtfwhshwidmls = "trmdzpfztkkycoyzbxx.exe" | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kdtfwhshwidmls = "trmdzpfztkkycoyzbxx.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kdtfwhshwidmls = "zvodxlzrjywikucbb.exe" | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ndqznvdpbkc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vvsljbtplegwcqcfjhjjg.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bltbhrglwn = "rjzpdvsfyxknyhhidl.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kdtfwhshwidmls = "vvsljbtplegwcqcfjhjjg.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ndqznvdpbkc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\snftmzmduifqrahf.exe" | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kdtfwhshwidmls = "zvodxlzrjywikucbb.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ndqznvdpbkc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vvsljbtplegwcqcfjhjjg.exe" | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ndqznvdpbkc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\trmdzpfztkkycoyzbxx.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ndqznvdpbkc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ifzpkzohaqpcfqzzav.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kdtfwhshwidmls = "vvsljbtplegwcqcfjhjjg.exe" | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ndqznvdpbkc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\trmdzpfztkkycoyzbxx.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kdtfwhshwidmls = "gfbtqhytoghwbozbebcb.exe" | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kdtfwhshwidmls = "zvodxlzrjywikucbb.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ndqznvdpbkc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\snftmzmduifqrahf.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ndqznvdpbkc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\trmdzpfztkkycoyzbxx.exe" | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ndqznvdpbkc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ifzpkzohaqpcfqzzav.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kdtfwhshwidmls = "gfbtqhytoghwbozbebcb.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ndqznvdpbkc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ifzpkzohaqpcfqzzav.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kdtfwhshwidmls = "gfbtqhytoghwbozbebcb.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kdtfwhshwidmls = "zvodxlzrjywikucbb.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kdtfwhshwidmls = "ifzpkzohaqpcfqzzav.exe" | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ndqznvdpbkc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gfbtqhytoghwbozbebcb.exe" | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kdtfwhshwidmls = "gfbtqhytoghwbozbebcb.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ndqznvdpbkc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\snftmzmduifqrahf.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kdtfwhshwidmls = "gfbtqhytoghwbozbebcb.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kdtfwhshwidmls = "ifzpkzohaqpcfqzzav.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ndqznvdpbkc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vvsljbtplegwcqcfjhjjg.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kdtfwhshwidmls = "ifzpkzohaqpcfqzzav.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kdtfwhshwidmls = "vvsljbtplegwcqcfjhjjg.exe" | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ndqznvdpbkc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\trmdzpfztkkycoyzbxx.exe" | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bltbhrglwn = "ezslcxxnjlbhvhkomxsle.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ndqznvdpbkc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gfbtqhytoghwbozbebcb.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kdtfwhshwidmls = "snftmzmduifqrahf.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ndqznvdpbkc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\snftmzmduifqrahf.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ndqznvdpbkc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zvodxlzrjywikucbb.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cjotwdp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rjzpdvsfyxknyhhidl.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kdtfwhshwidmls = "vvsljbtplegwcqcfjhjjg.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ndqznvdpbkc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zvodxlzrjywikucbb.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kdtfwhshwidmls = "snftmzmduifqrahf.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cjotwdp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cvmdsljxrrfjvfgieng.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Windows\gfbtqhytoghwbozbebcb.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Windows\zvodxlzrjywikucbb.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Windows\gfbtqhytoghwbozbebcb.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Windows\zvodxlzrjywikucbb.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Windows\vvsljbtplegwcqcfjhjjg.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Windows\vvsljbtplegwcqcfjhjjg.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Windows\zvodxlzrjywikucbb.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Windows\snftmzmduifqrahf.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Windows\trmdzpfztkkycoyzbxx.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Windows\ifzpkzohaqpcfqzzav.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Windows\trmdzpfztkkycoyzbxx.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Windows\vvsljbtplegwcqcfjhjjg.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Windows\gfbtqhytoghwbozbebcb.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Windows\gfbtqhytoghwbozbebcb.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Windows\trmdzpfztkkycoyzbxx.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Windows\zvodxlzrjywikucbb.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Windows\zvodxlzrjywikucbb.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Windows\snftmzmduifqrahf.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Windows\gfbtqhytoghwbozbebcb.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Windows\gfbtqhytoghwbozbebcb.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Windows\ifzpkzohaqpcfqzzav.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Windows\vvsljbtplegwcqcfjhjjg.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Windows\vvsljbtplegwcqcfjhjjg.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Windows\vvsljbtplegwcqcfjhjjg.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Windows\zvodxlzrjywikucbb.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Windows\vvsljbtplegwcqcfjhjjg.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Windows\vvsljbtplegwcqcfjhjjg.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Windows\zvodxlzrjywikucbb.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe | N/A |
Executes dropped EXE
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jbqbrblznysay = "trmdzpfztkkycoyzbxx.exe ." | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\snftmzmduifqrahf = "gfbtqhytoghwbozbebcb.exe ." | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\snftmzmduifqrahf = "vvsljbtplegwcqcfjhjjg.exe ." | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jbqbrblznysay = "ifzpkzohaqpcfqzzav.exe ." | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kbpzoxgtgqjq = "ifzpkzohaqpcfqzzav.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\snftmzmduifqrahf = "snftmzmduifqrahf.exe ." | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kbpzoxgtgqjq = "ifzpkzohaqpcfqzzav.exe" | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kbpzoxgtgqjq = "vvsljbtplegwcqcfjhjjg.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\snftmzmduifqrahf = "gfbtqhytoghwbozbebcb.exe ." | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zvodxlzrjywikucbb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\snftmzmduifqrahf.exe ." | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\snftmzmduifqrahf = "vvsljbtplegwcqcfjhjjg.exe ." | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nhyldpbrhuqaaio = "snftmzmduifqrahf.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\iryfkthlv = "brftfvqbspabkrpo.exe ." | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jbqbrblznysay = "trmdzpfztkkycoyzbxx.exe ." | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ifzpkzohaqpcfqzzav = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ifzpkzohaqpcfqzzav.exe" | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kbpzoxgtgqjq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vvsljbtplegwcqcfjhjjg.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kbpzoxgtgqjq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\trmdzpfztkkycoyzbxx.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jbqbrblznysay = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ifzpkzohaqpcfqzzav.exe ." | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kbpzoxgtgqjq = "vvsljbtplegwcqcfjhjjg.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jbqbrblznysay = "zvodxlzrjywikucbb.exe ." | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zvodxlzrjywikucbb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\trmdzpfztkkycoyzbxx.exe ." | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zvodxlzrjywikucbb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vvsljbtplegwcqcfjhjjg.exe ." | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kbpzoxgtgqjq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vvsljbtplegwcqcfjhjjg.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jbqbrblznysay = "C:\\Users\\Admin\\AppData\\Local\\Temp\\snftmzmduifqrahf.exe ." | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\thtfpdwfupyxej = "C:\\Users\\Admin\\AppData\\Local\\Temp\\izodqhdphfrtdlkke.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ifzpkzohaqpcfqzzav = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vvsljbtplegwcqcfjhjjg.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nhyldpbrhuqaaio = "snftmzmduifqrahf.exe" | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ifzpkzohaqpcfqzzav = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vvsljbtplegwcqcfjhjjg.exe" | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kbpzoxgtgqjq = "trmdzpfztkkycoyzbxx.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kbpzoxgtgqjq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vvsljbtplegwcqcfjhjjg.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kbpzoxgtgqjq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\trmdzpfztkkycoyzbxx.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nhyldpbrhuqaaio = "vvsljbtplegwcqcfjhjjg.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jbqbrblznysay = "vvsljbtplegwcqcfjhjjg.exe ." | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kbpzoxgtgqjq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gfbtqhytoghwbozbebcb.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zvodxlzrjywikucbb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ifzpkzohaqpcfqzzav.exe ." | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kbpzoxgtgqjq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\snftmzmduifqrahf.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nhyldpbrhuqaaio = "ifzpkzohaqpcfqzzav.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kbpzoxgtgqjq = "vvsljbtplegwcqcfjhjjg.exe" | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kbpzoxgtgqjq = "snftmzmduifqrahf.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nhyldpbrhuqaaio = "trmdzpfztkkycoyzbxx.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jbqbrblznysay = "vvsljbtplegwcqcfjhjjg.exe ." | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jbqbrblznysay = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vvsljbtplegwcqcfjhjjg.exe ." | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ifzpkzohaqpcfqzzav = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gfbtqhytoghwbozbebcb.exe" | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nhyldpbrhuqaaio = "snftmzmduifqrahf.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zvodxlzrjywikucbb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\trmdzpfztkkycoyzbxx.exe ." | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kbpzoxgtgqjq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\snftmzmduifqrahf.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jbqbrblznysay = "C:\\Users\\Admin\\AppData\\Local\\Temp\\trmdzpfztkkycoyzbxx.exe ." | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nhyldpbrhuqaaio = "trmdzpfztkkycoyzbxx.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nhyldpbrhuqaaio = "vvsljbtplegwcqcfjhjjg.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\snftmzmduifqrahf = "trmdzpfztkkycoyzbxx.exe ." | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kbpzoxgtgqjq = "vvsljbtplegwcqcfjhjjg.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zvodxlzrjywikucbb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ifzpkzohaqpcfqzzav.exe ." | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kbpzoxgtgqjq = "trmdzpfztkkycoyzbxx.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ifzpkzohaqpcfqzzav = "C:\\Users\\Admin\\AppData\\Local\\Temp\\snftmzmduifqrahf.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\snftmzmduifqrahf = "ifzpkzohaqpcfqzzav.exe ." | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jbqbrblznysay = "zvodxlzrjywikucbb.exe ." | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ifzpkzohaqpcfqzzav = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ifzpkzohaqpcfqzzav.exe" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zvodxlzrjywikucbb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zvodxlzrjywikucbb.exe ." | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tfpzhtkrexeb = "brftfvqbspabkrpo.exe ." | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jbqbrblznysay = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ifzpkzohaqpcfqzzav.exe ." | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jbqbrblznysay = "snftmzmduifqrahf.exe ." | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\snftmzmduifqrahf = "gfbtqhytoghwbozbebcb.exe ." | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tfpzhtkrexeb = "ezslcxxnjlbhvhkomxsle.exe ." | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jbqbrblznysay = "zvodxlzrjywikucbb.exe ." | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
Hijack Execution Flow: Executable Installer File Permissions Weakness
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | www.showmyipaddress.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\snftmzmduifqrahf.exe | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zvodxlzrjywikucbb.exe | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mnlfexqnkehyfuhlqpstrl.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\trmdzpfztkkycoyzbxx.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gfbtqhytoghwbozbebcb.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\snftmzmduifqrahf.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ifzpkzohaqpcfqzzav.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\trmdzpfztkkycoyzbxx.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ifzpkzohaqpcfqzzav.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\snftmzmduifqrahf.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gfbtqhytoghwbozbebcb.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zvodxlzrjywikucbb.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\trmdzpfztkkycoyzbxx.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gfbtqhytoghwbozbebcb.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ifzpkzohaqpcfqzzav.exe | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\snftmzmduifqrahf.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vvsljbtplegwcqcfjhjjg.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gfbtqhytoghwbozbebcb.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mnlfexqnkehyfuhlqpstrl.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\trmdzpfztkkycoyzbxx.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mnlfexqnkehyfuhlqpstrl.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vvsljbtplegwcqcfjhjjg.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zvodxlzrjywikucbb.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\snftmzmduifqrahf.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mnlfexqnkehyfuhlqpstrl.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gfbtqhytoghwbozbebcb.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gfbtqhytoghwbozbebcb.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\snftmzmduifqrahf.exe | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vvsljbtplegwcqcfjhjjg.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gfbtqhytoghwbozbebcb.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zvodxlzrjywikucbb.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ifzpkzohaqpcfqzzav.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vvsljbtplegwcqcfjhjjg.exe | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\snftmzmduifqrahf.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mnlfexqnkehyfuhlqpstrl.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ifzpkzohaqpcfqzzav.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vvsljbtplegwcqcfjhjjg.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\trmdzpfztkkycoyzbxx.exe | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\fnstzzzdhisqeaufrxhpuvbbb.jku | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zvodxlzrjywikucbb.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vvsljbtplegwcqcfjhjjg.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ifzpkzohaqpcfqzzav.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zvodxlzrjywikucbb.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gfbtqhytoghwbozbebcb.exe | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\trmdzpfztkkycoyzbxx.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\trmdzpfztkkycoyzbxx.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gfbtqhytoghwbozbebcb.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gfbtqhytoghwbozbebcb.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mnlfexqnkehyfuhlqpstrl.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ifzpkzohaqpcfqzzav.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mnlfexqnkehyfuhlqpstrl.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mnlfexqnkehyfuhlqpstrl.exe | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zvodxlzrjywikucbb.exe | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vvsljbtplegwcqcfjhjjg.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ifzpkzohaqpcfqzzav.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gfbtqhytoghwbozbebcb.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mnlfexqnkehyfuhlqpstrl.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vvsljbtplegwcqcfjhjjg.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vvsljbtplegwcqcfjhjjg.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mnlfexqnkehyfuhlqpstrl.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mnlfexqnkehyfuhlqpstrl.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ifzpkzohaqpcfqzzav.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mnlfexqnkehyfuhlqpstrl.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\trmdzpfztkkycoyzbxx.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\fnstzzzdhisqeaufrxhpuvbbb.jku | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| File created | C:\Program Files (x86)\fnstzzzdhisqeaufrxhpuvbbb.jku | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| File opened for modification | C:\Program Files (x86)\kdtfwhshwidmlsxtqhcvlxozkzoavedkpliz.ndp | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| File created | C:\Program Files (x86)\kdtfwhshwidmlsxtqhcvlxozkzoavedkpliz.ndp | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\mnlfexqnkehyfuhlqpstrl.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\gfbtqhytoghwbozbebcb.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\zvodxlzrjywikucbb.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\gfbtqhytoghwbozbebcb.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File created | C:\Windows\kdtfwhshwidmlsxtqhcvlxozkzoavedkpliz.ndp | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| File opened for modification | C:\Windows\zvodxlzrjywikucbb.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\snftmzmduifqrahf.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\zvodxlzrjywikucbb.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\zvodxlzrjywikucbb.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\gfbtqhytoghwbozbebcb.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\mnlfexqnkehyfuhlqpstrl.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\trmdzpfztkkycoyzbxx.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\gfbtqhytoghwbozbebcb.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\mnlfexqnkehyfuhlqpstrl.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\snftmzmduifqrahf.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\ifzpkzohaqpcfqzzav.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\snftmzmduifqrahf.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\mnlfexqnkehyfuhlqpstrl.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\snftmzmduifqrahf.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\ifzpkzohaqpcfqzzav.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\gfbtqhytoghwbozbebcb.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\ifzpkzohaqpcfqzzav.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\snftmzmduifqrahf.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\snftmzmduifqrahf.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\zvodxlzrjywikucbb.exe | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| File opened for modification | C:\Windows\trmdzpfztkkycoyzbxx.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\gfbtqhytoghwbozbebcb.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\snftmzmduifqrahf.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\snftmzmduifqrahf.exe | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| File opened for modification | C:\Windows\zvodxlzrjywikucbb.exe | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| File opened for modification | C:\Windows\mnlfexqnkehyfuhlqpstrl.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\ifzpkzohaqpcfqzzav.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\gfbtqhytoghwbozbebcb.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\ifzpkzohaqpcfqzzav.exe | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| File opened for modification | C:\Windows\gfbtqhytoghwbozbebcb.exe | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| File opened for modification | C:\Windows\ifzpkzohaqpcfqzzav.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\vvsljbtplegwcqcfjhjjg.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\mnlfexqnkehyfuhlqpstrl.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\vvsljbtplegwcqcfjhjjg.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\gfbtqhytoghwbozbebcb.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\trmdzpfztkkycoyzbxx.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\ifzpkzohaqpcfqzzav.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\ifzpkzohaqpcfqzzav.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\zvodxlzrjywikucbb.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\vvsljbtplegwcqcfjhjjg.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\mnlfexqnkehyfuhlqpstrl.exe | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| File opened for modification | C:\Windows\trmdzpfztkkycoyzbxx.exe | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| File opened for modification | C:\Windows\zvodxlzrjywikucbb.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\trmdzpfztkkycoyzbxx.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\vvsljbtplegwcqcfjhjjg.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\trmdzpfztkkycoyzbxx.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\gfbtqhytoghwbozbebcb.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\zvodxlzrjywikucbb.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\ifzpkzohaqpcfqzzav.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\trmdzpfztkkycoyzbxx.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\snftmzmduifqrahf.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\zvodxlzrjywikucbb.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\snftmzmduifqrahf.exe | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| File opened for modification | C:\Windows\ifzpkzohaqpcfqzzav.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\trmdzpfztkkycoyzbxx.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\trmdzpfztkkycoyzbxx.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\fnstzzzdhisqeaufrxhpuvbbb.jku | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| File opened for modification | C:\Windows\vvsljbtplegwcqcfjhjjg.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| File opened for modification | C:\Windows\gfbtqhytoghwbozbebcb.exe | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\ifzpkzohaqpcfqzzav.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\brftfvqbspabkrpo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\ezslcxxnjlbhvhkomxsle.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\zvodxlzrjywikucbb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\ifzpkzohaqpcfqzzav.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\ifzpkzohaqpcfqzzav.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\izodqhdphfrtdlkke.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\rjzpdvsfyxknyhhidl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\vvsljbtplegwcqcfjhjjg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\zvodxlzrjywikucbb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\zvodxlzrjywikucbb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\trmdzpfztkkycoyzbxx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\zvodxlzrjywikucbb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\zvodxlzrjywikucbb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\vvsljbtplegwcqcfjhjjg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\gfbtqhytoghwbozbebcb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ezslcxxnjlbhvhkomxsle.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\zvodxlzrjywikucbb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\zvodxlzrjywikucbb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\pjbtjdcrmnchufhkhrld.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\vvsljbtplegwcqcfjhjjg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\cvmdsljxrrfjvfgieng.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cvmdsljxrrfjvfgieng.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\vvsljbtplegwcqcfjhjjg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\zvodxlzrjywikucbb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\snftmzmduifqrahf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\gfbtqhytoghwbozbebcb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\vvsljbtplegwcqcfjhjjg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\gfbtqhytoghwbozbebcb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\gfbtqhytoghwbozbebcb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\gfbtqhytoghwbozbebcb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\trmdzpfztkkycoyzbxx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\ifzpkzohaqpcfqzzav.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\zvodxlzrjywikucbb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\zvodxlzrjywikucbb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\trmdzpfztkkycoyzbxx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\gfbtqhytoghwbozbebcb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\snftmzmduifqrahf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\trmdzpfztkkycoyzbxx.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c45c7c3be165367d7676c127dbdc2050.exe"
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_c45c7c3be165367d7676c127dbdc2050.exe*"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe
C:\Windows\ifzpkzohaqpcfqzzav.exe
ifzpkzohaqpcfqzzav.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe .
