Malware Analysis Report

2025-08-10 16:33

Sample ID 250415-n4j88stlv7
Target JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0
SHA256 19bfc62f4162a8399e6c22f14721710d96007e027aaa8154e3d80bb725c360e4
Tags
pykspa defense_evasion discovery persistence privilege_escalation trojan worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

19bfc62f4162a8399e6c22f14721710d96007e027aaa8154e3d80bb725c360e4

Threat Level: Known bad

The file JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0 was found to be: Known bad.

Malicious Activity Summary

pykspa defense_evasion discovery persistence privilege_escalation trojan worm

Pykspa family

Modifies WinLogon for persistence

Pykspa

UAC bypass

Detect Pykspa worm

Disables RegEdit via registry modification

Adds policy Run key to start application

Checks computer location settings

Impair Defenses: Safe Mode Boot

Executes dropped EXE

Checks whether UAC is enabled

Looks up external IP address via web service

Adds Run key to start application

Hijack Execution Flow: Executable Installer File Permissions Weakness

Drops file in System32 directory

Drops autorun.inf file

Drops file in Program Files directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

System policy modification

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-04-15 11:57

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-04-15 11:57

Reported

2025-04-15 11:59

Platform

win10v2004-20250410-en

Max time kernel

49s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A

Pykspa

worm pykspa

Pykspa family

pykspa

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A

Detect Pykspa worm

worm
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ijwerzdqx = "bjdsmbmguhojaftf.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ijwerzdqx = "irmcxnzujxfbtzobq.exe" C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ijwerzdqx = "pbzsqjywofqpktlbtqlx.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ijwerzdqx = "pbzsqjywofqpktlbtqlx.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pnxcmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cnkczrfctjtrltkzqmg.exe" C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ijwerzdqx = "bjdsmbmguhojaftf.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ijwerzdqx = "cnkczrfctjtrltkzqmg.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pnxcmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\erqkjdtsldpplvofywsfe.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ijwerzdqx = "erqkjdtsldpplvofywsfe.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pnxcmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pbzsqjywofqpktlbtqlx.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ijwerzdqx = "rbxokbokapyvovlzpk.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pnxcmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\irmcxnzujxfbtzobq.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pnxcmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rbxokbokapyvovlzpk.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ijwerzdqx = "rbxokbokapyvovlzpk.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pnxcmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pbzsqjywofqpktlbtqlx.exe" C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pnxcmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\irmcxnzujxfbtzobq.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ijwerzdqx = "irmcxnzujxfbtzobq.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ijwerzdqx = "erqkjdtsldpplvofywsfe.exe" C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pnxcmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rbxokbokapyvovlzpk.exe" C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ijwerzdqx = "bjdsmbmguhojaftf.exe" C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pnxcmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rbxokbokapyvovlzpk.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pnxcmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\irmcxnzujxfbtzobq.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ijwerzdqx = "irmcxnzujxfbtzobq.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ijwerzdqx = "pbzsqjywofqpktlbtqlx.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pnxcmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rbxokbokapyvovlzpk.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pnxcmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bjdsmbmguhojaftf.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ijwerzdqx = "rbxokbokapyvovlzpk.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pnxcmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\erqkjdtsldpplvofywsfe.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pnxcmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\erqkjdtsldpplvofywsfe.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pnxcmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\irmcxnzujxfbtzobq.exe" C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ijwerzdqx = "pbzsqjywofqpktlbtqlx.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ijwerzdqx = "bjdsmbmguhojaftf.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ijwerzdqx = "cnkczrfctjtrltkzqmg.exe" C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pnxcmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bjdsmbmguhojaftf.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ijwerzdqx = "pbzsqjywofqpktlbtqlx.exe" C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pnxcmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rbxokbokapyvovlzpk.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pnxcmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bjdsmbmguhojaftf.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pnxcmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cnkczrfctjtrltkzqmg.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ijwerzdqx = "pbzsqjywofqpktlbtqlx.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pnxcmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rbxokbokapyvovlzpk.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ijwerzdqx = "irmcxnzujxfbtzobq.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pnxcmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rbxokbokapyvovlzpk.exe" C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ijwerzdqx = "bjdsmbmguhojaftf.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ijwerzdqx = "pbzsqjywofqpktlbtqlx.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A

