Analysis Overview
SHA256
439986cced413f04733bd254fd9e49da3c687518b6562ee8ba13b1bfa21b3fd3
Threat Level: Known bad
The file JaffaCakes118_b7ec123ae0594510d03149cc1e4a7843 was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
UAC bypass
Pykspa family
Pykspa
Detect Pykspa worm
Blocklisted process makes network request
Adds policy Run key to start application
Disables RegEdit via registry modification
Impair Defenses: Safe Mode Boot
Executes dropped EXE
Checks computer location settings
Looks up external IP address via web service
Checks whether UAC is enabled
Adds Run key to start application
Hijack Execution Flow: Executable Installer File Permissions Weakness
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
System policy modification
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-04-14 13:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-04-14 13:30
Reported
2025-04-14 13:32
Platform
win10v2004-20250314-en
Max time kernel
50s
Max time network
150s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
Pykspa
Pykspa family
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
Detect Pykspa worm
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oxdopcet = "bxqoccrthflvcumzcnple.exe" | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oxdopcet = "ztkgsqddplpxcsitudd.exe" | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oxdopcet = "fxmgqmxvfzbhkymvu.exe" | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhksq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypdwfakhqjkprerz.exe" | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhksq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bxqoccrthflvcumzcnple.exe" | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhksq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohxsdamlwrubfujttb.exe" | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oxdopcet = "mhzwjiwxkhmvbsjvxhid.exe" | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhksq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ztkgsqddplpxcsitudd.exe" | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oxdopcet = "ohxsdamlwrubfujttb.exe" | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oxdopcet = "fxmgqmxvfzbhkymvu.exe" | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oxdopcet = "ztkgsqddplpxcsitudd.exe" | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oxdopcet = "ypdwfakhqjkprerz.exe" | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhksq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mhzwjiwxkhmvbsjvxhid.exe" | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oxdopcet = "mhzwjiwxkhmvbsjvxhid.exe" | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oxdopcet = "ypdwfakhqjkprerz.exe" | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhksq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohxsdamlwrubfujttb.exe" | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhksq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ztkgsqddplpxcsitudd.exe" | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhksq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypdwfakhqjkprerz.exe" | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhksq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fxmgqmxvfzbhkymvu.exe" | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhksq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bxqoccrthflvcumzcnple.exe" | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation | C:\Windows\ohxsdamlwrubfujttb.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation | C:\Windows\ztkgsqddplpxcsitudd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation | C:\Windows\fxmgqmxvfzbhkymvu.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation | C:\Windows\mhzwjiwxkhmvbsjvxhid.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation | C:\Windows\bxqoccrthflvcumzcnple.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation | C:\Windows\ypdwfakhqjkprerz.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation | C:\Windows\ohxsdamlwrubfujttb.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation | C:\Windows\fxmgqmxvfzbhkymvu.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation | C:\Windows\ypdwfakhqjkprerz.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation | C:\Windows\ohxsdamlwrubfujttb.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation | C:\Windows\mhzwjiwxkhmvbsjvxhid.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation | C:\Windows\bxqoccrthflvcumzcnple.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation | C:\Windows\ztkgsqddplpxcsitudd.exe | N/A |
Executes dropped EXE
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tfocgwbtxlh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ztkgsqddplpxcsitudd.exe ." | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yjrehwaruh = "mhzwjiwxkhmvbsjvxhid.exe ." | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mtxgfq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ztkgsqddplpxcsitudd.exe" | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fpwikybrt = "mhzwjiwxkhmvbsjvxhid.exe" | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yjrehwaruh = "fxmgqmxvfzbhkymvu.exe ." | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zhmwwij = "ypdwfakhqjkprerz.exe ." | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tfocgwbtxlh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypdwfakhqjkprerz.exe ." | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fpwikybrt = "ohxsdamlwrubfujttb.exe" | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qdnchyexcrop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mhzwjiwxkhmvbsjvxhid.exe" | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zhmwwij = "ohxsdamlwrubfujttb.exe ." | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zhmwwij = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohxsdamlwrubfujttb.exe ." | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fpwikybrt = "fxmgqmxvfzbhkymvu.exe" | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yjrehwaruh = "ohxsdamlwrubfujttb.exe ." | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zhmwwij = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohxsdamlwrubfujttb.exe ." | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tfocgwbtxlh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bxqoccrthflvcumzcnple.exe ." | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qdnchyexcrop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mhzwjiwxkhmvbsjvxhid.exe" | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zhmwwij = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fxmgqmxvfzbhkymvu.exe ." | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mtxgfq = "bxqoccrthflvcumzcnple.exe" | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tfocgwbtxlh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fxmgqmxvfzbhkymvu.exe ." | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yjrehwaruh = "ypdwfakhqjkprerz.exe ." | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mtxgfq = "bxqoccrthflvcumzcnple.exe" | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mtxgfq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fxmgqmxvfzbhkymvu.exe" | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mtxgfq = "mhzwjiwxkhmvbsjvxhid.exe" | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tfocgwbtxlh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypdwfakhqjkprerz.exe ." | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fpwikybrt = "ypdwfakhqjkprerz.exe" | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mtxgfq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypdwfakhqjkprerz.exe" | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mtxgfq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohxsdamlwrubfujttb.exe" | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zhmwwij = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fxmgqmxvfzbhkymvu.exe ." | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mtxgfq = "ztkgsqddplpxcsitudd.exe" | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fpwikybrt = "bxqoccrthflvcumzcnple.exe" | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qdnchyexcrop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypdwfakhqjkprerz.exe" | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yjrehwaruh = "ztkgsqddplpxcsitudd.exe ." | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qdnchyexcrop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bxqoccrthflvcumzcnple.exe" | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tfocgwbtxlh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fxmgqmxvfzbhkymvu.exe ." | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mtxgfq = "ohxsdamlwrubfujttb.exe" | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zhmwwij = "ohxsdamlwrubfujttb.exe ." | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tfocgwbtxlh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mhzwjiwxkhmvbsjvxhid.exe ." | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zhmwwij = "ypdwfakhqjkprerz.exe ." | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zhmwwij = "bxqoccrthflvcumzcnple.exe ." | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zhmwwij = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ztkgsqddplpxcsitudd.exe ." | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zhmwwij = "mhzwjiwxkhmvbsjvxhid.exe ." | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fpwikybrt = "bxqoccrthflvcumzcnple.exe" | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zhmwwij = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypdwfakhqjkprerz.exe ." | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tfocgwbtxlh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mhzwjiwxkhmvbsjvxhid.exe ." | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yjrehwaruh = "ztkgsqddplpxcsitudd.exe ." | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
Hijack Execution Flow: Executable Installer File Permissions Weakness
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | www.showmyipaddress.com | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | whatismyip.everdot.org | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\ohxsdamlwrubfujttb.exe | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| File created | C:\Windows\SysWOW64\qdnchyexcropnwfjdfylvkpgmfkzwxvenr.ngt | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\spjixyorgfmxfyrfjvyvpo.exe | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\fxmgqmxvfzbhkymvu.exe | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mhzwjiwxkhmvbsjvxhid.exe | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ztkgsqddplpxcsitudd.exe | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mhzwjiwxkhmvbsjvxhid.exe | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\bxqoccrthflvcumzcnple.exe | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ohxsdamlwrubfujttb.exe | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ypdwfakhqjkprerz.exe | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\dfeicidlfjvlywunwnvxwau.vdx | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ohxsdamlwrubfujttb.exe | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\fxmgqmxvfzbhkymvu.exe | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\bxqoccrthflvcumzcnple.exe | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\dfeicidlfjvlywunwnvxwau.vdx | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
| File opened for modification | C:\Program Files (x86)\qdnchyexcropnwfjdfylvkpgmfkzwxvenr.ngt | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
| File created | C:\Program Files (x86)\qdnchyexcropnwfjdfylvkpgmfkzwxvenr.ngt | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
| File opened for modification | C:\Program Files (x86)\dfeicidlfjvlywunwnvxwau.vdx | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\spjixyorgfmxfyrfjvyvpo.exe | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| File opened for modification | C:\Windows\bxqoccrthflvcumzcnple.exe | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| File opened for modification | C:\Windows\ztkgsqddplpxcsitudd.exe | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| File opened for modification | C:\Windows\ohxsdamlwrubfujttb.exe | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| File opened for modification | C:\Windows\ypdwfakhqjkprerz.exe | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| File opened for modification | C:\Windows\fxmgqmxvfzbhkymvu.exe | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| File opened for modification | C:\Windows\fxmgqmxvfzbhkymvu.exe | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
| File opened for modification | C:\Windows\bxqoccrthflvcumzcnple.exe | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
| File opened for modification | C:\Windows\mhzwjiwxkhmvbsjvxhid.exe | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| File opened for modification | C:\Windows\ypdwfakhqjkprerz.exe | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
| File created | C:\Windows\dfeicidlfjvlywunwnvxwau.vdx | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
| File opened for modification | C:\Windows\spjixyorgfmxfyrfjvyvpo.exe | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\mhzwjiwxkhmvbsjvxhid.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\ztkgsqddplpxcsitudd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\fxmgqmxvfzbhkymvu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\ohxsdamlwrubfujttb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\ypdwfakhqjkprerz.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\bxqoccrthflvcumzcnple.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | N/A |
Processes
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\fxmgqmxvfzbhkymvu.exe*."