C:\Windows\vvsljbtplegwcqcfjhjjg.exe
vvsljbtplegwcqcfjhjjg.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zvodxlzrjywikucbb.exe
C:\Windows\zvodxlzrjywikucbb.exe
zvodxlzrjywikucbb.exe
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\vvsljbtplegwcqcfjhjjg.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c snftmzmduifqrahf.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe
C:\Windows\snftmzmduifqrahf.exe
snftmzmduifqrahf.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe .
C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe
C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe
C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe
C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\snftmzmduifqrahf.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\trmdzpfztkkycoyzbxx.exe*."
C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe
C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe .
C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe
C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\zvodxlzrjywikucbb.exe*."
C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe
"C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe" "-C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe"
C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe
"C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe" "-C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c trmdzpfztkkycoyzbxx.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c trmdzpfztkkycoyzbxx.exe .
C:\Windows\ifzpkzohaqpcfqzzav.exe
ifzpkzohaqpcfqzzav.exe
C:\Windows\ifzpkzohaqpcfqzzav.exe
ifzpkzohaqpcfqzzav.exe
C:\Windows\trmdzpfztkkycoyzbxx.exe
trmdzpfztkkycoyzbxx.exe .
C:\Windows\trmdzpfztkkycoyzbxx.exe
trmdzpfztkkycoyzbxx.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c snftmzmduifqrahf.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c snftmzmduifqrahf.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\trmdzpfztkkycoyzbxx.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\trmdzpfztkkycoyzbxx.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe .
C:\Windows\snftmzmduifqrahf.exe
snftmzmduifqrahf.exe
C:\Windows\vvsljbtplegwcqcfjhjjg.exe
vvsljbtplegwcqcfjhjjg.exe .
C:\Windows\snftmzmduifqrahf.exe
snftmzmduifqrahf.exe
C:\Windows\vvsljbtplegwcqcfjhjjg.exe
vvsljbtplegwcqcfjhjjg.exe .
C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe
C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe
C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe .
C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe
C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe
C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe
C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\vvsljbtplegwcqcfjhjjg.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\vvsljbtplegwcqcfjhjjg.exe*."
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\zvodxlzrjywikucbb.exe*."
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\zvodxlzrjywikucbb.exe*."
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe
C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe .
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe
C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\ifzpkzohaqpcfqzzav.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\ifzpkzohaqpcfqzzav.exe*."
C:\Windows\vvsljbtplegwcqcfjhjjg.exe
vvsljbtplegwcqcfjhjjg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c trmdzpfztkkycoyzbxx.exe .
C:\Windows\trmdzpfztkkycoyzbxx.exe
trmdzpfztkkycoyzbxx.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\trmdzpfztkkycoyzbxx.exe*."
C:\Windows\vvsljbtplegwcqcfjhjjg.exe
vvsljbtplegwcqcfjhjjg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gfbtqhytoghwbozbebcb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe
C:\Windows\gfbtqhytoghwbozbebcb.exe
gfbtqhytoghwbozbebcb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe .
C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe
C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\gfbtqhytoghwbozbebcb.exe*."
C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe
C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\trmdzpfztkkycoyzbxx.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe .
C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe
C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe
C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe
C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\ifzpkzohaqpcfqzzav.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zvodxlzrjywikucbb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gfbtqhytoghwbozbebcb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gfbtqhytoghwbozbebcb.exe
C:\Windows\zvodxlzrjywikucbb.exe
zvodxlzrjywikucbb.exe
C:\Windows\gfbtqhytoghwbozbebcb.exe
gfbtqhytoghwbozbebcb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gfbtqhytoghwbozbebcb.exe .
C:\Windows\gfbtqhytoghwbozbebcb.exe
gfbtqhytoghwbozbebcb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zvodxlzrjywikucbb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zvodxlzrjywikucbb.exe .
C:\Windows\gfbtqhytoghwbozbebcb.exe
gfbtqhytoghwbozbebcb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe
C:\Windows\zvodxlzrjywikucbb.exe
zvodxlzrjywikucbb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c snftmzmduifqrahf.exe
C:\Windows\zvodxlzrjywikucbb.exe
zvodxlzrjywikucbb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gfbtqhytoghwbozbebcb.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\gfbtqhytoghwbozbebcb.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zvodxlzrjywikucbb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gfbtqhytoghwbozbebcb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\zvodxlzrjywikucbb.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\zvodxlzrjywikucbb.exe*."
C:\Windows\ifzpkzohaqpcfqzzav.exe
ifzpkzohaqpcfqzzav.exe
C:\Windows\snftmzmduifqrahf.exe
snftmzmduifqrahf.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe
C:\Windows\gfbtqhytoghwbozbebcb.exe
gfbtqhytoghwbozbebcb.exe .
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe
C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe
C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe
C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe
C:\Windows\zvodxlzrjywikucbb.exe
zvodxlzrjywikucbb.exe .
C:\Windows\gfbtqhytoghwbozbebcb.exe
gfbtqhytoghwbozbebcb.exe .
C:\Windows\vvsljbtplegwcqcfjhjjg.exe
vvsljbtplegwcqcfjhjjg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\gfbtqhytoghwbozbebcb.exe*."
C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe
C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .
C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe
C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\gfbtqhytoghwbozbebcb.exe*."
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\zvodxlzrjywikucbb.exe*."
C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe
C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe .
C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe
C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe
C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\snftmzmduifqrahf.exe*."
C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe
C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe
C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe
C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe .
C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe
C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\trmdzpfztkkycoyzbxx.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gfbtqhytoghwbozbebcb.exe
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\ifzpkzohaqpcfqzzav.exe*."
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\trmdzpfztkkycoyzbxx.exe*."
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\ifzpkzohaqpcfqzzav.exe*."
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\trmdzpfztkkycoyzbxx.exe*."
C:\Windows\gfbtqhytoghwbozbebcb.exe
gfbtqhytoghwbozbebcb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c trmdzpfztkkycoyzbxx.exe .
C:\Windows\trmdzpfztkkycoyzbxx.exe
trmdzpfztkkycoyzbxx.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\trmdzpfztkkycoyzbxx.exe*."
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\vvsljbtplegwcqcfjhjjg.exe
vvsljbtplegwcqcfjhjjg.exe
C:\Windows\vvsljbtplegwcqcfjhjjg.exe
vvsljbtplegwcqcfjhjjg.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\vvsljbtplegwcqcfjhjjg.exe*."
C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe
C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe .
C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe
C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\ifzpkzohaqpcfqzzav.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .
C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe
C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe
C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe
C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\snftmzmduifqrahf.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c trmdzpfztkkycoyzbxx.exe
C:\Windows\trmdzpfztkkycoyzbxx.exe
trmdzpfztkkycoyzbxx.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c snftmzmduifqrahf.exe .
C:\Windows\snftmzmduifqrahf.exe
snftmzmduifqrahf.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\snftmzmduifqrahf.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe .
C:\Windows\ifzpkzohaqpcfqzzav.exe
ifzpkzohaqpcfqzzav.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe
C:\Windows\vvsljbtplegwcqcfjhjjg.exe
vvsljbtplegwcqcfjhjjg.exe .
C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe
C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\vvsljbtplegwcqcfjhjjg.exe*."
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\vvsljbtplegwcqcfjhjjg.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe
C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe
C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe
C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\trmdzpfztkkycoyzbxx.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c snftmzmduifqrahf.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c snftmzmduifqrahf.exe .
C:\Windows\snftmzmduifqrahf.exe
snftmzmduifqrahf.exe
C:\Windows\snftmzmduifqrahf.exe
snftmzmduifqrahf.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c snftmzmduifqrahf.exe
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\snftmzmduifqrahf.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe .
C:\Windows\snftmzmduifqrahf.exe
snftmzmduifqrahf.exe
C:\Windows\ifzpkzohaqpcfqzzav.exe
ifzpkzohaqpcfqzzav.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\ifzpkzohaqpcfqzzav.exe*."
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe
C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\snftmzmduifqrahf.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe .
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe
C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\trmdzpfztkkycoyzbxx.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gfbtqhytoghwbozbebcb.exe
C:\Windows\gfbtqhytoghwbozbebcb.exe
gfbtqhytoghwbozbebcb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe .
C:\Windows\vvsljbtplegwcqcfjhjjg.exe
vvsljbtplegwcqcfjhjjg.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\vvsljbtplegwcqcfjhjjg.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gfbtqhytoghwbozbebcb.exe .
C:\Windows\ifzpkzohaqpcfqzzav.exe
ifzpkzohaqpcfqzzav.exe
C:\Windows\gfbtqhytoghwbozbebcb.exe
gfbtqhytoghwbozbebcb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\gfbtqhytoghwbozbebcb.exe*."
C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe
C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe
C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe
C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\snftmzmduifqrahf.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe .
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\vvsljbtplegwcqcfjhjjg.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c trmdzpfztkkycoyzbxx.exe
C:\Windows\trmdzpfztkkycoyzbxx.exe
trmdzpfztkkycoyzbxx.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c trmdzpfztkkycoyzbxx.exe .
C:\Windows\trmdzpfztkkycoyzbxx.exe
trmdzpfztkkycoyzbxx.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c trmdzpfztkkycoyzbxx.exe
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\trmdzpfztkkycoyzbxx.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zvodxlzrjywikucbb.exe .
C:\Windows\trmdzpfztkkycoyzbxx.exe
trmdzpfztkkycoyzbxx.exe
C:\Windows\zvodxlzrjywikucbb.exe
zvodxlzrjywikucbb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe .
C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe
C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\zvodxlzrjywikucbb.exe*."
C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe
C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\gfbtqhytoghwbozbebcb.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .
C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe
C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe
C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe
C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\snftmzmduifqrahf.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe
C:\Windows\ifzpkzohaqpcfqzzav.exe
ifzpkzohaqpcfqzzav.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zvodxlzrjywikucbb.exe .
C:\Windows\zvodxlzrjywikucbb.exe
zvodxlzrjywikucbb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\zvodxlzrjywikucbb.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe .
C:\Windows\ifzpkzohaqpcfqzzav.exe
ifzpkzohaqpcfqzzav.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe
C:\Windows\vvsljbtplegwcqcfjhjjg.exe
vvsljbtplegwcqcfjhjjg.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe .
C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe
C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\vvsljbtplegwcqcfjhjjg.exe*."
C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe
C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\zvodxlzrjywikucbb.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .
C:\Windows\vvsljbtplegwcqcfjhjjg.exe
vvsljbtplegwcqcfjhjjg.exe
C:\Windows\vvsljbtplegwcqcfjhjjg.exe
vvsljbtplegwcqcfjhjjg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe .
C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe
C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe
C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .
C:\Windows\ifzpkzohaqpcfqzzav.exe
ifzpkzohaqpcfqzzav.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gfbtqhytoghwbozbebcb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c trmdzpfztkkycoyzbxx.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gfbtqhytoghwbozbebcb.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\snftmzmduifqrahf.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\ifzpkzohaqpcfqzzav.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe .
C:\Windows\gfbtqhytoghwbozbebcb.exe
gfbtqhytoghwbozbebcb.exe
C:\Windows\gfbtqhytoghwbozbebcb.exe
gfbtqhytoghwbozbebcb.exe .
C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe
C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe
C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe .
C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe
C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe
C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe
C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c trmdzpfztkkycoyzbxx.exe
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\gfbtqhytoghwbozbebcb.exe*."
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\gfbtqhytoghwbozbebcb.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gfbtqhytoghwbozbebcb.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\gfbtqhytoghwbozbebcb.exe*."
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe
C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe .
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c snftmzmduifqrahf.exe
C:\Windows\gfbtqhytoghwbozbebcb.exe
gfbtqhytoghwbozbebcb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gfbtqhytoghwbozbebcb.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\zvodxlzrjywikucbb.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\vvsljbtplegwcqcfjhjjg.exe*."
C:\Windows\snftmzmduifqrahf.exe
snftmzmduifqrahf.exe
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\gfbtqhytoghwbozbebcb.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe .
C:\Windows\gfbtqhytoghwbozbebcb.exe
gfbtqhytoghwbozbebcb.exe .
C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe
C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe
C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe
C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\gfbtqhytoghwbozbebcb.exe*."
C:\Windows\ifzpkzohaqpcfqzzav.exe
ifzpkzohaqpcfqzzav.exe
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\gfbtqhytoghwbozbebcb.exe*."
C:\Windows\ifzpkzohaqpcfqzzav.exe
ifzpkzohaqpcfqzzav.exe .
C:\Windows\trmdzpfztkkycoyzbxx.exe
trmdzpfztkkycoyzbxx.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe
C:\Windows\trmdzpfztkkycoyzbxx.exe
trmdzpfztkkycoyzbxx.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\ifzpkzohaqpcfqzzav.exe*."
C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe
C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\trmdzpfztkkycoyzbxx.exe*."
C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe
C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\snftmzmduifqrahf.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c snftmzmduifqrahf.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\snftmzmduifqrahf.exe
snftmzmduifqrahf.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zvodxlzrjywikucbb.exe .
C:\Windows\zvodxlzrjywikucbb.exe
zvodxlzrjywikucbb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c trmdzpfztkkycoyzbxx.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\zvodxlzrjywikucbb.exe*."