Disables RegEdit via registry modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation C:\Windows\irmcxnzujxfbtzobq.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation C:\Windows\cnkczrfctjtrltkzqmg.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation C:\Windows\cnkczrfctjtrltkzqmg.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation C:\Windows\irmcxnzujxfbtzobq.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation C:\Windows\pbzsqjywofqpktlbtqlx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation C:\Windows\irmcxnzujxfbtzobq.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation C:\Windows\rbxokbokapyvovlzpk.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation C:\Windows\bjdsmbmguhojaftf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation C:\Windows\cnkczrfctjtrltkzqmg.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation C:\Windows\erqkjdtsldpplvofywsfe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation C:\Windows\pbzsqjywofqpktlbtqlx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation C:\Windows\irmcxnzujxfbtzobq.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation C:\Windows\cnkczrfctjtrltkzqmg.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation C:\Windows\bjdsmbmguhojaftf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation C:\Windows\cnkczrfctjtrltkzqmg.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation C:\Windows\cnkczrfctjtrltkzqmg.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation C:\Windows\irmcxnzujxfbtzobq.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation C:\Windows\bjdsmbmguhojaftf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation C:\Windows\irmcxnzujxfbtzobq.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation C:\Windows\bjdsmbmguhojaftf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation C:\Windows\erqkjdtsldpplvofywsfe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation C:\Windows\bjdsmbmguhojaftf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation C:\Windows\erqkjdtsldpplvofywsfe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation C:\Windows\pbzsqjywofqpktlbtqlx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation C:\Windows\rbxokbokapyvovlzpk.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation C:\Windows\cnkczrfctjtrltkzqmg.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation C:\Windows\bjdsmbmguhojaftf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation C:\Windows\pbzsqjywofqpktlbtqlx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation C:\Windows\bjdsmbmguhojaftf.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
N/A N/A C:\Windows\bjdsmbmguhojaftf.exe N/A
N/A N/A C:\Windows\bjdsmbmguhojaftf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
N/A N/A C:\Windows\erqkjdtsldpplvofywsfe.exe N/A
N/A N/A C:\Windows\bjdsmbmguhojaftf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
N/A N/A C:\Windows\erqkjdtsldpplvofywsfe.exe N/A
N/A N/A C:\Windows\pbzsqjywofqpktlbtqlx.exe N/A
N/A N/A C:\Windows\cnkczrfctjtrltkzqmg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe N/A
N/A N/A C:\Windows\bjdsmbmguhojaftf.exe N/A
N/A N/A C:\Windows\rbxokbokapyvovlzpk.exe N/A
N/A N/A C:\Windows\rbxokbokapyvovlzpk.exe N/A
N/A N/A C:\Windows\rbxokbokapyvovlzpk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe N/A
N/A N/A C:\Windows\cnkczrfctjtrltkzqmg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe N/A
N/A N/A C:\Windows\rbxokbokapyvovlzpk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe N/A
N/A N/A C:\Windows\irmcxnzujxfbtzobq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
N/A N/A C:\Windows\pbzsqjywofqpktlbtqlx.exe N/A
N/A N/A C:\Windows\bjdsmbmguhojaftf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
N/A N/A C:\Windows\cnkczrfctjtrltkzqmg.exe N/A
N/A N/A C:\Windows\irmcxnzujxfbtzobq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
N/A N/A C:\Windows\rbxokbokapyvovlzpk.exe N/A
N/A N/A C:\Windows\rbxokbokapyvovlzpk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe N/A
N/A N/A C:\Windows\cnkczrfctjtrltkzqmg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe N/A
N/A N/A C:\Windows\rbxokbokapyvovlzpk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
N/A N/A C:\Windows\irmcxnzujxfbtzobq.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sxoardlcnxbth = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cnkczrfctjtrltkzqmg.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\txnyozgwgpsj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\irmcxnzujxfbtzobq.exe ." C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cbmsdjl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cnkczrfctjtrltkzqmg.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wzoynxdsbjl = "irmcxnzujxfbtzobq.exe ." C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\txnyozgwgpsj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cnkczrfctjtrltkzqmg.exe ." C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\txnyozgwgpsj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bjdsmbmguhojaftf.exe ." C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cbmsdjl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cnkczrfctjtrltkzqmg.exe" C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rrdkwdgs = "bjdsmbmguhojaftf.exe ." C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bdraoxcqyf = "rbxokbokapyvovlzpk.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bdraoxcqyf = "bjdsmbmguhojaftf.exe" C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\txnyozgwgpsj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\irmcxnzujxfbtzobq.exe ." C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sxoardlcnxbth = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bjdsmbmguhojaftf.