C:\Windows\bxqoccrthflvcumzcnple.exe
bxqoccrthflvcumzcnple.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe
C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe
C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe
C:\Windows\fxmgqmxvfzbhkymvu.exe
fxmgqmxvfzbhkymvu.exe .
C:\Windows\ohxsdamlwrubfujttb.exe
ohxsdamlwrubfujttb.exe .
C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe
C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe .
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\bxqoccrthflvcumzcnple.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe .
C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe
C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe .
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\fxmgqmxvfzbhkymvu.exe*."
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ohxsdamlwrubfujttb.exe*."
C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe
C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe .
C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe
C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe
C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe
C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe .
C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe
C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe
C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe
C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe .
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ztkgsqddplpxcsitudd.exe*."
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\mhzwjiwxkhmvbsjvxhid.exe*."
C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe
C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe .
C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe
C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ohxsdamlwrubfujttb.exe*."
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\fxmgqmxvfzbhkymvu.exe*."
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ztkgsqddplpxcsitudd.exe*."
C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe
C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe
C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe
C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztkgsqddplpxcsitudd.exe
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ypdwfakhqjkprerz.exe*."
C:\Windows\ztkgsqddplpxcsitudd.exe
ztkgsqddplpxcsitudd.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxmgqmxvfzbhkymvu.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\fxmgqmxvfzbhkymvu.exe
fxmgqmxvfzbhkymvu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxqoccrthflvcumzcnple.exe
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\fxmgqmxvfzbhkymvu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohxsdamlwrubfujttb.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\bxqoccrthflvcumzcnple.exe
bxqoccrthflvcumzcnple.exe
C:\Windows\ohxsdamlwrubfujttb.exe
ohxsdamlwrubfujttb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe
C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe
C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe .
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ohxsdamlwrubfujttb.exe*."
C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe
C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe .
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ztkgsqddplpxcsitudd.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe .
C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe
C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe
C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe
C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe .
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bxqoccrthflvcumzcnple.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohxsdamlwrubfujttb.exe
C:\Windows\ohxsdamlwrubfujttb.exe
ohxsdamlwrubfujttb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxqoccrthflvcumzcnple.exe .
C:\Windows\bxqoccrthflvcumzcnple.exe
bxqoccrthflvcumzcnple.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypdwfakhqjkprerz.exe
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\bxqoccrthflvcumzcnple.exe*."
C:\Windows\ypdwfakhqjkprerz.exe
ypdwfakhqjkprerz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxmgqmxvfzbhkymvu.exe .
C:\Windows\fxmgqmxvfzbhkymvu.exe
fxmgqmxvfzbhkymvu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe .
C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe
C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\fxmgqmxvfzbhkymvu.exe*."
C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe
C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe .
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\mhzwjiwxkhmvbsjvxhid.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe
C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe
C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe .
C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe
C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe .
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\fxmgqmxvfzbhkymvu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxqoccrthflvcumzcnple.exe
C:\Windows\bxqoccrthflvcumzcnple.exe
bxqoccrthflvcumzcnple.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohxsdamlwrubfujttb.exe .
C:\Windows\ohxsdamlwrubfujttb.exe
ohxsdamlwrubfujttb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxqoccrthflvcumzcnple.exe
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ohxsdamlwrubfujttb.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhzwjiwxkhmvbsjvxhid.exe .
C:\Windows\bxqoccrthflvcumzcnple.exe
bxqoccrthflvcumzcnple.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe
C:\Windows\mhzwjiwxkhmvbsjvxhid.exe
mhzwjiwxkhmvbsjvxhid.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe .
C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe
C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\mhzwjiwxkhmvbsjvxhid.exe*."
C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe
C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe .
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ypdwfakhqjkprerz.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe .
C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe
C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe
C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe
C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe .
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\fxmgqmxvfzbhkymvu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxqoccrthflvcumzcnple.exe
C:\Windows\bxqoccrthflvcumzcnple.exe
bxqoccrthflvcumzcnple.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxmgqmxvfzbhkymvu.exe .
C:\Windows\fxmgqmxvfzbhkymvu.exe
fxmgqmxvfzbhkymvu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztkgsqddplpxcsitudd.exe
C:\Windows\ztkgsqddplpxcsitudd.exe
ztkgsqddplpxcsitudd.exe
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\fxmgqmxvfzbhkymvu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztkgsqddplpxcsitudd.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe
C:\Windows\ztkgsqddplpxcsitudd.exe
ztkgsqddplpxcsitudd.exe .
C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe
C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe .
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ztkgsqddplpxcsitudd.exe*."
C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe
C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe .
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\fxmgqmxvfzbhkymvu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe .
C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe
C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe
C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe
C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe .
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ohxsdamlwrubfujttb.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxmgqmxvfzbhkymvu.exe
C:\Windows\fxmgqmxvfzbhkymvu.exe
fxmgqmxvfzbhkymvu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypdwfakhqjkprerz.exe .
C:\Windows\ypdwfakhqjkprerz.exe
ypdwfakhqjkprerz.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohxsdamlwrubfujttb.exe
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ypdwfakhqjkprerz.exe*."
C:\Windows\ohxsdamlwrubfujttb.exe
ohxsdamlwrubfujttb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypdwfakhqjkprerz.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\ypdwfakhqjkprerz.exe
ypdwfakhqjkprerz.exe .
C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe
C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe .
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ypdwfakhqjkprerz.exe*."
C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe
C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe .
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ztkgsqddplpxcsitudd.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe .
C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe
C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe
C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe
C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe .
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\mhzwjiwxkhmvbsjvxhid.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypdwfakhqjkprerz.exe
C:\Windows\ypdwfakhqjkprerz.exe
ypdwfakhqjkprerz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohxsdamlwrubfujttb.exe .
C:\Windows\ohxsdamlwrubfujttb.exe
ohxsdamlwrubfujttb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxmgqmxvfzbhkymvu.exe
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ohxsdamlwrubfujttb.exe*."
C:\Windows\fxmgqmxvfzbhkymvu.exe
fxmgqmxvfzbhkymvu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxmgqmxvfzbhkymvu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\fxmgqmxvfzbhkymvu.exe
fxmgqmxvfzbhkymvu.exe .
C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe
C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe .
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\fxmgqmxvfzbhkymvu.exe*."
C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe
C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe .
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ohxsdamlwrubfujttb.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe .
C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe
C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohxsdamlwrubfujttb.exe
C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe
C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxqoccrthflvcumzcnple.exe
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ohxsdamlwrubfujttb.exe*."
C:\Windows\ohxsdamlwrubfujttb.exe
ohxsdamlwrubfujttb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohxsdamlwrubfujttb.exe .
C:\Windows\bxqoccrthflvcumzcnple.exe
bxqoccrthflvcumzcnple.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohxsdamlwrubfujttb.exe .
C:\Windows\ohxsdamlwrubfujttb.exe
ohxsdamlwrubfujttb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxqoccrthflvcumzcnple.exe
C:\Windows\ohxsdamlwrubfujttb.exe
ohxsdamlwrubfujttb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztkgsqddplpxcsitudd.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypdwfakhqjkprerz.exe
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ohxsdamlwrubfujttb.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhzwjiwxkhmvbsjvxhid.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\bxqoccrthflvcumzcnple.exe
bxqoccrthflvcumzcnple.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztkgsqddplpxcsitudd.exe
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ohxsdamlwrubfujttb.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe .
C:\Windows\ypdwfakhqjkprerz.exe
ypdwfakhqjkprerz.exe
C:\Windows\ztkgsqddplpxcsitudd.exe
ztkgsqddplpxcsitudd.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxmgqmxvfzbhkymvu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe
C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe
C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe .
C:\Windows\ztkgsqddplpxcsitudd.exe
ztkgsqddplpxcsitudd.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxqoccrthflvcumzcnple.exe
C:\Windows\mhzwjiwxkhmvbsjvxhid.exe
mhzwjiwxkhmvbsjvxhid.exe .
C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe
C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe .
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ztkgsqddplpxcsitudd.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhzwjiwxkhmvbsjvxhid.exe .
C:\Windows\fxmgqmxvfzbhkymvu.exe
fxmgqmxvfzbhkymvu.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe .
C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe
C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe .
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\mhzwjiwxkhmvbsjvxhid.exe*."
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\mhzwjiwxkhmvbsjvxhid.exe*."
C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe
C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\fxmgqmxvfzbhkymvu.exe*."