C:\Windows\trmdzpfztkkycoyzbxx.exe
trmdzpfztkkycoyzbxx.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zvodxlzrjywikucbb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe
C:\Windows\zvodxlzrjywikucbb.exe
zvodxlzrjywikucbb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .
C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe
C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\zvodxlzrjywikucbb.exe*."
C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe
C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\snftmzmduifqrahf.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe
C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\snftmzmduifqrahf.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brftfvqbspabkrpo.exe
C:\Windows\brftfvqbspabkrpo.exe
brftfvqbspabkrpo.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brftfvqbspabkrpo.exe .
C:\Windows\brftfvqbspabkrpo.exe
brftfvqbspabkrpo.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c izodqhdphfrtdlkke.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\brftfvqbspabkrpo.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ezslcxxnjlbhvhkomxsle.exe .
C:\Windows\izodqhdphfrtdlkke.exe
izodqhdphfrtdlkke.exe
C:\Windows\ifzpkzohaqpcfqzzav.exe
ifzpkzohaqpcfqzzav.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjbtjdcrmnchufhkhrld.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zvodxlzrjywikucbb.exe .
C:\Windows\ezslcxxnjlbhvhkomxsle.exe
ezslcxxnjlbhvhkomxsle.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rjzpdvsfyxknyhhidl.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c trmdzpfztkkycoyzbxx.exe
C:\Windows\zvodxlzrjywikucbb.exe
zvodxlzrjywikucbb.exe .
C:\Users\Admin\AppData\Local\Temp\pjbtjdcrmnchufhkhrld.exe
C:\Users\Admin\AppData\Local\Temp\pjbtjdcrmnchufhkhrld.exe
C:\Users\Admin\AppData\Local\Temp\rjzpdvsfyxknyhhidl.exe
C:\Users\Admin\AppData\Local\Temp\rjzpdvsfyxknyhhidl.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\ezslcxxnjlbhvhkomxsle.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zvodxlzrjywikucbb.exe .
C:\Windows\trmdzpfztkkycoyzbxx.exe
trmdzpfztkkycoyzbxx.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\zvodxlzrjywikucbb.exe*."
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\rjzpdvsfyxknyhhidl.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\izodqhdphfrtdlkke.exe .
C:\Windows\zvodxlzrjywikucbb.exe
zvodxlzrjywikucbb.exe .
C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe
C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe
C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe
C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe
C:\Users\Admin\AppData\Local\Temp\izodqhdphfrtdlkke.exe
C:\Users\Admin\AppData\Local\Temp\izodqhdphfrtdlkke.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\zvodxlzrjywikucbb.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe .
C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe
C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\izodqhdphfrtdlkke.exe*."
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\zvodxlzrjywikucbb.exe*."
C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe
C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe .
C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe
C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe
"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\ifzpkzohaqpcfqzzav.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe
"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"
C:\Windows\vvsljbtplegwcqcfjhjjg.exe
vvsljbtplegwcqcfjhjjg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zvodxlzrjywikucbb.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\zvodxlzrjywikucbb.exe
zvodxlzrjywikucbb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\zvodxlzrjywikucbb.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe .
C:\Windows\vvsljbtplegwcqcfjhjjg.exe
vvsljbtplegwcqcfjhjjg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Windows\vvsljbtplegwcqcfjhjjg.exe
vvsljbtplegwcqcfjhjjg.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe .
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\vvsljbtplegwcqcfjhjjg.exe*."
C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe
C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\trmdzpfztkkycoyzbxx.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe
C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe
C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe .
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\vvsljbtplegwcqcfjhjjg.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brftfvqbspabkrpo.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe
C:\Windows\brftfvqbspabkrpo.exe
brftfvqbspabkrpo.exe
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe
"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe
"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pjbtjdcrmnchufhkhrld.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\vvsljbtplegwcqcfjhjjg.exe
vvsljbtplegwcqcfjhjjg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe .
C:\Windows\pjbtjdcrmnchufhkhrld.exe
pjbtjdcrmnchufhkhrld.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cvmdsljxrrfjvfgieng.exe
C:\Windows\vvsljbtplegwcqcfjhjjg.exe
vvsljbtplegwcqcfjhjjg.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brftfvqbspabkrpo.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zvodxlzrjywikucbb.exe
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\pjbtjdcrmnchufhkhrld.exe*."
C:\Windows\cvmdsljxrrfjvfgieng.exe
cvmdsljxrrfjvfgieng.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\izodqhdphfrtdlkke.exe
C:\Windows\brftfvqbspabkrpo.exe
brftfvqbspabkrpo.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\vvsljbtplegwcqcfjhjjg.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ezslcxxnjlbhvhkomxsle.exe .
C:\Windows\zvodxlzrjywikucbb.exe
zvodxlzrjywikucbb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\izodqhdphfrtdlkke.exe
C:\Users\Admin\AppData\Local\Temp\izodqhdphfrtdlkke.exe
C:\Windows\vvsljbtplegwcqcfjhjjg.exe
vvsljbtplegwcqcfjhjjg.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\brftfvqbspabkrpo.exe*."
C:\Users\Admin\AppData\Local\Temp\ezslcxxnjlbhvhkomxsle.exe
C:\Users\Admin\AppData\Local\Temp\ezslcxxnjlbhvhkomxsle.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cvmdsljxrrfjvfgieng.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cvmdsljxrrfjvfgieng.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\vvsljbtplegwcqcfjhjjg.exe*."
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\ezslcxxnjlbhvhkomxsle.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe .
C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe
C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe .
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\vvsljbtplegwcqcfjhjjg.exe*."
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\vvsljbtplegwcqcfjhjjg.exe*."
C:\Users\Admin\AppData\Local\Temp\cvmdsljxrrfjvfgieng.exe
C:\Users\Admin\AppData\Local\Temp\cvmdsljxrrfjvfgieng.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\cvmdsljxrrfjvfgieng.exe*."
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe
"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe
"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"
C:\Users\Admin\AppData\Local\Temp\cvmdsljxrrfjvfgieng.exe
C:\Users\Admin\AppData\Local\Temp\cvmdsljxrrfjvfgieng.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c snftmzmduifqrahf.exe
C:\Windows\snftmzmduifqrahf.exe
snftmzmduifqrahf.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gfbtqhytoghwbozbebcb.exe .
C:\Windows\gfbtqhytoghwbozbebcb.exe
gfbtqhytoghwbozbebcb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c trmdzpfztkkycoyzbxx.exe
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\gfbtqhytoghwbozbebcb.exe*."
C:\Windows\trmdzpfztkkycoyzbxx.exe
trmdzpfztkkycoyzbxx.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe
C:\Windows\vvsljbtplegwcqcfjhjjg.exe
vvsljbtplegwcqcfjhjjg.exe .
C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe
C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\vvsljbtplegwcqcfjhjjg.exe*."
C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe
C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\zvodxlzrjywikucbb.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe .
C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe
C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe
C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe
C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\zvodxlzrjywikucbb.exe*."
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe
"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe
"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe
C:\Windows\vvsljbtplegwcqcfjhjjg.exe
vvsljbtplegwcqcfjhjjg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c trmdzpfztkkycoyzbxx.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe
C:\Windows\trmdzpfztkkycoyzbxx.exe
trmdzpfztkkycoyzbxx.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gfbtqhytoghwbozbebcb.exe
C:\Windows\ifzpkzohaqpcfqzzav.exe
ifzpkzohaqpcfqzzav.exe
C:\Windows\ifzpkzohaqpcfqzzav.exe
ifzpkzohaqpcfqzzav.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c snftmzmduifqrahf.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\trmdzpfztkkycoyzbxx.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe .
C:\Windows\gfbtqhytoghwbozbebcb.exe
gfbtqhytoghwbozbebcb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gfbtqhytoghwbozbebcb.exe
C:\Windows\vvsljbtplegwcqcfjhjjg.exe
vvsljbtplegwcqcfjhjjg.exe .
C:\Windows\ifzpkzohaqpcfqzzav.exe
ifzpkzohaqpcfqzzav.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe
C:\Windows\snftmzmduifqrahf.exe
snftmzmduifqrahf.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe .
C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe
C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\ifzpkzohaqpcfqzzav.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\vvsljbtplegwcqcfjhjjg.exe*."
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe .
C:\Windows\gfbtqhytoghwbozbebcb.exe
gfbtqhytoghwbozbebcb.exe
C:\Windows\ifzpkzohaqpcfqzzav.exe
ifzpkzohaqpcfqzzav.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\snftmzmduifqrahf.exe*."
C:\Windows\ifzpkzohaqpcfqzzav.exe
ifzpkzohaqpcfqzzav.exe .
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe
"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\vvsljbtplegwcqcfjhjjg.exe*."
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe
"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"
C:\Windows\vvsljbtplegwcqcfjhjjg.exe
vvsljbtplegwcqcfjhjjg.exe .
C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe
C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe .
C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe
C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe
C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe
C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe
C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe
C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zvodxlzrjywikucbb.exe
C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe
C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe .
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\ifzpkzohaqpcfqzzav.exe*."
C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe
C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\vvsljbtplegwcqcfjhjjg.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gfbtqhytoghwbozbebcb.exe .
C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe
C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\zvodxlzrjywikucbb.exe*."
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\vvsljbtplegwcqcfjhjjg.exe*."
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\ifzpkzohaqpcfqzzav.exe*."
C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe
C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe
C:\Windows\zvodxlzrjywikucbb.exe
zvodxlzrjywikucbb.exe
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\trmdzpfztkkycoyzbxx.exe*."
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\vvsljbtplegwcqcfjhjjg.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c snftmzmduifqrahf.exe
C:\Windows\gfbtqhytoghwbozbebcb.exe
gfbtqhytoghwbozbebcb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe
C:\Windows\snftmzmduifqrahf.exe
snftmzmduifqrahf.exe
C:\Windows\ifzpkzohaqpcfqzzav.exe
ifzpkzohaqpcfqzzav.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\gfbtqhytoghwbozbebcb.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .
C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe
C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\ifzpkzohaqpcfqzzav.exe*."
C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe
C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\snftmzmduifqrahf.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe .
C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe
C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe .
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe
"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\vvsljbtplegwcqcfjhjjg.exe*."
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe
"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe
C:\Windows\ifzpkzohaqpcfqzzav.exe
ifzpkzohaqpcfqzzav.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gfbtqhytoghwbozbebcb.exe .
C:\Windows\gfbtqhytoghwbozbebcb.exe
gfbtqhytoghwbozbebcb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c trmdzpfztkkycoyzbxx.exe
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\gfbtqhytoghwbozbebcb.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe .
C:\Windows\trmdzpfztkkycoyzbxx.exe
trmdzpfztkkycoyzbxx.exe
C:\Windows\ifzpkzohaqpcfqzzav.exe
ifzpkzohaqpcfqzzav.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe
C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe
C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\ifzpkzohaqpcfqzzav.exe*."
C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe
C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\zvodxlzrjywikucbb.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe
C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe
C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe
C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\gfbtqhytoghwbozbebcb.exe*."
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe
"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe
"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c snftmzmduifqrahf.exe
C:\Windows\snftmzmduifqrahf.exe
snftmzmduifqrahf.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe .
C:\Windows\ifzpkzohaqpcfqzzav.exe
ifzpkzohaqpcfqzzav.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\ifzpkzohaqpcfqzzav.exe*."
C:\Windows\ifzpkzohaqpcfqzzav.exe
ifzpkzohaqpcfqzzav.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c trmdzpfztkkycoyzbxx.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe
C:\Windows\trmdzpfztkkycoyzbxx.exe
trmdzpfztkkycoyzbxx.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe .
C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe
C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\trmdzpfztkkycoyzbxx.exe*."
C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe
C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\zvodxlzrjywikucbb.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe .
C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe
C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe
C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe
C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\trmdzpfztkkycoyzbxx.exe*."
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe
"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe
"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gfbtqhytoghwbozbebcb.exe
C:\Windows\gfbtqhytoghwbozbebcb.exe
gfbtqhytoghwbozbebcb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zvodxlzrjywikucbb.exe .
C:\Windows\zvodxlzrjywikucbb.exe
zvodxlzrjywikucbb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\zvodxlzrjywikucbb.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c snftmzmduifqrahf.exe .
C:\Windows\vvsljbtplegwcqcfjhjjg.exe
vvsljbtplegwcqcfjhjjg.exe
C:\Windows\snftmzmduifqrahf.exe
snftmzmduifqrahf.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\snftmzmduifqrahf.exe*."
C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe
C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\snftmzmduifqrahf.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe .
C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe
C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rjzpdvsfyxknyhhidl.exe
C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe
C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe .
C:\Windows\rjzpdvsfyxknyhhidl.exe
rjzpdvsfyxknyhhidl.exe
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\ifzpkzohaqpcfqzzav.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cvmdsljxrrfjvfgieng.exe .
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe
"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe
"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"
C:\Windows\cvmdsljxrrfjvfgieng.exe
cvmdsljxrrfjvfgieng.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c izodqhdphfrtdlkke.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ezslcxxnjlbhvhkomxsle.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\cvmdsljxrrfjvfgieng.exe*."
C:\Windows\izodqhdphfrtdlkke.exe
izodqhdphfrtdlkke.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjbtjdcrmnchufhkhrld.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c trmdzpfztkkycoyzbxx.exe
C:\Windows\ezslcxxnjlbhvhkomxsle.exe
ezslcxxnjlbhvhkomxsle.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rjzpdvsfyxknyhhidl.exe .
C:\Users\Admin\AppData\Local\Temp\pjbtjdcrmnchufhkhrld.exe
C:\Users\Admin\AppData\Local\Temp\pjbtjdcrmnchufhkhrld.exe
C:\Windows\trmdzpfztkkycoyzbxx.exe
trmdzpfztkkycoyzbxx.exe
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\ezslcxxnjlbhvhkomxsle.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe .
C:\Users\Admin\AppData\Local\Temp\rjzpdvsfyxknyhhidl.exe
C:\Users\Admin\AppData\Local\Temp\rjzpdvsfyxknyhhidl.exe .
C:\Windows\ifzpkzohaqpcfqzzav.exe
ifzpkzohaqpcfqzzav.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\rjzpdvsfyxknyhhidl.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ezslcxxnjlbhvhkomxsle.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gfbtqhytoghwbozbebcb.exe
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\ifzpkzohaqpcfqzzav.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cvmdsljxrrfjvfgieng.exe .
C:\Windows\gfbtqhytoghwbozbebcb.exe
gfbtqhytoghwbozbebcb.exe
C:\Users\Admin\AppData\Local\Temp\ezslcxxnjlbhvhkomxsle.exe
C:\Users\Admin\AppData\Local\Temp\ezslcxxnjlbhvhkomxsle.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe
C:\Windows\vvsljbtplegwcqcfjhjjg.exe
vvsljbtplegwcqcfjhjjg.exe .
C:\Users\Admin\AppData\Local\Temp\cvmdsljxrrfjvfgieng.exe
C:\Users\Admin\AppData\Local\Temp\cvmdsljxrrfjvfgieng.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe .
C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe
C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\cvmdsljxrrfjvfgieng.exe*."
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\vvsljbtplegwcqcfjhjjg.exe*."
C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe
C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\zvodxlzrjywikucbb.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe .
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe
C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe .
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe
"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\gfbtqhytoghwbozbebcb.exe*."
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe
"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gfbtqhytoghwbozbebcb.exe
C:\Windows\gfbtqhytoghwbozbebcb.exe
gfbtqhytoghwbozbebcb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gfbtqhytoghwbozbebcb.exe .
C:\Windows\gfbtqhytoghwbozbebcb.exe
gfbtqhytoghwbozbebcb.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\gfbtqhytoghwbozbebcb.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zvodxlzrjywikucbb.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zvodxlzrjywikucbb.exe .
C:\Windows\zvodxlzrjywikucbb.exe
zvodxlzrjywikucbb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe
C:\Windows\zvodxlzrjywikucbb.exe
zvodxlzrjywikucbb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe .
C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe
C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\zvodxlzrjywikucbb.exe*."