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\txnyozgwgpsj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rbxokbokapyvovlzpk.exe ." C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sxoardlcnxbth = "C:\\Users\\Admin\\AppData\\Local\\Temp\\irmcxnzujxfbtzobq.exe" C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rrdkwdgs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\irmcxnzujxfbtzobq.exe ." C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\txnyozgwgpsj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rbxokbokapyvovlzpk.exe ." C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\txnyozgwgpsj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\erqkjdtsldpplvofywsfe.exe ." C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cbmsdjl = "pbzsqjywofqpktlbtqlx.exe" C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rrdkwdgs = "irmcxnzujxfbtzobq.exe ." C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cbmsdjl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rbxokbokapyvovlzpk.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cbmsdjl = "rbxokbokapyvovlzpk.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bdraoxcqyf = "cnkczrfctjtrltkzqmg.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rrdkwdgs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bjdsmbmguhojaftf.exe ." C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\txnyozgwgpsj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pbzsqjywofqpktlbtqlx.exe ." C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rrdkwdgs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rbxokbokapyvovlzpk.exe ." C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wzoynxdsbjl = "erqkjdtsldpplvofywsfe.exe ." C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rrdkwdgs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pbzsqjywofqpktlbtqlx.exe ." C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cbmsdjl = "cnkczrfctjtrltkzqmg.exe" C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cbmsdjl = "irmcxnzujxfbtzobq.exe" C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bdraoxcqyf = "erqkjdtsldpplvofywsfe.exe" C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\txnyozgwgpsj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bjdsmbmguhojaftf.exe ." C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rrdkwdgs = "bjdsmbmguhojaftf.exe ." C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cbmsdjl = "erqkjdtsldpplvofywsfe.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wzoynxdsbjl = "erqkjdtsldpplvofywsfe.exe ." C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rrdkwdgs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\erqkjdtsldpplvofywsfe.exe ." C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sxoardlcnxbth = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pbzsqjywofqpktlbtqlx.exe" C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rrdkwdgs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pbzsqjywofqpktlbtqlx.exe ." C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bdraoxcqyf = "rbxokbokapyvovlzpk.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wzoynxdsbjl = "irmcxnzujxfbtzobq.exe ." C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rrdkwdgs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pbzsqjywofqpktlbtqlx.exe ." C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cbmsdjl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pbzsqjywofqpktlbtqlx.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bdraoxcqyf = "bjdsmbmguhojaftf.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cbmsdjl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\irmcxnzujxfbtzobq.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rrdkwdgs = "rbxokbokapyvovlzpk.exe ." C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sxoardlcnxbth = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pbzsqjywofqpktlbtqlx.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sxoardlcnxbth = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pbzsqjywofqpktlbtqlx.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wzoynxdsbjl = "pbzsqjywofqpktlbtqlx.exe ." C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sxoardlcnxbth = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cnkczrfctjtrltkzqmg.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wzoynxdsbjl = "cnkczrfctjtrltkzqmg.exe ." C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cbmsdjl = "bjdsmbmguhojaftf.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rrdkwdgs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pbzsqjywofqpktlbtqlx.exe ." C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cbmsdjl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\erqkjdtsldpplvofywsfe.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wzoynxdsbjl = "cnkczrfctjtrltkzqmg.exe ." C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rrdkwdgs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bjdsmbmguhojaftf.exe ." C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cbmsdjl = "pbzsqjywofqpktlbtqlx.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wzoynxdsbjl = "cnkczrfctjtrltkzqmg.exe ." C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bdraoxcqyf = "rbxokbokapyvovlzpk.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wzoynxdsbjl = "cnkczrfctjtrltkzqmg.exe ." C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\txnyozgwgpsj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\erqkjdtsldpplvofywsfe.exe ." C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bdraoxcqyf = "bjdsmbmguhojaftf.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\txnyozgwgpsj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cnkczrfctjtrltkzqmg.exe ." C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rrdkwdgs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\irmcxnzujxfbtzobq.exe ." C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\txnyozgwgpsj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\erqkjdtsldpplvofywsfe.exe ." C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cbmsdjl = "pbzsqjywofqpktlbtqlx.exe" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A