C:\Windows\bxqoccrthflvcumzcnple.exe
bxqoccrthflvcumzcnple.exe
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\mhzwjiwxkhmvbsjvxhid.exe*."
C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe
C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe
C:\Windows\mhzwjiwxkhmvbsjvxhid.exe
mhzwjiwxkhmvbsjvxhid.exe .
C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe
C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe .
C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe
C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe .
C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe
C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe
C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe
C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\fxmgqmxvfzbhkymvu.exe*."
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bxqoccrthflvcumzcnple.exe*."
C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe
C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\mhzwjiwxkhmvbsjvxhid.exe*."
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ztkgsqddplpxcsitudd.exe*."
C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe
C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe .
C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe
C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ohxsdamlwrubfujttb.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhzwjiwxkhmvbsjvxhid.exe
C:\Windows\mhzwjiwxkhmvbsjvxhid.exe
mhzwjiwxkhmvbsjvxhid.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohxsdamlwrubfujttb.exe .
C:\Windows\ohxsdamlwrubfujttb.exe
ohxsdamlwrubfujttb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhzwjiwxkhmvbsjvxhid.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ohxsdamlwrubfujttb.exe*."
C:\Windows\mhzwjiwxkhmvbsjvxhid.exe
mhzwjiwxkhmvbsjvxhid.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohxsdamlwrubfujttb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe
C:\Windows\ohxsdamlwrubfujttb.exe
ohxsdamlwrubfujttb.exe .
C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe
C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe .
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ohxsdamlwrubfujttb.exe*."
C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe
C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe .
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ztkgsqddplpxcsitudd.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe .
C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe
C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe
C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe
C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe .
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ohxsdamlwrubfujttb.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhzwjiwxkhmvbsjvxhid.exe
C:\Windows\mhzwjiwxkhmvbsjvxhid.exe
mhzwjiwxkhmvbsjvxhid.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhzwjiwxkhmvbsjvxhid.exe .
C:\Windows\mhzwjiwxkhmvbsjvxhid.exe
mhzwjiwxkhmvbsjvxhid.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztkgsqddplpxcsitudd.exe
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\mhzwjiwxkhmvbsjvxhid.exe*."
C:\Windows\ztkgsqddplpxcsitudd.exe
ztkgsqddplpxcsitudd.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxmgqmxvfzbhkymvu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe
C:\Windows\fxmgqmxvfzbhkymvu.exe
fxmgqmxvfzbhkymvu.exe .
C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe
C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe .
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\fxmgqmxvfzbhkymvu.exe*."
C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe
C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe .
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ohxsdamlwrubfujttb.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe .
C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe
C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe
C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe
C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe .
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ypdwfakhqjkprerz.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztkgsqddplpxcsitudd.exe
C:\Windows\ztkgsqddplpxcsitudd.exe
ztkgsqddplpxcsitudd.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohxsdamlwrubfujttb.exe .
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ypdwfakhqjkprerz.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe
C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe
C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe
C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe .
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ohxsdamlwrubfujttb.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztkgsqddplpxcsitudd.exe
C:\Windows\ztkgsqddplpxcsitudd.exe
ztkgsqddplpxcsitudd.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxmgqmxvfzbhkymvu.exe .
C:\Windows\fxmgqmxvfzbhkymvu.exe
fxmgqmxvfzbhkymvu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxmgqmxvfzbhkymvu.exe
C:\Windows\fxmgqmxvfzbhkymvu.exe
fxmgqmxvfzbhkymvu.exe
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\fxmgqmxvfzbhkymvu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohxsdamlwrubfujttb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe
C:\Windows\ohxsdamlwrubfujttb.exe
ohxsdamlwrubfujttb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe .
C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe
C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ohxsdamlwrubfujttb.exe*."
C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe
C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe .
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ztkgsqddplpxcsitudd.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe .
C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe
C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe
C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe
C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe .
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\mhzwjiwxkhmvbsjvxhid.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypdwfakhqjkprerz.exe
C:\Windows\ypdwfakhqjkprerz.exe
ypdwfakhqjkprerz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxmgqmxvfzbhkymvu.exe .
C:\Windows\fxmgqmxvfzbhkymvu.exe
fxmgqmxvfzbhkymvu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztkgsqddplpxcsitudd.exe
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\fxmgqmxvfzbhkymvu.exe*."
C:\Windows\ztkgsqddplpxcsitudd.exe
ztkgsqddplpxcsitudd.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztkgsqddplpxcsitudd.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe
C:\Windows\ztkgsqddplpxcsitudd.exe
ztkgsqddplpxcsitudd.exe .