C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe
C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\gfbtqhytoghwbozbebcb.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe .
C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe
C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\vvsljbtplegwcqcfjhjjg.exe*."
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe
"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe
"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe
C:\Windows\ifzpkzohaqpcfqzzav.exe
ifzpkzohaqpcfqzzav.exe
C:\Windows\vvsljbtplegwcqcfjhjjg.exe
vvsljbtplegwcqcfjhjjg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe .
C:\Windows\ifzpkzohaqpcfqzzav.exe
ifzpkzohaqpcfqzzav.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c trmdzpfztkkycoyzbxx.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c trmdzpfztkkycoyzbxx.exe .
C:\Windows\vvsljbtplegwcqcfjhjjg.exe
vvsljbtplegwcqcfjhjjg.exe .
C:\Windows\trmdzpfztkkycoyzbxx.exe
trmdzpfztkkycoyzbxx.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c snftmzmduifqrahf.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gfbtqhytoghwbozbebcb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c trmdzpfztkkycoyzbxx.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\vvsljbtplegwcqcfjhjjg.exe*."
C:\Windows\trmdzpfztkkycoyzbxx.exe
trmdzpfztkkycoyzbxx.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\trmdzpfztkkycoyzbxx.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c trmdzpfztkkycoyzbxx.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe .
C:\Windows\snftmzmduifqrahf.exe
snftmzmduifqrahf.exe
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\trmdzpfztkkycoyzbxx.exe*."
C:\Windows\vvsljbtplegwcqcfjhjjg.exe
vvsljbtplegwcqcfjhjjg.exe
C:\Windows\ifzpkzohaqpcfqzzav.exe
ifzpkzohaqpcfqzzav.exe .
C:\Windows\trmdzpfztkkycoyzbxx.exe
trmdzpfztkkycoyzbxx.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .
C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe
C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe
C:\Windows\gfbtqhytoghwbozbebcb.exe
gfbtqhytoghwbozbebcb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe .
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe
"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"
C:\Windows\trmdzpfztkkycoyzbxx.exe
trmdzpfztkkycoyzbxx.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\trmdzpfztkkycoyzbxx.exe*."
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\ifzpkzohaqpcfqzzav.exe*."
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe
"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"
C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe
C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe
C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe
C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe
C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe
C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\trmdzpfztkkycoyzbxx.exe*."
C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe
C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe
C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe
C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .
C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe
C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c snftmzmduifqrahf.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\zvodxlzrjywikucbb.exe*."
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\snftmzmduifqrahf.exe*."
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\snftmzmduifqrahf.exe*."
C:\Windows\snftmzmduifqrahf.exe
snftmzmduifqrahf.exe
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe .
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c trmdzpfztkkycoyzbxx.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\vvsljbtplegwcqcfjhjjg.exe*."
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\vvsljbtplegwcqcfjhjjg.exe*."
C:\Windows\trmdzpfztkkycoyzbxx.exe
trmdzpfztkkycoyzbxx.exe .
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zvodxlzrjywikucbb.exe
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\trmdzpfztkkycoyzbxx.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c trmdzpfztkkycoyzbxx.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\vvsljbtplegwcqcfjhjjg.exe*."
C:\Windows\zvodxlzrjywikucbb.exe
zvodxlzrjywikucbb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Windows\trmdzpfztkkycoyzbxx.exe
trmdzpfztkkycoyzbxx.exe .
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\trmdzpfztkkycoyzbxx.exe*."
C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe
C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\snftmzmduifqrahf.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe
C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe
"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"
C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe
C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe .
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe
"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\gfbtqhytoghwbozbebcb.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gfbtqhytoghwbozbebcb.exe
C:\Windows\gfbtqhytoghwbozbebcb.exe
gfbtqhytoghwbozbebcb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c trmdzpfztkkycoyzbxx.exe .
C:\Windows\trmdzpfztkkycoyzbxx.exe
trmdzpfztkkycoyzbxx.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c snftmzmduifqrahf.exe
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\trmdzpfztkkycoyzbxx.exe*."
C:\Windows\snftmzmduifqrahf.exe
snftmzmduifqrahf.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gfbtqhytoghwbozbebcb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe
C:\Windows\gfbtqhytoghwbozbebcb.exe
gfbtqhytoghwbozbebcb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe .
C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe
C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\gfbtqhytoghwbozbebcb.exe*."
C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe
C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\zvodxlzrjywikucbb.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe .
C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe
C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe
C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe
C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe .
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe
"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe
"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\trmdzpfztkkycoyzbxx.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe
C:\Windows\ifzpkzohaqpcfqzzav.exe
ifzpkzohaqpcfqzzav.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe .
C:\Windows\ifzpkzohaqpcfqzzav.exe
ifzpkzohaqpcfqzzav.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zvodxlzrjywikucbb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c trmdzpfztkkycoyzbxx.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\ifzpkzohaqpcfqzzav.exe*."
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\zvodxlzrjywikucbb.exe
zvodxlzrjywikucbb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe
C:\Windows\trmdzpfztkkycoyzbxx.exe
trmdzpfztkkycoyzbxx.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe .
C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe
C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\trmdzpfztkkycoyzbxx.exe*."
C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe
C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\zvodxlzrjywikucbb.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .
C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe
C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe
C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe
C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe
"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe
"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\snftmzmduifqrahf.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe
C:\Windows\vvsljbtplegwcqcfjhjjg.exe
vvsljbtplegwcqcfjhjjg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gfbtqhytoghwbozbebcb.exe .
C:\Windows\gfbtqhytoghwbozbebcb.exe
gfbtqhytoghwbozbebcb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zvodxlzrjywikucbb.exe
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\gfbtqhytoghwbozbebcb.exe*."
C:\Windows\zvodxlzrjywikucbb.exe
zvodxlzrjywikucbb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c snftmzmduifqrahf.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe
C:\Windows\snftmzmduifqrahf.exe
snftmzmduifqrahf.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe
C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\snftmzmduifqrahf.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pjbtjdcrmnchufhkhrld.exe
C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe
C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe .
C:\Windows\pjbtjdcrmnchufhkhrld.exe
pjbtjdcrmnchufhkhrld.exe
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\trmdzpfztkkycoyzbxx.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rjzpdvsfyxknyhhidl.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Windows\rjzpdvsfyxknyhhidl.exe
rjzpdvsfyxknyhhidl.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c brftfvqbspabkrpo.exe
C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe
C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe
"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe
"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pjbtjdcrmnchufhkhrld.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\rjzpdvsfyxknyhhidl.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ezslcxxnjlbhvhkomxsle.exe
C:\Windows\brftfvqbspabkrpo.exe
brftfvqbspabkrpo.exe
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\snftmzmduifqrahf.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ezslcxxnjlbhvhkomxsle.exe .
C:\Windows\pjbtjdcrmnchufhkhrld.exe
pjbtjdcrmnchufhkhrld.exe .
C:\Users\Admin\AppData\Local\Temp\ezslcxxnjlbhvhkomxsle.exe
C:\Users\Admin\AppData\Local\Temp\ezslcxxnjlbhvhkomxsle.exe
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\pjbtjdcrmnchufhkhrld.exe*."
C:\Users\Admin\AppData\Local\Temp\ezslcxxnjlbhvhkomxsle.exe
C:\Users\Admin\AppData\Local\Temp\ezslcxxnjlbhvhkomxsle.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rjzpdvsfyxknyhhidl.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\ezslcxxnjlbhvhkomxsle.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cvmdsljxrrfjvfgieng.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\rjzpdvsfyxknyhhidl.exe
C:\Users\Admin\AppData\Local\Temp\rjzpdvsfyxknyhhidl.exe
C:\Users\Admin\AppData\Local\Temp\cvmdsljxrrfjvfgieng.exe
C:\Users\Admin\AppData\Local\Temp\cvmdsljxrrfjvfgieng.exe .
C:\Windows\vvsljbtplegwcqcfjhjjg.exe
vvsljbtplegwcqcfjhjjg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\cvmdsljxrrfjvfgieng.exe*."
C:\Windows\ifzpkzohaqpcfqzzav.exe
ifzpkzohaqpcfqzzav.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\ifzpkzohaqpcfqzzav.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c snftmzmduifqrahf.exe .
C:\Windows\ifzpkzohaqpcfqzzav.exe
ifzpkzohaqpcfqzzav.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe
C:\Windows\snftmzmduifqrahf.exe
snftmzmduifqrahf.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe .
C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe
C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\snftmzmduifqrahf.exe*."
C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe
C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\gfbtqhytoghwbozbebcb.exe*."
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe
"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe
"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"
C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe
C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe .
C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe
C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\gfbtqhytoghwbozbebcb.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe
C:\Windows\ifzpkzohaqpcfqzzav.exe
ifzpkzohaqpcfqzzav.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe .
C:\Windows\ifzpkzohaqpcfqzzav.exe
ifzpkzohaqpcfqzzav.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c snftmzmduifqrahf.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gfbtqhytoghwbozbebcb.exe .
C:\Windows\snftmzmduifqrahf.exe
snftmzmduifqrahf.exe
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\ifzpkzohaqpcfqzzav.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe
C:\Windows\gfbtqhytoghwbozbebcb.exe
gfbtqhytoghwbozbebcb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe .
C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe
C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\gfbtqhytoghwbozbebcb.exe*."
C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe
C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\gfbtqhytoghwbozbebcb.exe*."
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe
"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe
"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe .
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe
C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe
C:\Users\Admin\AppData\Local\Temp\gfbtqhytoghwbozbebcb.exe .
C:\Windows\vvsljbtplegwcqcfjhjjg.exe
vvsljbtplegwcqcfjhjjg.exe
C:\Windows\vvsljbtplegwcqcfjhjjg.exe
vvsljbtplegwcqcfjhjjg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\gfbtqhytoghwbozbebcb.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe .
C:\Windows\ifzpkzohaqpcfqzzav.exe
ifzpkzohaqpcfqzzav.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gfbtqhytoghwbozbebcb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gfbtqhytoghwbozbebcb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c snftmzmduifqrahf.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe .
C:\Windows\ifzpkzohaqpcfqzzav.exe
ifzpkzohaqpcfqzzav.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\ifzpkzohaqpcfqzzav.exe*."
C:\Windows\gfbtqhytoghwbozbebcb.exe
gfbtqhytoghwbozbebcb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c snftmzmduifqrahf.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe .
C:\Windows\gfbtqhytoghwbozbebcb.exe
gfbtqhytoghwbozbebcb.exe
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\ifzpkzohaqpcfqzzav.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gfbtqhytoghwbozbebcb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe
C:\Windows\ifzpkzohaqpcfqzzav.exe
ifzpkzohaqpcfqzzav.exe .
C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe
C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe .
C:\Windows\snftmzmduifqrahf.exe
snftmzmduifqrahf.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe .
C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe
C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gfbtqhytoghwbozbebcb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe .
C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe
C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe .
C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe
C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe
"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"
C:\Windows\snftmzmduifqrahf.exe
snftmzmduifqrahf.exe
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\ifzpkzohaqpcfqzzav.exe*."
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\ifzpkzohaqpcfqzzav.exe*."
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\snftmzmduifqrahf.exe*."
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe
"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\snftmzmduifqrahf.exe*."
C:\Windows\gfbtqhytoghwbozbebcb.exe
gfbtqhytoghwbozbebcb.exe .
C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe
C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe
C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe
C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe .
C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe
C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe
C:\Windows\gfbtqhytoghwbozbebcb.exe
gfbtqhytoghwbozbebcb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe
C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe
C:\Windows\vvsljbtplegwcqcfjhjjg.exe
vvsljbtplegwcqcfjhjjg.exe .
C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe
C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\gfbtqhytoghwbozbebcb.exe*."
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\trmdzpfztkkycoyzbxx.exe*."
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\vvsljbtplegwcqcfjhjjg.exe*."
C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe
C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\vvsljbtplegwcqcfjhjjg.exe*."
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\trmdzpfztkkycoyzbxx.exe*."
C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe
C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\ifzpkzohaqpcfqzzav.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe
C:\Windows\ifzpkzohaqpcfqzzav.exe
ifzpkzohaqpcfqzzav.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ifzpkzohaqpcfqzzav.exe .
C:\Windows\ifzpkzohaqpcfqzzav.exe
ifzpkzohaqpcfqzzav.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c trmdzpfztkkycoyzbxx.exe
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\ifzpkzohaqpcfqzzav.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vvsljbtplegwcqcfjhjjg.exe .
C:\Windows\trmdzpfztkkycoyzbxx.exe
trmdzpfztkkycoyzbxx.exe
C:\Windows\vvsljbtplegwcqcfjhjjg.exe
vvsljbtplegwcqcfjhjjg.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe
"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe .
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe
"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Users\Admin\AppData\Local\Temp\vvsljbtplegwcqcfjhjjg.exe
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\vvsljbtplegwcqcfjhjjg.exe*."
C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe
C:\Users\Admin\AppData\Local\Temp\trmdzpfztkkycoyzbxx.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\trmdzpfztkkycoyzbxx.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe .
C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe
C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe
C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe
C:\Users\Admin\AppData\Local\Temp\zvodxlzrjywikucbb.exe .
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\users\admin\appdata\local\temp\zvodxlzrjywikucbb.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zvodxlzrjywikucbb.exe
C:\Windows\zvodxlzrjywikucbb.exe
zvodxlzrjywikucbb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c trmdzpfztkkycoyzbxx.exe .
C:\Windows\trmdzpfztkkycoyzbxx.exe
trmdzpfztkkycoyzbxx.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c trmdzpfztkkycoyzbxx.exe
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\trmdzpfztkkycoyzbxx.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gfbtqhytoghwbozbebcb.exe .
C:\Windows\trmdzpfztkkycoyzbxx.exe
trmdzpfztkkycoyzbxx.exe
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe
"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe
C:\Users\Admin\AppData\Local\Temp\ejmpq.exe
"C:\Users\Admin\AppData\Local\Temp\ejmpq.exe" "-C:\Users\Admin\AppData\Local\Temp\brftfvqbspabkrpo.exe"
C:\Windows\gfbtqhytoghwbozbebcb.exe
gfbtqhytoghwbozbebcb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ifzpkzohaqpcfqzzav.exe .
C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe
C:\Users\Admin\AppData\Local\Temp\snftmzmduifqrahf.exe
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
"C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe" "c:\windows\gfbtqhytoghwbozbebcb.exe*."