Hijack Execution Flow: Executable Installer File Permissions Weakness

defense_evasion persistence privilege_escalation
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A www.whatismyip.ca N/A N/A
N/A whatismyip.everdot.org N/A N/A
N/A www.showmyipaddress.com N/A N/A
N/A whatismyipaddress.com N/A N/A
N/A whatismyip.everdot.org N/A N/A
N/A whatismyip.everdot.org N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A whatismyip.everdot.org N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\cnkczrfctjtrltkzqmg.exe C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
File opened for modification C:\Windows\SysWOW64\rbxokbokapyvovlzpk.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\SysWOW64\bjdsmbmguhojaftf.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\SysWOW64\pbzsqjywofqpktlbtqlx.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\SysWOW64\bjdsmbmguhojaftf.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\SysWOW64\rbxokbokapyvovlzpk.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\SysWOW64\vjjeezqqkdqroztlfebppk.exe C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
File opened for modification C:\Windows\SysWOW64\bjdsmbmguhojaftf.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\SysWOW64\cnkczrfctjtrltkzqmg.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\SysWOW64\irmcxnzujxfbtzobq.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\SysWOW64\rbxokbokapyvovlzpk.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\SysWOW64\pbzsqjywofqpktlbtqlx.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\SysWOW64\pbzsqjywofqpktlbtqlx.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\SysWOW64\cnkczrfctjtrltkzqmg.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\SysWOW64\vjjeezqqkdqroztlfebppk.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\SysWOW64\rbxokbokapyvovlzpk.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\SysWOW64\erqkjdtsldpplvofywsfe.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\SysWOW64\erqkjdtsldpplvofywsfe.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\SysWOW64\rbxokbokapyvovlzpk.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\SysWOW64\bjdsmbmguhojaftf.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\SysWOW64\vjjeezqqkdqroztlfebppk.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\SysWOW64\vjjeezqqkdqroztlfebppk.exe C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
File opened for modification C:\Windows\SysWOW64\irmcxnzujxfbtzobq.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\SysWOW64\cnkczrfctjtrltkzqmg.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\SysWOW64\cnkczrfctjtrltkzqmg.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\SysWOW64\irmcxnzujxfbtzobq.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\SysWOW64\vjjeezqqkdqroztlfebppk.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\SysWOW64\bjdsmbmguhojaftf.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\SysWOW64\irmcxnzujxfbtzobq.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\SysWOW64\irmcxnzujxfbtzobq.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\SysWOW64\pbzsqjywofqpktlbtqlx.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\SysWOW64\vjjeezqqkdqroztlfebppk.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\SysWOW64\cnkczrfctjtrltkzqmg.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\SysWOW64\bjdsmbmguhojaftf.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\SysWOW64\cnkczrfctjtrltkzqmg.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\SysWOW64\erqkjdtsldpplvofywsfe.exe C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
File opened for modification C:\Windows\SysWOW64\vjjeezqqkdqroztlfebppk.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\SysWOW64\rbxokbokapyvovlzpk.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\SysWOW64\irmcxnzujxfbtzobq.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\SysWOW64\cnkczrfctjtrltkzqmg.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\SysWOW64\pbzsqjywofqpktlbtqlx.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\SysWOW64\erqkjdtsldpplvofywsfe.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\SysWOW64\irmcxnzujxfbtzobq.exe C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
File opened for modification C:\Windows\SysWOW64\rbxokbokapyvovlzpk.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\SysWOW64\cnkczrfctjtrltkzqmg.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\SysWOW64\cnkczrfctjtrltkzqmg.exe C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
File opened for modification C:\Windows\SysWOW64\bjdsmbmguhojaftf.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\SysWOW64\rbxokbokapyvovlzpk.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\SysWOW64\erqkjdtsldpplvofywsfe.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File created C:\Windows\SysWOW64\bdraoxcqyfgvgfntbozbpymvaowdeted.rzm C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