C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe
C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe .
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ztkgsqddplpxcsitudd.exe*."
C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe
C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe .
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\mhzwjiwxkhmvbsjvxhid.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe .
C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe
C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe
C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe
C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe .
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ypdwfakhqjkprerz.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohxsdamlwrubfujttb.exe
C:\Windows\ohxsdamlwrubfujttb.exe
ohxsdamlwrubfujttb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypdwfakhqjkprerz.exe .
C:\Windows\ypdwfakhqjkprerz.exe
ypdwfakhqjkprerz.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxmgqmxvfzbhkymvu.exe
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ypdwfakhqjkprerz.exe*."
C:\Windows\fxmgqmxvfzbhkymvu.exe
fxmgqmxvfzbhkymvu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhzwjiwxkhmvbsjvxhid.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe
C:\Windows\mhzwjiwxkhmvbsjvxhid.exe
mhzwjiwxkhmvbsjvxhid.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe .
C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe
C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\mhzwjiwxkhmvbsjvxhid.exe*."
C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe
C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe .
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ypdwfakhqjkprerz.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe .
C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe
C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe
C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe
C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe .
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ohxsdamlwrubfujttb.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypdwfakhqjkprerz.exe
C:\Windows\ypdwfakhqjkprerz.exe
ypdwfakhqjkprerz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxqoccrthflvcumzcnple.exe .
C:\Windows\bxqoccrthflvcumzcnple.exe
bxqoccrthflvcumzcnple.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxqoccrthflvcumzcnple.exe
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\bxqoccrthflvcumzcnple.exe*."
C:\Windows\bxqoccrthflvcumzcnple.exe
bxqoccrthflvcumzcnple.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohxsdamlwrubfujttb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe
C:\Windows\ohxsdamlwrubfujttb.exe
ohxsdamlwrubfujttb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe .
C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe
C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ohxsdamlwrubfujttb.exe*."
C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe
C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe .
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\fxmgqmxvfzbhkymvu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe .
C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe
C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohxsdamlwrubfujttb.exe
C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe
C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fxmgqmxvfzbhkymvu.exe
C:\Windows\ohxsdamlwrubfujttb.exe
ohxsdamlwrubfujttb.exe
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\mhzwjiwxkhmvbsjvxhid.exe*."
C:\Windows\fxmgqmxvfzbhkymvu.exe
fxmgqmxvfzbhkymvu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztkgsqddplpxcsitudd.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztkgsqddplpxcsitudd.exe .
C:\Windows\ztkgsqddplpxcsitudd.exe
ztkgsqddplpxcsitudd.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ypdwfakhqjkprerz.exe
C:\Windows\ztkgsqddplpxcsitudd.exe
ztkgsqddplpxcsitudd.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mhzwjiwxkhmvbsjvxhid.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohxsdamlwrubfujttb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxqoccrthflvcumzcnple.exe .
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ztkgsqddplpxcsitudd.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ztkgsqddplpxcsitudd.exe*."
C:\Windows\ypdwfakhqjkprerz.exe
ypdwfakhqjkprerz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ztkgsqddplpxcsitudd.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohxsdamlwrubfujttb.exe .
C:\Windows\ohxsdamlwrubfujttb.exe
ohxsdamlwrubfujttb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe
C:\Windows\bxqoccrthflvcumzcnple.exe
bxqoccrthflvcumzcnple.exe .