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | whatismyipaddress.com | udp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | www.whatismyip.ca | udp |
| US | 8.8.8.8:53 | whatismyip.everdot.org | udp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | www.whatismyip.com | udp |
| US | 172.66.43.169:80 | www.whatismyip.com | tcp |
| US | 172.66.43.169:80 | www.whatismyip.com | tcp |
| US | 8.8.8.8:53 | whatismyip.everdot.org | udp |
| US | 8.8.8.8:53 | www.showmyipaddress.com | udp |
| US | 104.21.74.56:80 | www.showmyipaddress.com | tcp |
| US | 8.8.8.8:53 | www.whatismyip.ca | udp |
| US | 104.21.74.56:80 | www.showmyipaddress.com | tcp |
| US | 172.66.43.169:80 | www.whatismyip.com | tcp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 172.66.43.169:80 | www.whatismyip.com | tcp |
| US | 172.66.43.169:80 | www.whatismyip.com | tcp |
| US | 104.21.74.56:80 | www.showmyipaddress.com | tcp |
| US | 8.8.8.8:53 | whatismyip.everdot.org | udp |
| US | 104.21.74.56:80 | www.showmyipaddress.com | tcp |
| US | 172.66.43.169:80 | www.whatismyip.com | tcp |
| US | 8.8.8.8:53 | www.whatismyip.ca | udp |
| US | 8.8.8.8:53 | www.youtube.com | udp |
| NL | 108.177.96.93:80 | www.youtube.com | tcp |
| RU | 77.223.78.79:38707 | tcp | |
| US | 8.8.8.8:53 | gyuuym.org | udp |
| DE | 85.214.228.140:80 | gyuuym.org | tcp |
| US | 8.8.8.8:53 | eexkotf.info | udp |
| US | 8.8.8.8:53 | eiwoaeokgwog.com | udp |
| US | 8.8.8.8:53 | qqgyfxxrwi.info | udp |
| US | 8.8.8.8:53 | uccqsmaceeog.com | udp |
| US | 8.8.8.8:53 | vvpqlmhsvez.org | udp |
| US | 8.8.8.8:53 | uyyqmq.org | udp |
| US | 8.8.8.8:53 | pmfrjpd.net | udp |
| US | 8.8.8.8:53 | nwnlunl.info | udp |
| US | 8.8.8.8:53 | unxfuild.info | udp |
| SG | 18.142.91.111:80 | unxfuild.info | tcp |
| US | 8.8.8.8:53 | ecarkkfge.net | udp |
| US | 8.8.8.8:53 | udxeinqijify.net | udp |
| US | 8.8.8.8:53 | gqturtz.info | udp |
| US | 8.8.8.8:53 | pzonmwzqaaxg.net | udp |
| US | 8.8.8.8:53 | mwvcdel.info | udp |
| US | 8.8.8.8:53 | zbwlzqxw.info | udp |
| US | 8.8.8.8:53 | trddaw.info | udp |
| US | 8.8.8.8:53 | ggoiukqgsikq.org | udp |
| US | 8.8.8.8:53 | kfdhntds.info | udp |
| US | 8.8.8.8:53 | soosoutg.net | udp |
| US | 8.8.8.8:53 | regnxpfm.info | udp |
| US | 8.8.8.8:53 | udzdjiddn.net | udp |
| US | 8.8.8.8:53 | gikmsuwy.net | udp |
| US | 8.8.8.8:53 | eckwgkuwmoig.org | udp |
| US | 8.8.8.8:53 | yaaqimkemuce.com | udp |
| US | 8.8.8.8:53 | chttig.net | udp |
| US | 8.8.8.8:53 | bgzztyt.net | udp |
| US | 8.8.8.8:53 | ygoukmwg.org | udp |
| RU | 81.163.102.144:42522 | tcp | |
| US | 8.8.8.8:53 | ggqywaauomwa.com | udp |
| US | 8.8.8.8:53 | uhvsgrzt.net | udp |
| US | 8.8.8.8:53 | igbrdw.net | udp |
| US | 8.8.8.8:53 | dlrwpmnz.net | udp |
| US | 8.8.8.8:53 | cydlrge.info | udp |
| US | 104.156.155.94:80 | cydlrge.info | tcp |
| US | 8.8.8.8:53 | zbbwbxbltuys.info | udp |
| US | 8.8.8.8:53 | wqguhmew.net | udp |
| US | 8.8.8.8:53 | wmimwemk.org | udp |
| US | 8.8.8.8:53 | mjotpzfbosdh.info | udp |
| US | 8.8.8.8:53 | rnjocnb.org | udp |
| US | 8.8.8.8:53 | fvmsxycepv.net | udp |
| US | 8.8.8.8:53 | vvqkmettlbmk.info | udp |
| US | 8.8.8.8:53 | dxtisnno.info | udp |
| US | 8.8.8.8:53 | luvehemiri.info | udp |
| US | 8.8.8.8:53 | emjefllcr.info | udp |
| US | 8.8.8.8:53 | grqivjdkk.info | udp |
| US | 8.8.8.8:53 | lalckpw.org | udp |
| US | 8.8.8.8:53 | pqtgwlb.org | udp |
| US | 8.8.8.8:53 | xrjgqeapv.org | udp |
| US | 8.8.8.8:53 | hmfurcniz.info | udp |
| US | 8.8.8.8:53 | drpnaxockodb.info | udp |
| US | 8.8.8.8:53 | xpyokogem.com | udp |
| US | 8.8.8.8:53 | jubqjqz.info | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| RU | 109.171.90.106:22110 | tcp | |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | lgtefafwk.com | udp |
| US | 8.8.8.8:53 | ddpobim.org | udp |
| US | 8.8.8.8:53 | xxuoecb.info | udp |
| US | 8.8.8.8:53 | jiwoyixyg.net | udp |
| US | 8.8.8.8:53 | torklmn.com | udp |
| US | 8.8.8.8:53 | xkfnifzmj.org | udp |
| US | 8.8.8.8:53 | gyfuvgp.net | udp |
| US | 8.8.8.8:53 | iqgnvszeyxj.info | udp |
| US | 8.8.8.8:53 | ewhqxezcwwc.net | udp |
| US | 8.8.8.8:53 | zvnetamn.net | udp |
| US | 8.8.8.8:53 | tpmursqydo.info | udp |
| US | 8.8.8.8:53 | sjhiaceqz.net | udp |
| US | 8.8.8.8:53 | ajkaletef.net | udp |
| US | 8.8.8.8:53 | oocqoeecym.org | udp |
| US | 8.8.8.8:53 | rgvavtfukg.net | udp |
| US | 8.8.8.8:53 | yoaoooewyeeo.com | udp |
| US | 8.8.8.8:53 | psghwaps.net | udp |
| US | 8.8.8.8:53 | qxmfwo.info | udp |
| US | 8.8.8.8:53 | mdhpuesj.net | udp |
| US | 8.8.8.8:53 | xkmdfofxu.info | udp |
| US | 8.8.8.8:53 | aiatzchrhzlw.info | udp |
| US | 8.8.8.8:53 | ocwieqwsmgom.com | udp |
| US | 8.8.8.8:53 | tqstvovrnut.com | udp |
| US | 8.8.8.8:53 | kzobzbbskkfp.net | udp |
| US | 8.8.8.8:53 | dqjrswwie.com | udp |
| US | 8.8.8.8:53 | ebzxznzyf.net | udp |
| US | 8.8.8.8:53 | magqum.org | udp |
| US | 8.8.8.8:53 | irjegoeijuj.info | udp |
| US | 8.8.8.8:53 | vrxmprngmlhk.net | udp |
| US | 8.8.8.8:53 | eznabol.net | udp |
| US | 8.8.8.8:53 | zsbgeev.org | udp |
| US | 8.8.8.8:53 | wpnlfudy.net | udp |
| US | 8.8.8.8:53 | xqnwrkdey.info | udp |
| US | 8.8.8.8:53 | vpaefgq.info | udp |
| US | 8.8.8.8:53 | nuhureuszkp.com | udp |
| US | 8.8.8.8:53 | klqmnybibg.net | udp |
| US | 8.8.8.8:53 | uumocigk.org | udp |
| US | 8.8.8.8:53 | xtwmrcheht.net | udp |
| US | 8.8.8.8:53 | ouykoueski.com | udp |
| US | 8.8.8.8:53 | lxuwvnzn.info | udp |
| US | 8.8.8.8:53 | fzephmmo.info | udp |
| US | 8.8.8.8:53 | bippbklpogp.com | udp |
| US | 8.8.8.8:53 | wsvyjilqa.net | udp |
| US | 8.8.8.8:53 | favsrkddpp.info | udp |
| US | 8.8.8.8:53 | miblxid.net | udp |
| US | 8.8.8.8:53 | llgqjodd.info | udp |
| US | 8.8.8.8:53 | dkouvubcpovf.info | udp |
| US | 8.8.8.8:53 | wzvyhpgfpx.info | udp |
| BG | 212.73.158.164:38314 | tcp | |
| US | 8.8.8.8:53 | lyfydcz.org | udp |
| US | 8.8.8.8:53 | hfnwtvpktc.net | udp |
| US | 8.8.8.8:53 | ojulvu.info | udp |
| US | 8.8.8.8:53 | kgucribs.info | udp |
| US | 8.8.8.8:53 | hvistgf.net | udp |
| US | 8.8.8.8:53 | jpmvdl.net | udp |
| US | 8.8.8.8:53 | zyfitez.info | udp |
| US | 8.8.8.8:53 | bhmarckn.net | udp |
| US | 8.8.8.8:53 | sqnjdmcsljl.info | udp |
| US | 8.8.8.8:53 | uyfwfygyt.net | udp |
| US | 8.8.8.8:53 | ckuhkr.net | udp |
| US | 8.8.8.8:53 | plawpqxu.info | udp |
| US | 8.8.8.8:53 | ivpifeg.info | udp |
| US | 8.8.8.8:53 | fbosnbkf.info | udp |
| US | 8.8.8.8:53 | leqdurjb.net | udp |
| US | 8.8.8.8:53 | wwjcfsq.net | udp |
| US | 8.8.8.8:53 | nqcmmotmvcl.org | udp |
| US | 8.8.8.8:53 | jjhkcassxjkg.info | udp |
| US | 8.8.8.8:53 | vmfyzxjop.com | udp |
| US | 8.8.8.8:53 | pevposdkzmmx.net | udp |
| US | 8.8.8.8:53 | sqjshm.net | udp |
| US | 8.8.8.8:53 | akmgqmaqycae.com | udp |
| US | 8.8.8.8:53 | dxikspgshgbk.info | udp |
| US | 8.8.8.8:53 | zitaxgf.org | udp |
| US | 8.8.8.8:53 | iqkyaqi.net | udp |
| US | 8.8.8.8:53 | iakqgqqq.org | udp |
| US | 8.8.8.8:53 | xuhjhgh.net | udp |
| US | 8.8.8.8:53 | lgmwshpwdp.net | udp |
| US | 8.8.8.8:53 | xkfcrlu.info | udp |
| US | 8.8.8.8:53 | kiswiethjbsx.info | udp |
| US | 8.8.8.8:53 | iqmqka.org | udp |
| US | 8.8.8.8:53 | imkksu.org | udp |
| US | 8.8.8.8:53 | zgrjrexb.net | udp |
| US | 8.8.8.8:53 | caqkxcv.net | udp |
| US | 8.8.8.8:53 | seymos.com | udp |
| US | 8.8.8.8:53 | jkkusoleoks.com | udp |
| US | 8.8.8.8:53 | tmswpub.net | udp |
| US | 8.8.8.8:53 | eeueccewmeem.com | udp |
| LT | 78.60.137.134:36561 | tcp | |
| US | 8.8.8.8:53 | ymqfljmkljmc.info | udp |
| US | 8.8.8.8:53 | wewsmy.com | udp |
| US | 8.8.8.8:53 | pdghwgfykon.info | udp |
| US | 8.8.8.8:53 | fffqhazzmohe.info | udp |
| US | 8.8.8.8:53 | gthoprfe.net | udp |
| US | 8.8.8.8:53 | muiyya.com | udp |
| US | 8.8.8.8:53 | xudwqcfsmygf.net | udp |
| US | 8.8.8.8:53 | vlpxze.info | udp |
| US | 8.8.8.8:53 | achoflxaa.net | udp |
| US | 8.8.8.8:53 | swdopariv.net | udp |
| US | 8.8.8.8:53 | qykweumuge.org | udp |
| US | 8.8.8.8:53 | skywyumxq.net | udp |
| US | 8.8.8.8:53 | gefvuptctc.net | udp |
| US | 8.8.8.8:53 | fupqdkuv.info | udp |
| US | 8.8.8.8:53 | aygspphuc.info | udp |
| US | 8.8.8.8:53 | seltwxls.net | udp |
| US | 8.8.8.8:53 | usikcoem.com | udp |
| US | 8.8.8.8:53 | egsmyysc.org | udp |
| US | 8.8.8.8:53 | gjbqvl.net | udp |
| US | 8.8.8.8:53 | vntcidw.com | udp |
| US | 8.8.8.8:53 | humrwvaatezj.net | udp |
| US | 8.8.8.8:53 | nshdioh.net | udp |
| US | 8.8.8.8:53 | bzgwumazks.info | udp |
| US | 8.8.8.8:53 | tckqjmvimmw.info | udp |
| US | 8.8.8.8:53 | njugbgahswnd.net | udp |
| US | 8.8.8.8:53 | ocvvzewlhdly.net | udp |
| US | 8.8.8.8:53 | ekqqcc.org | udp |
| US | 8.8.8.8:53 | lqvcwl.net | udp |
| US | 8.8.8.8:53 | ndxazqnb.net | udp |
| US | 8.8.8.8:53 | vuthfotnwmf.com | udp |
| US | 8.8.8.8:53 | ywtgbieahsr.info | udp |
| US | 8.8.8.8:53 | dwfkeogzvhjn.info | udp |
| US | 8.8.8.8:53 | gppxtymxoc.info | udp |
| US | 8.8.8.8:53 | yrubfclb.net | udp |
| US | 8.8.8.8:53 | vfylrr.net | udp |
| US | 8.8.8.8:53 | hqpqaejqff.info | udp |
| US | 8.8.8.8:53 | guwiskkcya.com | udp |
| US | 8.8.8.8:53 | gqmukaaqaagc.org | udp |
| US | 8.8.8.8:53 | aiiepcaupxr.net | udp |
| US | 8.8.8.8:53 | qtgqqinahbp.info | udp |
| US | 8.8.8.8:53 | heeufoyzrgzr.info | udp |
| US | 8.8.8.8:53 | kjomfddc.net | udp |
| US | 8.8.8.8:53 | uugtwfjkea.info | udp |
| US | 8.8.8.8:53 | rsmgvipsbxn.org | udp |
| US | 8.8.8.8:53 | tcvuvhjwh.info | udp |
| US | 8.8.8.8:53 | yykogaeeuwik.com | udp |
| US | 8.8.8.8:53 | osaoggsu.org | udp |
| US | 8.8.8.8:53 | jubvpax.info | udp |
| US | 8.8.8.8:53 | zrnddj.net | udp |
| US | 8.8.8.8:53 | kuswuaiammek.org | udp |
| US | 8.8.8.8:53 | aknsgwkcl.net | udp |
| US | 8.8.8.8:53 | mheoufbwbusq.info | udp |
| US | 8.8.8.8:53 | nuwoqwuunwy.net | udp |
| US | 8.8.8.8:53 | hyvslrtyap.info | udp |
| US | 8.8.8.8:53 | gmmikjtntd.info | udp |
| US | 8.8.8.8:53 | ecbwysbz.info | udp |
| US | 8.8.8.8:53 | njmyupro.net | udp |
| US | 8.8.8.8:53 | ucueqqeq.org | udp |
| US | 8.8.8.8:53 | lbhivufnh.info | udp |