File opened for modification C:\Windows\SysWOW64\irmcxnzujxfbtzobq.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\SysWOW64\cnkczrfctjtrltkzqmg.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\SysWOW64\bjdsmbmguhojaftf.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\SysWOW64\rbxokbokapyvovlzpk.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\SysWOW64\bjdsmbmguhojaftf.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\SysWOW64\vjjeezqqkdqroztlfebppk.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\SysWOW64\bjdsmbmguhojaftf.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\SysWOW64\erqkjdtsldpplvofywsfe.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\SysWOW64\vjjeezqqkdqroztlfebppk.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\SysWOW64\pbzsqjywofqpktlbtqlx.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\SysWOW64\pbzsqjywofqpktlbtqlx.exe C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
File opened for modification C:\Windows\SysWOW64\gxaybztwtpfjjxupmoofi.jhb C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
File opened for modification C:\Windows\SysWOW64\bdraoxcqyfgvgfntbozbpymvaowdeted.rzm C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
File opened for modification C:\Windows\SysWOW64\cnkczrfctjtrltkzqmg.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\bdraoxcqyfgvgfntbozbpymvaowdeted.rzm C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
File created C:\Program Files (x86)\bdraoxcqyfgvgfntbozbpymvaowdeted.rzm C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
File opened for modification C:\Program Files (x86)\gxaybztwtpfjjxupmoofi.jhb C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
File created C:\Program Files (x86)\gxaybztwtpfjjxupmoofi.jhb C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\cnkczrfctjtrltkzqmg.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\pbzsqjywofqpktlbtqlx.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\bjdsmbmguhojaftf.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\rbxokbokapyvovlzpk.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\erqkjdtsldpplvofywsfe.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\erqkjdtsldpplvofywsfe.exe C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
File opened for modification C:\Windows\rbxokbokapyvovlzpk.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\pbzsqjywofqpktlbtqlx.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\vjjeezqqkdqroztlfebppk.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\bjdsmbmguhojaftf.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\rbxokbokapyvovlzpk.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\erqkjdtsldpplvofywsfe.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\irmcxnzujxfbtzobq.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\irmcxnzujxfbtzobq.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\rbxokbokapyvovlzpk.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\cnkczrfctjtrltkzqmg.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\bjdsmbmguhojaftf.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\bjdsmbmguhojaftf.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\erqkjdtsldpplvofywsfe.exe C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
File opened for modification C:\Windows\vjjeezqqkdqroztlfebppk.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\rbxokbokapyvovlzpk.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\irmcxnzujxfbtzobq.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\vjjeezqqkdqroztlfebppk.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\rbxokbokapyvovlzpk.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\bjdsmbmguhojaftf.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\erqkjdtsldpplvofywsfe.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\cnkczrfctjtrltkzqmg.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\erqkjdtsldpplvofywsfe.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\rbxokbokapyvovlzpk.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\rbxokbokapyvovlzpk.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\vjjeezqqkdqroztlfebppk.exe C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
File opened for modification C:\Windows\cnkczrfctjtrltkzqmg.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\rbxokbokapyvovlzpk.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\irmcxnzujxfbtzobq.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\cnkczrfctjtrltkzqmg.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\vjjeezqqkdqroztlfebppk.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\pbzsqjywofqpktlbtqlx.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\irmcxnzujxfbtzobq.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\cnkczrfctjtrltkzqmg.exe C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