C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe
C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohxsdamlwrubfujttb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tyzkrdhyl.info | udp |
| US | 8.8.8.8:53 | uvyazp.net | udp |
| US | 8.8.8.8:53 | yepwjal.info | udp |
| US | 8.8.8.8:53 | odnunidwyets.net | udp |
| US | 8.8.8.8:53 | zewlpp.info | udp |
| US | 8.8.8.8:53 | dtsveb.net | udp |
| US | 8.8.8.8:53 | vyvijbihvn.info | udp |
| MD | 93.116.217.31:25844 | tcp | |
| US | 8.8.8.8:53 | evjxlbis.info | udp |
| US | 8.8.8.8:53 | izmpshmo.net | udp |
| US | 8.8.8.8:53 | wcfrrwydlcza.info | udp |
| US | 8.8.8.8:53 | vticvrbuweuq.net | udp |
| US | 8.8.8.8:53 | pchofazkt.com | udp |
| US | 8.8.8.8:53 | lmnthgo.net | udp |
| US | 8.8.8.8:53 | hsrofavrq.net | udp |
| US | 8.8.8.8:53 | asasqcyu.org | udp |
| US | 8.8.8.8:53 | xqtwdcn.net | udp |
| US | 8.8.8.8:53 | kylzcbiqo.net | udp |
| US | 8.8.8.8:53 | euqfrwoijcr.info | udp |
| US | 8.8.8.8:53 | llpwlrlwpx.net | udp |
| US | 8.8.8.8:53 | betkqih.info | udp |
| US | 8.8.8.8:53 | foapdh.net | udp |
| US | 8.8.8.8:53 | thcwyvnupatf.info | udp |
| US | 8.8.8.8:53 | prrrtg.net | udp |
| US | 8.8.8.8:53 | btiflqcdhj.net | udp |
| US | 8.8.8.8:53 | ypnfwuye.net | udp |
| US | 8.8.8.8:53 | wnxsbsqlocvb.net | udp |
| US | 8.8.8.8:53 | bctwfgikb.org | udp |
| US | 8.8.8.8:53 | sratbjpi.net | udp |
| US | 8.8.8.8:53 | oxvmuwvky.net | udp |
| US | 8.8.8.8:53 | fzqqksnzg.net | udp |
| US | 8.8.8.8:53 | xupbbabop.com | udp |
| US | 8.8.8.8:53 | nyluzyvwf.com | udp |
| US | 8.8.8.8:53 | nwpnfmrwojk.org | udp |
| US | 8.8.8.8:53 | ckwycauo.org | udp |
| US | 8.8.8.8:53 | zqgkhcn.org | udp |
| US | 8.8.8.8:53 | cuhwxvbrngl.net | udp |
| BG | 46.237.110.115:32120 | tcp | |
| US | 8.8.8.8:53 | aqjbubsaaw.net | udp |
| US | 8.8.8.8:53 | xmlymtnez.org | udp |
| US | 8.8.8.8:53 | uxljtpzsdnnh.net | udp |
| US | 8.8.8.8:53 | zwjabiauuye.info | udp |
| US | 8.8.8.8:53 | owhamuxacdf.info | udp |
| US | 8.8.8.8:53 | odzbrjqoy.info | udp |
| US | 8.8.8.8:53 | ieeywcyqay.org | udp |
| US | 8.8.8.8:53 | cwhvzhtzzxrd.net | udp |
| US | 8.8.8.8:53 | sehubezew.net | udp |
| US | 8.8.8.8:53 | ngrsyizvxqh.com | udp |
| US | 8.8.8.8:53 | koufluf.info | udp |
| US | 8.8.8.8:53 | aalijqi.info | udp |
| US | 8.8.8.8:53 | vfdsdxjdbvhc.info | udp |
| US | 8.8.8.8:53 | xbhcsgk.org | udp |
| US | 8.8.8.8:53 | lcpqxmvvqsr.org | udp |
| US | 8.8.8.8:53 | fftwhwdggmy.net | udp |
| US | 8.8.8.8:53 | obfhjeqq.net | udp |
| US | 8.8.8.8:53 | odqisf.info | udp |
| US | 8.8.8.8:53 | hxuolpfa.net | udp |
| US | 8.8.8.8:53 | pksskka.net | udp |
| US | 8.8.8.8:53 | ncpmyszzt.info | udp |
| US | 8.8.8.8:53 | kgsyoooicomg.com | udp |
| US | 8.8.8.8:53 | cmnixqgof.info | udp |
| US | 8.8.8.8:53 | ybxsqlwexbnh.info | udp |
| US | 8.8.8.8:53 | dhgevojfc.org | udp |
| US | 8.8.8.8:53 | rjhltljjl.com | udp |
| US | 8.8.8.8:53 | mfgbbglhxvlt.info | udp |
| US | 8.8.8.8:53 | ccyumsam.com | udp |
| US | 8.8.8.8:53 | kkiamiym.com | udp |
| US | 8.8.8.8:53 | jsjvbrlxl.org | udp |
| US | 8.8.8.8:53 | jppmdbpsgonw.net | udp |