| RU | 37.78.53.100:31421 | tcp | |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| NL | 173.194.69.94:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | hvamve.net | udp |
| US | 8.8.8.8:53 | javenjmjab.net | udp |
| US | 8.8.8.8:53 | tbifbcfqrqf.org | udp |
| US | 8.8.8.8:53 | xrpwmsl.info | udp |
| US | 8.8.8.8:53 | xmksnjkx.info | udp |
| US | 8.8.8.8:53 | xefyrbw.net | udp |
| US | 8.8.8.8:53 | inqwsjvwfih.net | udp |
| US | 8.8.8.8:53 | hcxkvqpgp.info | udp |
| US | 8.8.8.8:53 | djlewglculp.info | udp |
| US | 8.8.8.8:53 | porqmpwyjdxr.net | udp |
| US | 8.8.8.8:53 | gwjhiykur.net | udp |
| US | 8.8.8.8:53 | xuydlddpph.net | udp |
| US | 8.8.8.8:53 | iusioomq.org | udp |
| US | 8.8.8.8:53 | rmdqbsr.org | udp |
| US | 8.8.8.8:53 | huujzzqbkb.net | udp |
| US | 8.8.8.8:53 | pwbuzxafqa.info | udp |
| US | 8.8.8.8:53 | pyrkeqsjq.com | udp |
| US | 8.8.8.8:53 | eufrzjcqd.info | udp |
| US | 8.8.8.8:53 | zctqses.net | udp |
| US | 8.8.8.8:53 | zsetki.net | udp |
| US | 8.8.8.8:53 | amkwyw.com | udp |
| US | 8.8.8.8:53 | kdverxnqr.info | udp |
| US | 8.8.8.8:53 | wcsbrpz.net | udp |
| US | 8.8.8.8:53 | qicvvzbiszlq.info | udp |
| US | 8.8.8.8:53 | lemywmdxdvv.com | udp |
| US | 8.8.8.8:53 | eqhajgnyp.net | udp |
| US | 8.8.8.8:53 | uwcuws.org | udp |
| US | 8.8.8.8:53 | tsdgpzgl.net | udp |
| US | 8.8.8.8:53 | bbynszjbnxfz.net | udp |
| US | 8.8.8.8:53 | uzkkfpnqprh.net | udp |
| US | 8.8.8.8:53 | azlfou.info | udp |
| US | 8.8.8.8:53 | sqxianowwh.info | udp |
| US | 8.8.8.8:53 | iqxilwn.net | udp |
| US | 8.8.8.8:53 | tuccxwxuj.net | udp |
| US | 8.8.8.8:53 | gicwkesk.com | udp |
| US | 8.8.8.8:53 | eyrwhecqcld.net | udp |
| US | 8.8.8.8:53 | umyicieyee.org | udp |
| US | 8.8.8.8:53 | iwseueyaqw.com | udp |
| US | 8.8.8.8:53 | vcsuct.net | udp |
| US | 8.8.8.8:53 | cgmuyuwkkm.com | udp |
| US | 8.8.8.8:53 | kqvfjr.info | udp |
| US | 8.8.8.8:53 | vlrfndulx.info | udp |
| US | 8.8.8.8:53 | cwthxabhl.net | udp |
| US | 8.8.8.8:53 | vfnvyo.net | udp |
| US | 8.8.8.8:53 | ycfwxyn.info | udp |
| US | 8.8.8.8:53 | gnbqfeved.info | udp |
| US | 8.8.8.8:53 | fsyczawoha.info | udp |
| US | 8.8.8.8:53 | vtwxdsja.net | udp |
| US | 8.8.8.8:53 | qxofewvrb.info | udp |
| AM | 46.241.134.173:23589 | tcp | |
| US | 8.8.8.8:53 | bjlqfjfcb.com | udp |
| US | 8.8.8.8:53 | atkzfclhbift.info | udp |
| US | 8.8.8.8:53 | culfmfiszv.info | udp |
| US | 8.8.8.8:53 | gmbywzdol.info | udp |
| US | 8.8.8.8:53 | wkpicsh.net | udp |
| US | 8.8.8.8:53 | wueysyqiyg.org | udp |
| US | 8.8.8.8:53 | ehtosibmmys.info | udp |
| US | 8.8.8.8:53 | gltmmafax.info | udp |
| US | 8.8.8.8:53 | xhphlikerv.info | udp |
| US | 8.8.8.8:53 | gbcmemmhsqpa.net | udp |
| US | 8.8.8.8:53 | ysoqemye.org | udp |
| US | 8.8.8.8:53 | jjrefkv.net | udp |
| US | 8.8.8.8:53 | itnkwq.net | udp |
| US | 8.8.8.8:53 | zzjgyfkosf.info | udp |
| US | 8.8.8.8:53 | aldrtf.net | udp |
| US | 8.8.8.8:53 | bausazsepk.net | udp |
| US | 8.8.8.8:53 | baniuuvaaax.info | udp |
| US | 8.8.8.8:53 | kjskvzf.info | udp |
| US | 8.8.8.8:53 | tcldzk.info | udp |
| US | 8.8.8.8:53 | sjoyvjzf.info | udp |
| US | 8.8.8.8:53 | vewebedwhrv.info | udp |
| US | 8.8.8.8:53 | ckuqrjeub.net | udp |
| US | 8.8.8.8:53 | uqlqvwc.net | udp |
| US | 8.8.8.8:53 | lzbjkx.info | udp |
| US | 8.8.8.8:53 | nvfxjwp.net | udp |
| US | 8.8.8.8:53 | zjtbhml.info | udp |
| US | 8.8.8.8:53 | eivmeyn.info | udp |
| US | 8.8.8.8:53 | yjhgjgmq.net | udp |
| US | 8.8.8.8:53 | xjlsdzdaotpm.net | udp |
| US | 8.8.8.8:53 | blriytvijot.com | udp |
| US | 8.8.8.8:53 | omcuoigmv.net | udp |
| US | 8.8.8.8:53 | vsvsvsomp.com | udp |
| US | 8.8.8.8:53 | eqgsya.org | udp |
| DE | 24.134.86.213:37182 | tcp | |
| US | 8.8.8.8:53 | wstbmf.net | udp |
| US | 8.8.8.8:53 | kyilnx.net | udp |
| US | 8.8.8.8:53 | aqwwys.com | udp |
| US | 8.8.8.8:53 | jylsfen.org | udp |
| US | 8.8.8.8:53 | jklojvfnlb.net | udp |
| US | 8.8.8.8:53 | yavufybezxf.net | udp |
| US | 8.8.8.8:53 | xylupgl.com | udp |
| US | 8.8.8.8:53 | gaqkygwq.org | udp |
| US | 8.8.8.8:53 | fnzepm.net | udp |
| US | 8.8.8.8:53 | iuwkackk.org | udp |
| US | 8.8.8.8:53 | jcyigavj.info | udp |
| US | 8.8.8.8:53 | jrbulad.info | udp |
| US | 8.8.8.8:53 | kfnuyajya.net | udp |
| US | 8.8.8.8:53 | utlyppx.net | udp |
| US | 8.8.8.8:53 | spmckxrwmaso.info | udp |
| US | 8.8.8.8:53 | bkdzbgbicy.net | udp |
| US | 8.8.8.8:53 | qcwgskmqgc.com | udp |
| US | 8.8.8.8:53 | bpzorpfuhtf.org | udp |
| US | 8.8.8.8:53 | ljdgtntid.net | udp |
| US | 8.8.8.8:53 | ykosooggwmkm.com | udp |
| US | 8.8.8.8:53 | skidsahnfh.net | udp |
| US | 8.8.8.8:53 | lmxyrocqoy.info | udp |
| US | 8.8.8.8:53 | gasaimoacc.org | udp |
| US | 8.8.8.8:53 | bkngmvgi.net | udp |
| US | 8.8.8.8:53 | qceeue.org | udp |
| US | 8.8.8.8:53 | ehfsbzfmhopw.info | udp |
| US | 8.8.8.8:53 | nqygdzueec.info | udp |
| US | 8.8.8.8:53 | bqdindvszcl.com | udp |
| US | 8.8.8.8:53 | khjrjixfvoh.net | udp |
| US | 8.8.8.8:53 | dykwknvmdfdj.info | udp |
| US | 8.8.8.8:53 | rrvoahykpt.info | udp |
| DE | 24.134.86.213:37182 | tcp | |
| US | 8.8.8.8:53 | wawaoiyk.com | udp |
| US | 8.8.8.8:53 | lqrtfqem.info | udp |
| US | 8.8.8.8:53 | bzxzkk.info | udp |
| US | 8.8.8.8:53 | rkqxiqanjzte.info | udp |
| US | 8.8.8.8:53 | zbbudf.net | udp |
| US | 8.8.8.8:53 | xilurslwdcv.org | udp |
| US | 8.8.8.8:53 | szezcs.info | udp |
| US | 8.8.8.8:53 | pkqsdeb.org | udp |
| US | 8.8.8.8:53 | vxnkiyjsbfll.info | udp |
| US | 8.8.8.8:53 | fcbmrodq.net | udp |
| US | 8.8.8.8:53 | dazulnj.org | udp |
| US | 8.8.8.8:53 | skqlbuxa.info | udp |
| US | 8.8.8.8:53 | pspaksboj.info | udp |
| US | 8.8.8.8:53 | xszolrihdsb.org | udp |
| US | 8.8.8.8:53 | jzthxr.net | udp |
| US | 8.8.8.8:53 | gayqkium.com | udp |
| US | 8.8.8.8:53 | ergpaczjthrq.net | udp |
| US | 8.8.8.8:53 | fjusznt.com | udp |
| US | 8.8.8.8:53 | pmcknukxt.org | udp |
| US | 8.8.8.8:53 | gacmoaeggkiy.org | udp |
| US | 8.8.8.8:53 | aotyaxzx.net | udp |
| US | 8.8.8.8:53 | zuhmapbot.net | udp |
| US | 8.8.8.8:53 | cnzloatrxd.net | udp |
| US | 8.8.8.8:53 | iokoyicu.org | udp |
| US | 8.8.8.8:53 | pirrnagupur.info | udp |
| US | 8.8.8.8:53 | uarvmkb.info | udp |
| US | 8.8.8.8:53 | dmxgwpqsqpfb.net | udp |
| US | 8.8.8.8:53 | vjvlnnztmb.net | udp |
| US | 8.8.8.8:53 | dxtcjjvqzm.net | udp |
| US | 8.8.8.8:53 | pgaihqxg.info | udp |
| US | 8.8.8.8:53 | yojkaljecqs.info | udp |
| US | 8.8.8.8:53 | wakuwkosocgq.org | udp |
| US | 8.8.8.8:53 | lctxdahwfit.org | udp |
| US | 8.8.8.8:53 | djnaih.net | udp |
| US | 8.8.8.8:53 | ecegeakc.org | udp |
| US | 8.8.8.8:53 | jazciccsnsz.org | udp |
| US | 8.8.8.8:53 | afkezlokdt.info | udp |
| US | 8.8.8.8:53 | talfuiea.info | udp |
| US | 8.8.8.8:53 | ootkjdzphd.net | udp |
| US | 8.8.8.8:53 | fmdqzqjnt.net | udp |
| US | 8.8.8.8:53 | swhesyhutpn.net | udp |
| US | 8.8.8.8:53 | wagksk.org | udp |
| BG | 78.83.141.57:33295 | tcp | |
| US | 8.8.8.8:53 | aararuzmj.info | udp |
| US | 8.8.8.8:53 | oeuyomqoyg.com | udp |
| US | 8.8.8.8:53 | zrizzt.net | udp |
| US | 8.8.8.8:53 | mcvyjkxyonf.info | udp |
| US | 8.8.8.8:53 | dbbxjezlikvj.net | udp |
| US | 8.8.8.8:53 | nsjnpn.net | udp |
| US | 8.8.8.8:53 | hqggncb.com | udp |
| US | 8.8.8.8:53 | jbqnjatgjoq.info | udp |
| US | 8.8.8.8:53 | ogqeocmggack.com | udp |
| US | 8.8.8.8:53 | ucwzpxpgexdy.info | udp |
| US | 8.8.8.8:53 | yakuuc.org | udp |
| US | 8.8.8.8:53 | bbrqxulc.info | udp |
| US | 8.8.8.8:53 | ivewnr.info | udp |
| US | 8.8.8.8:53 | pwexny.net | udp |
| US | 8.8.8.8:53 | lkyazabydsyc.info | udp |
| US | 8.8.8.8:53 | xhjgly.info | udp |
| US | 8.8.8.8:53 | rwwonop.com | udp |
| US | 8.8.8.8:53 | hwpcjyzas.org | udp |
| US | 8.8.8.8:53 | gjdqtga.net | udp |
| US | 8.8.8.8:53 | juhcxksgyed.com | udp |
| US | 8.8.8.8:53 | nqxijbihvn.info | udp |
| US | 8.8.8.8:53 | cllotyt.info | udp |
| US | 8.8.8.8:53 | esmkkwoguqsi.org | udp |
| US | 8.8.8.8:53 | syxifqaqc.info | udp |
| US | 8.8.8.8:53 | yspynbdonzn.net | udp |
| US | 8.8.8.8:53 | lafpzlpndekd.net | udp |
| US | 8.8.8.8:53 | jsaavzp.net | udp |
| US | 8.8.8.8:53 | xrctizgjhu.net | udp |
| US | 8.8.8.8:53 | yqhjgibtrr.net | udp |
| US | 8.8.8.8:53 | rfcqjgcwrllk.info | udp |
| US | 8.8.8.8:53 | tvjkhjzkp.info | udp |
| US | 8.8.8.8:53 | dtpihozfb.info | udp |
| US | 8.8.8.8:53 | iyysqkwk.com | udp |
| US | 8.8.8.8:53 | oofhvr.info | udp |
| US | 8.8.8.8:53 | ooewwc.org | udp |
| US | 8.8.8.8:53 | fpfevmogf.org | udp |
| US | 8.8.8.8:53 | cqjkpycajgl.info | udp |
| US | 8.8.8.8:53 | jypigkw.net | udp |
| US | 8.8.8.8:53 | surbpjzrpz.info | udp |
| US | 8.8.8.8:53 | ekvrqipon.info | udp |
| MD | 37.75.78.197:39602 | tcp | |
| US | 8.8.8.8:53 | jphhtgd.com | udp |
| US | 8.8.8.8:53 | wzrgpxhnr.info | udp |
| US | 8.8.8.8:53 | ygyuos.com | udp |
| US | 8.8.8.8:53 | zwbalgplxc.info | udp |
| US | 8.8.8.8:53 | tjesbej.org | udp |
| US | 8.8.8.8:53 | qxpqcowoxj.net | udp |
| US | 8.8.8.8:53 | pqyycduqzs.info | udp |
| US | 8.8.8.8:53 | kqqshdptab.info | udp |
| US | 8.8.8.8:53 | wgwmegoucoug.org | udp |
| US | 8.8.8.8:53 | omierhazkhgw.net | udp |
| US | 8.8.8.8:53 | caxfwelvch.net | udp |
| US | 8.8.8.8:53 | gglyjmvqf.net | udp |
| US | 8.8.8.8:53 | hgfipol.net | udp |
| US | 8.8.8.8:53 | rlfwvfxudiy.org | udp |
| US | 8.8.8.8:53 | saalppztotvc.net | udp |
| US | 8.8.8.8:53 | kwdrqyzrhd.net | udp |
| US | 8.8.8.8:53 | gyquywiaos.org | udp |
| US | 8.8.8.8:53 | bhlsypeeex.info | udp |
| US | 8.8.8.8:53 | xrjmbmgmisvh.info | udp |
| US | 8.8.8.8:53 | zlentobezop.org | udp |
| US | 8.8.8.8:53 | xbhogt.net | udp |
| US | 8.8.8.8:53 | tfjkjw.net | udp |
| US | 8.8.8.8:53 | sedurcvlz.net | udp |
| US | 8.8.8.8:53 | wodmlspgi.net | udp |
| US | 8.8.8.8:53 | jqtenkdayoy.org | udp |
| US | 8.8.8.8:53 | snfpeo.info | udp |
| US | 8.8.8.8:53 | vteelbsv.info | udp |
| US | 8.8.8.8:53 | qgvvucy.net | udp |
| US | 8.8.8.8:53 | eufesoo.info | udp |
| US | 8.8.8.8:53 | nzrivburitvi.info | udp |
| US | 8.8.8.8:53 | qbzieldgeut.net | udp |
| US | 8.8.8.8:53 | lvliwxsju.net | udp |
| US | 8.8.8.8:53 | aobjzumoeab.net | udp |
| US | 8.8.8.8:53 | lkwxxizcgmer.info | udp |