File opened for modification C:\Windows\rbxokbokapyvovlzpk.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\pbzsqjywofqpktlbtqlx.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\erqkjdtsldpplvofywsfe.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\rbxokbokapyvovlzpk.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\vjjeezqqkdqroztlfebppk.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\vjjeezqqkdqroztlfebppk.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\pbzsqjywofqpktlbtqlx.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\pbzsqjywofqpktlbtqlx.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\pbzsqjywofqpktlbtqlx.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\cnkczrfctjtrltkzqmg.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\rbxokbokapyvovlzpk.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\bjdsmbmguhojaftf.exe C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
File opened for modification C:\Windows\irmcxnzujxfbtzobq.exe C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
File opened for modification C:\Windows\vjjeezqqkdqroztlfebppk.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\erqkjdtsldpplvofywsfe.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\cnkczrfctjtrltkzqmg.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\pbzsqjywofqpktlbtqlx.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\vjjeezqqkdqroztlfebppk.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\rbxokbokapyvovlzpk.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\cnkczrfctjtrltkzqmg.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\vjjeezqqkdqroztlfebppk.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\irmcxnzujxfbtzobq.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\cnkczrfctjtrltkzqmg.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\irmcxnzujxfbtzobq.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
File opened for modification C:\Windows\irmcxnzujxfbtzobq.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\erqkjdtsldpplvofywsfe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\bjdsmbmguhojaftf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\irmcxnzujxfbtzobq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\irmcxnzujxfbtzobq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\cnkczrfctjtrltkzqmg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\irmcxnzujxfbtzobq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\rbxokbokapyvovlzpk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\erqkjdtsldpplvofywsfe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\cnkczrfctjtrltkzqmg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\rbxokbokapyvovlzpk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\irmcxnzujxfbtzobq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\pbzsqjywofqpktlbtqlx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\cnkczrfctjtrltkzqmg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\erqkjdtsldpplvofywsfe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\pbzsqjywofqpktlbtqlx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\rbxokbokapyvovlzpk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\erqkjdtsldpplvofywsfe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\irmcxnzujxfbtzobq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\bjdsmbmguhojaftf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\cnkczrfctjtrltkzqmg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\bjdsmbmguhojaftf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\bjdsmbmguhojaftf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\bjdsmbmguhojaftf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\cnkczrfctjtrltkzqmg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\pbzsqjywofqpktlbtqlx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\bjdsmbmguhojaftf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2624 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe
PID 2624 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe
PID 2624 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe
PID 972 wrote to memory of 4460 N/A C:\Windows\system32\cmd.exe C:\Windows\bjdsmbmguhojaftf.exe
PID 972 wrote to memory of 4460 N/A C:\Windows\system32\cmd.exe C:\Windows\bjdsmbmguhojaftf.exe
PID 972 wrote to memory of 4460 N/A C:\Windows\system32\cmd.exe C:\Windows\bjdsmbmguhojaftf.exe
PID 4536 wrote to memory of 4496 N/A C:\Windows\system32\cmd.exe C:\Windows\bjdsmbmguhojaftf.exe
PID 4536 wrote to memory of 4496 N/A C:\Windows\system32\cmd.exe C:\Windows\bjdsmbmguhojaftf.exe
PID 4536 wrote to memory of 4496 N/A C:\Windows\system32\cmd.exe C:\Windows\bjdsmbmguhojaftf.exe