| US | 8.8.8.8:53 | cylahgn.net | udp |
| US | 8.8.8.8:53 | lviujlz.org | udp |
| US | 8.8.8.8:53 | jatdaajehomt.net | udp |
| US | 8.8.8.8:53 | yantsqdcy.net | udp |
| US | 8.8.8.8:53 | wixkbudik.net | udp |
| US | 8.8.8.8:53 | xgsxzx.net | udp |
| US | 8.8.8.8:53 | dmnextlozib.com | udp |
| US | 8.8.8.8:53 | dydomis.com | udp |
| US | 8.8.8.8:53 | mwgkuyee.org | udp |
| US | 8.8.8.8:53 | yqlqjyyoqp.info | udp |
| US | 8.8.8.8:53 | fixlwsut.net | udp |
| US | 8.8.8.8:53 | tasqsirhfkj.info | udp |
| US | 8.8.8.8:53 | mwqrclwkdi.net | udp |
| US | 8.8.8.8:53 | uiceesz.info | udp |
| US | 8.8.8.8:53 | hhlidzgrpsor.info | udp |
| US | 8.8.8.8:53 | qgaadcaor.info | udp |
| DZ | 41.102.170.59:20802 | tcp | |
| US | 8.8.8.8:53 | lkxytgsxz.info | udp |
| US | 8.8.8.8:53 | fcvmfmxpbib.info | udp |
| US | 8.8.8.8:53 | dezjoebqin.net | udp |
| US | 8.8.8.8:53 | bzaydhbkyko.info | udp |
| US | 8.8.8.8:53 | uogisaiaec.org | udp |
| US | 8.8.8.8:53 | dsrmhrhqmch.net | udp |
| US | 8.8.8.8:53 | xkrcrzoez.info | udp |
| US | 8.8.8.8:53 | xqvctdey.info | udp |
| US | 8.8.8.8:53 | auaewuse.com | udp |
| US | 8.8.8.8:53 | uoxjsmld.info | udp |
| US | 8.8.8.8:53 | rnokvdwot.org | udp |
| US | 8.8.8.8:53 | liefiypoi.org | udp |
| US | 8.8.8.8:53 | pakahvwxtmr.info | udp |
| US | 8.8.8.8:53 | jovyivfzh.net | udp |
| US | 8.8.8.8:53 | ewiuauieao.com | udp |
| US | 8.8.8.8:53 | afjwnxnopem.info | udp |
| US | 8.8.8.8:53 | epiisblw.net | udp |
| US | 8.8.8.8:53 | wacgawyspf.info | udp |
| US | 8.8.8.8:53 | xrlpxvdcsy.net | udp |
| US | 8.8.8.8:53 | bjpwlrlwpx.net | udp |
| US | 8.8.8.8:53 | uwmesgwy.com | udp |
| US | 8.8.8.8:53 | acwmfkvha.net | udp |
| US | 8.8.8.8:53 | imwkkoik.com | udp |
| US | 8.8.8.8:53 | togogbwmi.net | udp |
| US | 8.8.8.8:53 | vxpodj.net | udp |
| US | 8.8.8.8:53 | uoimkp.net | udp |
| US | 8.8.8.8:53 | zxirnyrwc.info | udp |
| US | 8.8.8.8:53 | sewuvwb.net | udp |
| US | 8.8.8.8:53 | zmdotmhug.com | udp |
| US | 8.8.8.8:53 | khrzllrydvmf.info | udp |
| US | 8.8.8.8:53 | vuwgzt.info | udp |
| US | 8.8.8.8:53 | xtmfroroqfy.com | udp |
| US | 8.8.8.8:53 | riloegtqp.com | udp |
| US | 8.8.8.8:53 | ysearkxwv.net | udp |
| US | 8.8.8.8:53 | oaewcmmi.com | udp |
| US | 8.8.8.8:53 | lxytun.net | udp |
| US | 8.8.8.8:53 | hoophcfyy.org | udp |
| US | 8.8.8.8:53 | vdgmymv.info | udp |
| US | 8.8.8.8:53 | ofketorej.info | udp |
| US | 8.8.8.8:53 | symgoioiui.com | udp |
| US | 8.8.8.8:53 | aftfolsutqi.net | udp |
| US | 8.8.8.8:53 | issqvmnca.info | udp |
| US | 8.8.8.8:53 | oalwpcngx.info | udp |
| US | 8.8.8.8:53 | kuibofb.info | udp |
| US | 8.8.8.8:53 | iolsgsfqt.net | udp |
| US | 8.8.8.8:53 | kvbyaetsic.net | udp |
| US | 8.8.8.8:53 | gbenvxfo.net | udp |
| US | 8.8.8.8:53 | jyosdyycfo.info | udp |
Files
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe
C:\Windows\SysWOW64\ohxsdamlwrubfujttb.exe
C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe
C:\Users\Admin\AppData\Local\dfeicidlfjvlywunwnvxwau.vdx
C:\Users\Admin\AppData\Local\qdnchyexcropnwfjdfylvkpgmfkzwxvenr.ngt
C:\Program Files (x86)\dfeicidlfjvlywunwnvxwau.vdx