| US | 8.8.8.8:53 | gyqmes.org | udp |
| US | 8.8.8.8:53 | vmefar.net | udp |
| US | 8.8.8.8:53 | wcgcuuiu.org | udp |
| US | 8.8.8.8:53 | clccpmhqpyue.info | udp |
| US | 8.8.8.8:53 | gaagywiikeyo.com | udp |
| US | 8.8.8.8:53 | xyfaxuajx.info | udp |
| US | 8.8.8.8:53 | naziosjghmh.net | udp |
| US | 8.8.8.8:53 | oqchzve.net | udp |
| US | 8.8.8.8:53 | nhmyomxjv.info | udp |
| US | 8.8.8.8:53 | pkfrrjmr.net | udp |
| US | 8.8.8.8:53 | ybamjo.net | udp |
| US | 8.8.8.8:53 | eskmjir.net | udp |
| US | 8.8.8.8:53 | dirrkj.net | udp |
| US | 8.8.8.8:53 | tyzkrdhyl.info | udp |
| US | 8.8.8.8:53 | iiggioeaaoee.org | udp |
| LT | 5.20.66.115:45152 | tcp | |
| US | 8.8.8.8:53 | bonhivlurp.info | udp |
| US | 8.8.8.8:53 | jwferid.com | udp |
| US | 8.8.8.8:53 | vyvijbihvn.info | udp |
| US | 8.8.8.8:53 | cykxrrvwfp.net | udp |
| US | 8.8.8.8:53 | sgjopnhso.net | udp |
| US | 8.8.8.8:53 | aociqgkm.com | udp |
| US | 8.8.8.8:53 | xebolmhkpnrf.info | udp |
| US | 8.8.8.8:53 | pemqfyvnh.info | udp |
| US | 8.8.8.8:53 | hsrofavrq.net | udp |
| US | 8.8.8.8:53 | ggprqcwzbk.net | udp |
| US | 8.8.8.8:53 | jyebkpa.org | udp |
| US | 8.8.8.8:53 | bwgadgk.com | udp |
| US | 8.8.8.8:53 | nhtppsvh.info | udp |
| US | 8.8.8.8:53 | swxsxhjyqfi.info | udp |
| US | 8.8.8.8:53 | vtklsoeptekl.net | udp |
| US | 8.8.8.8:53 | llpwlrlwpx.net | udp |
| US | 8.8.8.8:53 | kgqwkeuqki.org | udp |
| US | 8.8.8.8:53 | holjji.net | udp |
| US | 8.8.8.8:53 | wieywauuciks.com | udp |
| US | 8.8.8.8:53 | oriozsxinnto.net | udp |
| US | 8.8.8.8:53 | ikuumlfbdyj.info | udp |
| US | 8.8.8.8:53 | qcwgqmum.com | udp |
| US | 8.8.8.8:53 | qucyaisc.com | udp |
| US | 8.8.8.8:53 | bctwfgikb.org | udp |
| US | 8.8.8.8:53 | wepptkf.info | udp |
| US | 8.8.8.8:53 | jkbsgcx.info | udp |
| US | 8.8.8.8:53 | vclulsd.org | udp |
| US | 8.8.8.8:53 | fzqqksnzg.net | udp |
| US | 8.8.8.8:53 | jwrzwgpyjb.info | udp |
| US | 8.8.8.8:53 | zmpcftkwvdju.net | udp |
| US | 8.8.8.8:53 | auamqesm.org | udp |
| US | 8.8.8.8:53 | xmlymtnez.org | udp |
| AM | 46.241.134.173:23589 | tcp | |
| US | 8.8.8.8:53 | odzbrjqoy.info | udp |
| US | 8.8.8.8:53 | tmdtrnnseycu.net | udp |
| US | 8.8.8.8:53 | lgkppwwc.info | udp |
| US | 8.8.8.8:53 | aalijqi.info | udp |
| US | 8.8.8.8:53 | aqxaawj.net | udp |
| US | 8.8.8.8:53 | vtckewcb.info | udp |
| US | 8.8.8.8:53 | vilifkc.net | udp |
| US | 8.8.8.8:53 | hiaojggd.info | udp |
| US | 8.8.8.8:53 | jwryicour.net | udp |
| US | 8.8.8.8:53 | suwciixf.info | udp |
| US | 8.8.8.8:53 | odqisf.info | udp |
| US | 8.8.8.8:53 | qgpihguuhzq.info | udp |
| US | 8.8.8.8:53 | ncpmyszzt.info | udp |
| US | 8.8.8.8:53 | agoiqgcy.org | udp |
| US | 8.8.8.8:53 | tewpjph.org | udp |
| US | 8.8.8.8:53 | ybxsqlwexbnh.info | udp |
| US | 8.8.8.8:53 | ydyyiuz.net | udp |
| US | 8.8.8.8:53 | ajcblsbopqna.net | udp |
| US | 8.8.8.8:53 | cjjkjzvsdw.net | udp |
| US | 8.8.8.8:53 | lnmdsr.net | udp |
| US | 8.8.8.8:53 | kkiamiym.com | udp |
| US | 8.8.8.8:53 | goknstgv.net | udp |
| US | 8.8.8.8:53 | gntfxztnljap.net | udp |
| US | 8.8.8.8:53 | wmfqbgb.net | udp |
| US | 8.8.8.8:53 | iyeuuikw.com | udp |
| US | 8.8.8.8:53 | jatdaajehomt.net | udp |
| US | 8.8.8.8:53 | strpmpuozrzs.info | udp |
| US | 8.8.8.8:53 | scdcax.info | udp |
| US | 8.8.8.8:53 | tecahnfi.net | udp |
| US | 8.8.8.8:53 | jvmvczysit.info | udp |
| US | 8.8.8.8:53 | wvneioethg.net | udp |
| US | 8.8.8.8:53 | momoemcy.com | udp |
| US | 8.8.8.8:53 | mwgkuyee.org | udp |
| US | 8.8.8.8:53 | jqabwsvxiyqr.net | udp |
| US | 8.8.8.8:53 | bmjyxypus.net | udp |
| US | 8.8.8.8:53 | gbzhlbzkj.net | udp |
| US | 8.8.8.8:53 | iwymameawasg.com | udp |
| US | 8.8.8.8:53 | xbgouwdx.net | udp |
| US | 8.8.8.8:53 | nuvyetxexaz.info | udp |
| US | 8.8.8.8:53 | rhufjc.net | udp |
| US | 8.8.8.8:53 | uiceesz.info | udp |
| US | 8.8.8.8:53 | mwueesisuk.com | udp |
| US | 8.8.8.8:53 | bzaydhbkyko.info | udp |
| US | 8.8.8.8:53 | ujxoveg.info | udp |
| US | 8.8.8.8:53 | siomfmt.net | udp |
| US | 8.8.8.8:53 | uoxjsmld.info | udp |
| US | 8.8.8.8:53 | pebyjghrn.net | udp |
| KZ | 95.56.12.117:42839 | tcp | |
| US | 8.8.8.8:53 | nakmmnboo.net | udp |
| US | 8.8.8.8:53 | ksgiaoamowmm.com | udp |
| US | 8.8.8.8:53 | dieqzcpcb.org | udp |
| US | 8.8.8.8:53 | ewiuauieao.com | udp |
| US | 8.8.8.8:53 | hgqjinfucy.net | udp |
| US | 8.8.8.8:53 | ospuaeooh.info | udp |
| US | 8.8.8.8:53 | nkscwc.net | udp |
| US | 8.8.8.8:53 | bjpwlrlwpx.net | udp |
| US | 8.8.8.8:53 | skfaqmhww.net | udp |
| US | 8.8.8.8:53 | szcwhwlcevl.info | udp |
| US | 8.8.8.8:53 | eojaqgnph.net | udp |
| US | 8.8.8.8:53 | imwkkoik.com | udp |
| US | 8.8.8.8:53 | hwlcwdzi.net | udp |
| US | 8.8.8.8:53 | wkuwoq.org | udp |
| US | 8.8.8.8:53 | mkquos.com | udp |
| US | 8.8.8.8:53 | ukgwqqigus.org | udp |
| US | 8.8.8.8:53 | sewuvwb.net | udp |
| US | 8.8.8.8:53 | hhyudahznf.info | udp |
| US | 8.8.8.8:53 | uixrff.info | udp |
| US | 8.8.8.8:53 | dtdfko.info | udp |
| US | 8.8.8.8:53 | hvrmugbonll.org | udp |
| US | 8.8.8.8:53 | oaewcmmi.com | udp |
| US | 8.8.8.8:53 | lztutm.net | udp |
| US | 8.8.8.8:53 | hbswnsc.info | udp |
| US | 8.8.8.8:53 | oweuoiqciqko.org | udp |
| US | 8.8.8.8:53 | yjyixeosc.net | udp |
| US | 8.8.8.8:53 | ytibbcvsomah.info | udp |
| US | 8.8.8.8:53 | oalwpcngx.info | udp |
| US | 8.8.8.8:53 | bspoxwrz.net | udp |
| US | 8.8.8.8:53 | xnzwaxpojetg.net | udp |
| US | 8.8.8.8:53 | qmagae.com | udp |
| US | 8.8.8.8:53 | jgkojuznm.org | udp |
| US | 8.8.8.8:53 | xcrfxbihvn.info | udp |
| US | 8.8.8.8:53 | henkkq.info | udp |
| MD | 93.116.230.64:15294 | tcp | |
| US | 8.8.8.8:53 | garynjfqf.net | udp |
| US | 8.8.8.8:53 | dunkopfdudj.org | udp |
| US | 8.8.8.8:53 | ogaaqsegcsua.com | udp |
| US | 8.8.8.8:53 | coavgckfx.net | udp |
| US | 8.8.8.8:53 | skxsxgekl.info | udp |
| US | 8.8.8.8:53 | sxjrqtaplcaj.net | udp |
| US | 8.8.8.8:53 | pvesxitaordl.info | udp |
| US | 8.8.8.8:53 | qqdjxtff.info | udp |
| US | 8.8.8.8:53 | qmmkcdx.net | udp |
| US | 8.8.8.8:53 | bcscdylqkqh.org | udp |
| US | 8.8.8.8:53 | dzrmxez.com | udp |
| US | 8.8.8.8:53 | gofevllkfor.net | udp |
| US | 8.8.8.8:53 | fcxthmvhet.net | udp |
| US | 8.8.8.8:53 | xodkihx.org | udp |
| US | 8.8.8.8:53 | kxldwaoqfn.info | udp |
| US | 8.8.8.8:53 | ekkibidnt.net | udp |
| US | 8.8.8.8:53 | vifhgu.net | udp |
| US | 8.8.8.8:53 | uozdmyyaqni.net | udp |
| US | 8.8.8.8:53 | fvjojj.info | udp |
| US | 8.8.8.8:53 | xxbuvavqnao.net | udp |
| US | 8.8.8.8:53 | rcdorur.info | udp |
| US | 8.8.8.8:53 | oonfdh.info | udp |
| US | 8.8.8.8:53 | tgzzsilpuoyu.info | udp |
| US | 8.8.8.8:53 | epzlhdvdcaat.info | udp |
| US | 8.8.8.8:53 | pyeppclzv.net | udp |
| US | 8.8.8.8:53 | hmhvlxzgizgj.net | udp |
| US | 8.8.8.8:53 | ocvnporuvqvx.net | udp |
| US | 8.8.8.8:53 | moekqcumok.com | udp |
| US | 8.8.8.8:53 | rejwrwpoa.info | udp |
| BR | 200.158.170.237:19466 | tcp | |
| US | 8.8.8.8:53 | tonqduf.info | udp |
| US | 8.8.8.8:53 | amszjoed.net | udp |
| US | 8.8.8.8:53 | ivvuttqyfeby.net | udp |
| US | 8.8.8.8:53 | iyobvrfh.info | udp |
| US | 8.8.8.8:53 | jmuyzwjxj.net | udp |
| US | 8.8.8.8:53 | minwvfhcdfcg.info | udp |
| US | 8.8.8.8:53 | qtbhhdpg.info | udp |
| US | 8.8.8.8:53 | sgescokcmo.org | udp |
| US | 8.8.8.8:53 | ilovbxgl.info | udp |
| US | 8.8.8.8:53 | tvpcqzfd.net | udp |
| US | 8.8.8.8:53 | pmrvlddqm.com | udp |
| US | 8.8.8.8:53 | uljnwoyya.net | udp |
| US | 8.8.8.8:53 | cykwsmek.com | udp |
| US | 8.8.8.8:53 | iutmxlo.net | udp |
| US | 8.8.8.8:53 | lzwgpqnxhy.net | udp |
| US | 8.8.8.8:53 | kciewo.com | udp |
| US | 8.8.8.8:53 | jwzmnwreh.info | udp |
| US | 8.8.8.8:53 | xopfrsswlo.info | udp |
| US | 8.8.8.8:53 | cnhgllwd.net | udp |
| US | 8.8.8.8:53 | jehyhpbob.com | udp |
| US | 8.8.8.8:53 | lhlfyfbjvsbs.net | udp |
| US | 8.8.8.8:53 | bzmrhx.info | udp |
| US | 8.8.8.8:53 | pifyielslmx.info | udp |
| US | 8.8.8.8:53 | xwvctcqga.info | udp |
| US | 8.8.8.8:53 | luaiurlae.info | udp |
| US | 8.8.8.8:53 | raftszrzer.info | udp |
| US | 8.8.8.8:53 | yedyywowdnj.info | udp |
| US | 8.8.8.8:53 | qouomase.com | udp |
| US | 8.8.8.8:53 | ycworew.net | udp |
| US | 8.8.8.8:53 | dhbbfl.info | udp |
| US | 8.8.8.8:53 | hsfspwfirsr.org | udp |
| US | 8.8.8.8:53 | uysoikugis.com | udp |
| US | 8.8.8.8:53 | viczrmaky.info | udp |
| US | 8.8.8.8:53 | fumvct.net | udp |
| US | 8.8.8.8:53 | ivygmakddu.net | udp |
| US | 8.8.8.8:53 | yqydhx.net | udp |
| US | 8.8.8.8:53 | dnyidwf.info | udp |
| US | 8.8.8.8:53 | tvpvdilt.info | udp |
| US | 8.8.8.8:53 | jjvldfhsugn.info | udp |
| US | 8.8.8.8:53 | iazfhmh.net | udp |
| US | 8.8.8.8:53 | mrtgnolyhuv.info | udp |
| US | 8.8.8.8:53 | gxpufsuec.info | udp |
| US | 8.8.8.8:53 | vcsaumzyc.org | udp |
| US | 8.8.8.8:53 | yadxtkefpqdf.net | udp |
| US | 8.8.8.8:53 | iguyyan.net | udp |
| US | 8.8.8.8:53 | qngitmingp.net | udp |
| US | 8.8.8.8:53 | ylxplkvhz.net | udp |
| US | 8.8.8.8:53 | kmummcqsmqck.com | udp |
| US | 8.8.8.8:53 | wallzptbdew.net | udp |
| US | 8.8.8.8:53 | ulwprsdpevsj.info | udp |
| US | 8.8.8.8:53 | fvnvthxadle.net | udp |
| US | 8.8.8.8:53 | aqgcku.com | udp |
| US | 8.8.8.8:53 | pqtkzz.net | udp |
| US | 8.8.8.8:53 | wcsuemgukkca.org | udp |
| US | 8.8.8.8:53 | qrusxmfds.info | udp |
| US | 8.8.8.8:53 | hkyabke.org | udp |
| US | 8.8.8.8:53 | qyjxvcif.net | udp |
| US | 8.8.8.8:53 | wkzctjjriqnp.net | udp |
| US | 8.8.8.8:53 | ujkabkb.net | udp |
| RU | 37.78.53.100:31421 | tcp | |
| US | 8.8.8.8:53 | rkwlhccy.info | udp |
| US | 8.8.8.8:53 | plvepgf.com | udp |
| US | 8.8.8.8:53 | lkekwo.net | udp |
| US | 8.8.8.8:53 | aoylnk.net | udp |
| US | 8.8.8.8:53 | gyiusume.org | udp |
| US | 8.8.8.8:53 | htcopwdnmg.net | udp |
| US | 8.8.8.8:53 | nthafgeqx.org | udp |
| US | 8.8.8.8:53 | lhucnlbolq.info | udp |
| US | 8.8.8.8:53 | opmixh.net | udp |
| US | 8.8.8.8:53 | vibshiiel.net | udp |
| US | 8.8.8.8:53 | agppnma.info | udp |
| US | 8.8.8.8:53 | nozmwsn.net | udp |
| US | 8.8.8.8:53 | oflyyyvsdgd.net | udp |
| US | 8.8.8.8:53 | ygjrsynrvk.info | udp |
| US | 8.8.8.8:53 | nujrrkrmuqt.org | udp |
| US | 8.8.8.8:53 | exlfvszo.net | udp |
| US | 8.8.8.8:53 | khhcdwnmzs.net | udp |
| US | 8.8.8.8:53 | jjqtpeerkb.net | udp |
| US | 8.8.8.8:53 | ldnwlopctmji.info | udp |
| US | 8.8.8.8:53 | pbttxi.net | udp |
| US | 8.8.8.8:53 | sieprydl.net | udp |
| US | 8.8.8.8:53 | urkcltobhpwf.net | udp |
| US | 8.8.8.8:53 | jobwrjdaaipt.net | udp |
| US | 8.8.8.8:53 | pxdecuwucu.info | udp |
| US | 8.8.8.8:53 | djtznyoy.info | udp |
| US | 8.8.8.8:53 | ukmuimkmssqi.com | udp |
| US | 8.8.8.8:53 | oismai.com | udp |
| US | 8.8.8.8:53 | vybefujybnd.com | udp |
| US | 8.8.8.8:53 | tpzhdy.info | udp |
| US | 8.8.8.8:53 | reakzkgq.info | udp |
| US | 8.8.8.8:53 | otwzrfzurp.net | udp |
| US | 8.8.8.8:53 | vdpyopgicm.net | udp |
| US | 8.8.8.8:53 | eheflhppvg.net | udp |
| US | 8.8.8.8:53 | yilejhoiv.info | udp |
| US | 8.8.8.8:53 | ewowia.com | udp |
| US | 8.8.8.8:53 | soetzwjijsg.net | udp |
| US | 8.8.8.8:53 | cykogcgqqcuu.com | udp |
| US | 8.8.8.8:53 | ksytlxlmmqqt.net | udp |
| US | 8.8.8.8:53 | zhpcheuuzzv.net | udp |
| US | 8.8.8.8:53 | ugjyfpgfl.net | udp |
| US | 8.8.8.8:53 | yqdptprq.info | udp |
| US | 8.8.8.8:53 | oxngtxhinvdm.net | udp |
| US | 8.8.8.8:53 | iutvfgu.net | udp |
| US | 8.8.8.8:53 | kussaayi.com | udp |
| US | 8.8.8.8:53 | tnfteszsf.net | udp |
| US | 8.8.8.8:53 | myrwjqkrwpbk.info | udp |
| US | 8.8.8.8:53 | ueiscspdhg.info | udp |
| US | 8.8.8.8:53 | mpkbfsgyp.info | udp |
| MD | 94.243.110.54:24785 | tcp | |
| US | 8.8.8.8:53 | wcfnrgfs.net | udp |
| US | 8.8.8.8:53 | wgacweyssiss.org | udp |
| US | 8.8.8.8:53 | addypknyj.info | udp |
| US | 8.8.8.8:53 | brpooxwznc.net | udp |
| US | 8.8.8.8:53 | qseoumkkca.org | udp |
| US | 8.8.8.8:53 | tezojqza.info | udp |
| US | 8.8.8.8:53 | tagipqbef.org | udp |
| US | 8.8.8.8:53 | prrsxuxdbc.net | udp |
| US | 8.8.8.8:53 | jebeqcxefee.net | udp |
| US | 8.8.8.8:53 | qdnmhgdyrit.net | udp |
| US | 8.8.8.8:53 | dqvctfbckcl.org | udp |
| US | 8.8.8.8:53 | hqknstusprqr.info | udp |
| US | 8.8.8.8:53 | qyqigk.com | udp |
| US | 8.8.8.8:53 | dmppptpv.net | udp |
| US | 8.8.8.8:53 | gobrgabax.info | udp |
| US | 8.8.8.8:53 | fyaylmbcb.net | udp |
| US | 8.8.8.8:53 | gmmecgaw.org | udp |
| US | 8.8.8.8:53 | vubktulhet.info | udp |
| US | 8.8.8.8:53 | dytjnq.net | udp |
| US | 8.8.8.8:53 | novdvyxuzpqq.net | udp |
| US | 8.8.8.8:53 | tolvztmosvdc.net | udp |
| US | 8.8.8.8:53 | icnajqztpye.info | udp |
| US | 8.8.8.8:53 | csqyuqcwys.com | udp |
| US | 8.8.8.8:53 | ekqaao.com | udp |
| US | 8.8.8.8:53 | otlwpkaya.net | udp |
| US | 8.8.8.8:53 | iibwlwkwlv.info | udp |
| US | 8.8.8.8:53 | jvbzeq.net | udp |
| US | 8.8.8.8:53 | pubmevfurefz.info | udp |
| US | 8.8.8.8:53 | xalhadmnyy.net | udp |
| US | 8.8.8.8:53 | bifytiffy.info | udp |
| US | 8.8.8.8:53 | rkjyfrxybqd.net | udp |
| US | 8.8.8.8:53 | mbmaauppwra.net | udp |
| US | 8.8.8.8:53 | vaqmtrjxg.net | udp |
| US | 8.8.8.8:53 | nqrqla.info | udp |
| US | 8.8.8.8:53 | oqwiuwegoq.org | udp |
| US | 8.8.8.8:53 | narzyojlrmb.org | udp |
| US | 8.8.8.8:53 | gkuwckaogimo.org | udp |
| US | 8.8.8.8:53 | hztnzodq.info | udp |
| US | 8.8.8.8:53 | bshqnaawayg.org | udp |
| MD | 93.116.230.64:15294 | tcp | |
| US | 8.8.8.8:53 | epeabyvep.info | udp |
| US | 8.8.8.8:53 | rjbifug.net | udp |
| US | 8.8.8.8:53 | iceynpjs.info | udp |
| US | 8.8.8.8:53 | erdcbqbzp.info | udp |
| US | 8.8.8.8:53 | kznukgsu.net | udp |
| US | 8.8.8.8:53 | qxrristtw.info | udp |
| US | 8.8.8.8:53 | yqdindvszcl.info | udp |
| US | 8.8.8.8:53 | zwtuwzy.info | udp |
| US | 8.8.8.8:53 | oezotwvr.info | udp |
| US | 8.8.8.8:53 | csaeumie.com | udp |
| US | 8.8.8.8:53 | ldlrgk.info | udp |
| US | 8.8.8.8:53 | hccvfaoit.net | udp |
| US | 8.8.8.8:53 | wuwyagsyoiis.org | udp |
| US | 8.8.8.8:53 | owtumceqt.info | udp |
| US | 8.8.8.8:53 | cmqmmwwwqwue.org | udp |
| US | 8.8.8.8:53 | dtzcfjhlbzxf.net | udp |
| US | 8.8.8.8:53 | kdiczltcyn.info | udp |
| US | 8.8.8.8:53 | ekjqlqnkzpb.net | udp |
| US | 8.8.8.8:53 | jpiyjgn.info | udp |
| US | 8.8.8.8:53 | sgdzhklkvfso.info | udp |
| US | 8.8.8.8:53 | vcxbjuufzqnu.info | udp |
| US | 8.8.8.8:53 | skqsiiae.org | udp |
| US | 8.8.8.8:53 | xzthqed.info | udp |
| US | 8.8.8.8:53 | jieoujiimk.info | udp |
| US | 8.8.8.8:53 | rdiunemv.net | udp |
| US | 8.8.8.8:53 | gfxenmj.info | udp |
| US | 8.8.8.8:53 | alyypvemovoc.net | udp |
| US | 8.8.8.8:53 | gyqywbxn.info | udp |
| AZ | 188.253.128.101:23377 | tcp | |
| US | 8.8.8.8:53 | cplsriind.net | udp |
| US | 8.8.8.8:53 | cggkgsaw.com | udp |
| US | 8.8.8.8:53 | wleiiavobljy.info | udp |
| US | 8.8.8.8:53 | hpljhaz.net | udp |
| US | 8.8.8.8:53 | rysoewivqoi.net | udp |
| US | 8.8.8.8:53 | qlstpgkhcjbu.net | udp |
| US | 8.8.8.8:53 | qucqee.org | udp |
| US | 8.8.8.8:53 | jhfuhezrqq.net | udp |
| US | 8.8.8.8:53 | wccawmmq.org | udp |
| US | 8.8.8.8:53 | skmqolgkieb.info | udp |
| US | 8.8.8.8:53 | hugahdzz.info | udp |
| US | 8.8.8.8:53 | nzitfaav.info | udp |
| US | 8.8.8.8:53 | lcimughahyi.info | udp |
| US | 8.8.8.8:53 | tmlmzuryf.net | udp |
| US | 8.8.8.8:53 | myrozlp.net | udp |
| US | 8.8.8.8:53 | lktcrbw.com | udp |
| US | 8.8.8.8:53 | vpnbzghq.info | udp |
| US | 8.8.8.8:53 | sptclzcqz.net | udp |
| US | 8.8.8.8:53 | hyjodgw.info | udp |
| US | 8.8.8.8:53 | hijzlv.net | udp |
| US | 8.8.8.8:53 | rmngtus.com | udp |
| US | 8.8.8.8:53 | ykxvjui.info | udp |
| US | 8.8.8.8:53 | dkdczgl.info | udp |
| US | 8.8.8.8:53 | zalbqoip.info | udp |
| US | 8.8.8.8:53 | datfdz.info | udp |
| US | 8.8.8.8:53 | eaictyqxc.info | udp |
| US | 8.8.8.8:53 | unaefml.net | udp |
| US | 8.8.8.8:53 | mpzooqbtun.net | udp |
| US | 8.8.8.8:53 | sdvejqt.info | udp |
| US | 8.8.8.8:53 | vgqxvqngngx.info | udp |
| US | 8.8.8.8:53 | lummpt.info | udp |
| US | 8.8.8.8:53 | jcibvsfku.org | udp |
| US | 8.8.8.8:53 | laxvlustvhf.net | udp |
| US | 8.8.8.8:53 | vlbsriakwwq.com | udp |
| US | 8.8.8.8:53 | iawiuqqk.org | udp |
Files
C:\Users\Admin\AppData\Local\Temp\wcycexrfgmi.exe
| MD5 | 1dd5dd5561723f37ccc81e15ecdbf830 |
| SHA1 | eeb9131c8d276ceb710d163e89fdc62b3e111971 |
| SHA256 | c8c542ac3f6526d1501c2b9d6262bfa029a1ac0d9dd6b3c1965977abdd8bd126 |
| SHA512 | b4881d7cd0c2ceeba067e13d23763e739389108d1269acd6c343dd308aa1fedde89da696a8482944342f44ea1094ea6b50021a15d4c6d03762ba032a9598bba5 |
C:\Windows\SysWOW64\ifzpkzohaqpcfqzzav.exe
| MD5 | c45c7c3be165367d7676c127dbdc2050 |
| SHA1 | 0ca4bbd08beb9ce9e8bd6807113345389aa07588 |
| SHA256 | 7be6ccadfe39aff45029a30fe34b3c87ac49ebbad791c34e2ff8bb30e7e07721 |
| SHA512 | d0aa1e6158da64512f9098ed1ae8d33d1882a1c23fb2c7bbbc3a3c0e331355d24dc302ef4f5b778d17f952fdd93adfd5e77fc81c73c5b119793b398edb43bbb3 |
C:\Users\Admin\AppData\Local\Temp\tfotdhl.exe
| MD5 | d54c839cd3f9c13e2f65b9fea53f68d9 |
| SHA1 | 38963222841896b25b894d08633ddee057f07b5a |
| SHA256 | 6c8fd7f119877cd7260d19fe38d1a2d4c60bf2da15175b509ba0fb67cc007385 |
| SHA512 | 809fca4f57a68c2210568348e273ebcb122fd0836523b06e5b06afab2e8d81e73b18cc970d53d5b1a3474013c95906ac53f6bc87ee1d8351428597a373352989 |
C:\Users\Admin\AppData\Local\fnstzzzdhisqeaufrxhpuvbbb.jku
| MD5 | 97b42c4faf2850d9df9fcb3a90ca8d75 |
| SHA1 | 1375d516cedd32960692efbe3da1e91f520383bb |
| SHA256 | 000bd95d7682a752284b4a8aa594319d5edb4a51eb2931aa3e3ff4d021d2d6bd |
| SHA512 | f0e27d8fe1ee8f1adbf88d6a02785ed3ec96dbe9c4c924d2213e38a9e4604ccfce0172541449b7e17eb12d0113368127cacf0a83b28e46b0f23c1096fd585910 |
C:\Users\Admin\AppData\Local\kdtfwhshwidmlsxtqhcvlxozkzoavedkpliz.ndp
| MD5 | e1836595a7c814a2d4fed52db60166a0 |
| SHA1 | 441368a8e5031d330a1ce1a1fe13030a12005923 |
| SHA256 | 61c0601ecb78a18508ff1b47e9bd2d4908dca07908a2878fd494714017f3b869 |
| SHA512 | 5aa7c0ecb627dff68b1c54b4e04c965eb2473f1586e0061ec4c6dcb9b817b292d620283cf159b3a97ae770f9bb47e39dba3766a8aef0f9c3dc9af983b70c44d9 |
C:\Program Files (x86)\fnstzzzdhisqeaufrxhpuvbbb.jku
| MD5 | c7c16ba0ad68623f27a47e2870957f8d |
| SHA1 | 8ea2254a3d2082029b85699fa22a316a797a38ac |
| SHA256 | d997339a8d65d293bbdf06a018db13764ab64cbd4b9df413b9642e6d6dc3dc98 |
| SHA512 | 4252fdd0517d7a0f232fe1e448c6bd4e99c98443f09762c3819548269ad0c4ffdb5e721c4ad0a1bc5320203610cad7127c07f23a8951b5ff14a8e24173a1babe |
C:\Program Files (x86)\fnstzzzdhisqeaufrxhpuvbbb.jku
| MD5 | 955bab5ab702922791a2c5ccd7a6a042 |
| SHA1 | 7d1329240a84e679c654ec97868907453782560a |
| SHA256 | 1ad3331e039f0770c1aef349746f18c525a0d1e47dcf1c95ad7e920f3be30944 |
| SHA512 | 47ae8252369292db8184b11c803237883ef50684b9154df9060776b6023d9461e3f914f583d2d55b7668f90b93351045c1186624b949d74eaa6b64e6b8f8e8d4 |
C:\Program Files (x86)\fnstzzzdhisqeaufrxhpuvbbb.jku
| MD5 | 0634c50b7a388fadd8d1148a7369cef9 |
| SHA1 | 008b3741e8838cf4d1867d8833c579d4caa65a4b |
| SHA256 | 7384078b38fc80757a00d49c6ded146ca46b0004dc71cbbcef345992ef0213f3 |
| SHA512 | 193980ab6fd46fc6811e21c239d3d3ef9a461d8de0df72bb9700c178ee32c5aa4eca2af1dd68b83160a5ee627e3b281d9785276beee24d0be331c6a57fde866b |
C:\Program Files (x86)\fnstzzzdhisqeaufrxhpuvbbb.jku
| MD5 | 8cb2728e73cf33d8da212cd8cb16962f |
| SHA1 | 6046fbba156bea7e394587a7796af8d1626131a4 |
| SHA256 | 35d3310b53829a2d6e3ae2bfc63ec500f52c43491eaec6171eb4d5e26a3a3645 |
| SHA512 | 8a8f8232cbfeda194cdb502af07dd5a94151790e0ef48d32c2be52b5ad04887c142a83facb7ba53980548b3a754bb8ed4ccbbfbe37516608c06e30d7f2c68225 |
C:\Program Files (x86)\fnstzzzdhisqeaufrxhpuvbbb.jku
| MD5 | a39386ad0ee355920372cb9ab66d7414 |
| SHA1 | 48b9c894ca8a2be8d62bbf84b96ea44a897feb56 |
| SHA256 | 93abced5d5b948384bd04532bb47156e0778a8de6c88a2474fca070b04c10bcd |
| SHA512 | 8c79fcd96f64559d61f288247bf21468bca7e4d36b581891731b1e4773581902e440055671b2075dab45b55cd357130323a976552af05031ec5eb35a23a66be0 |
C:\Program Files (x86)\fnstzzzdhisqeaufrxhpuvbbb.jku
| MD5 | ad8dcaf81dd808da9fe533fe9d8bbd80 |
| SHA1 | 8b649e1ea16e8de8db53b26ad8f0ec6c96621dc3 |
| SHA256 | b6c9310dcf061e42a77ff3cf211fcc2b74ed64620986de85f22ff823015b9e1e |
| SHA512 | c971cbb9456799938556131f1233762a3b92f6da339c3e2a03f899aba870fc0e23f79ca06796097d5939c2e05d13c312ed557690689b8e2baf2282234ba6e316 |