PID 4496 wrote to memory of 2840 N/A C:\Windows\bjdsmbmguhojaftf.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe
PID 4496 wrote to memory of 2840 N/A C:\Windows\bjdsmbmguhojaftf.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe
PID 4496 wrote to memory of 2840 N/A C:\Windows\bjdsmbmguhojaftf.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe
PID 4788 wrote to memory of 4616 N/A C:\Windows\system32\cmd.exe C:\Windows\erqkjdtsldpplvofywsfe.exe
PID 4788 wrote to memory of 4616 N/A C:\Windows\system32\cmd.exe C:\Windows\erqkjdtsldpplvofywsfe.exe
PID 4788 wrote to memory of 4616 N/A C:\Windows\system32\cmd.exe C:\Windows\erqkjdtsldpplvofywsfe.exe
PID 5068 wrote to memory of 4632 N/A C:\Windows\system32\cmd.exe C:\Windows\bjdsmbmguhojaftf.exe
PID 5068 wrote to memory of 4632 N/A C:\Windows\system32\cmd.exe C:\Windows\bjdsmbmguhojaftf.exe
PID 5068 wrote to memory of 4632 N/A C:\Windows\system32\cmd.exe C:\Windows\bjdsmbmguhojaftf.exe
PID 4960 wrote to memory of 1212 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe
PID 4960 wrote to memory of 1212 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe
PID 4960 wrote to memory of 1212 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe
PID 4632 wrote to memory of 4912 N/A C:\Windows\bjdsmbmguhojaftf.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe
PID 4632 wrote to memory of 4912 N/A C:\Windows\bjdsmbmguhojaftf.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe
PID 4632 wrote to memory of 4912 N/A C:\Windows\bjdsmbmguhojaftf.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe
PID 336 wrote to memory of 4920 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe
PID 336 wrote to memory of 4920 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe
PID 336 wrote to memory of 4920 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe
PID 5208 wrote to memory of 1128 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Conhost.exe
PID 5208 wrote to memory of 1128 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Conhost.exe
PID 5208 wrote to memory of 1128 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Conhost.exe
PID 4920 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe
PID 4920 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe
PID 4920 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe
PID 1180 wrote to memory of 4712 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe
PID 1180 wrote to memory of 4712 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe
PID 1180 wrote to memory of 4712 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe
PID 4712 wrote to memory of 5660 N/A C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe
PID 4712 wrote to memory of 5660 N/A C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe
PID 4712 wrote to memory of 5660 N/A C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe
PID 2712 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe
PID 2712 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe
PID 2712 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe
PID 2712 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe
PID 2712 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe
PID 2712 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe
PID 3004 wrote to memory of 4040 N/A C:\Windows\system32\cmd.exe C:\Windows\erqkjdtsldpplvofywsfe.exe
PID 3004 wrote to memory of 4040 N/A C:\Windows\system32\cmd.exe C:\Windows\erqkjdtsldpplvofywsfe.exe
PID 3004 wrote to memory of 4040 N/A C:\Windows\system32\cmd.exe C:\Windows\erqkjdtsldpplvofywsfe.exe
PID 2332 wrote to memory of 2652 N/A C:\Windows\system32\cmd.exe C:\Windows\cnkczrfctjtrltkzqmg.exe
PID 2332 wrote to memory of 2652 N/A C:\Windows\system32\cmd.exe C:\Windows\cnkczrfctjtrltkzqmg.exe
PID 2332 wrote to memory of 2652 N/A C:\Windows\system32\cmd.exe C:\Windows\cnkczrfctjtrltkzqmg.exe
PID 5864 wrote to memory of 760 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Conhost.exe
PID 5864 wrote to memory of 760 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Conhost.exe
PID 5864 wrote to memory of 760 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Conhost.exe
PID 2652 wrote to memory of 3512 N/A C:\Windows\pbzsqjywofqpktlbtqlx.exe C:\Windows\system32\cmd.exe
PID 2652 wrote to memory of 3512 N/A C:\Windows\pbzsqjywofqpktlbtqlx.exe C:\Windows\system32\cmd.exe
PID 2652 wrote to memory of 3512 N/A C:\Windows\pbzsqjywofqpktlbtqlx.exe C:\Windows\system32\cmd.exe
PID 2500 wrote to memory of 6120 N/A C:\Windows\system32\cmd.exe C:\Windows\irmcxnzujxfbtzobq.exe
PID 2500 wrote to memory of 6120 N/A C:\Windows\system32\cmd.exe C:\Windows\irmcxnzujxfbtzobq.exe
PID 2500 wrote to memory of 6120 N/A C:\Windows\system32\cmd.exe C:\Windows\irmcxnzujxfbtzobq.exe
PID 3132 wrote to memory of 3068 N/A C:\Windows\system32\cmd.exe C:\Windows\bjdsmbmguhojaftf.exe
PID 3132 wrote to memory of 3068 N/A C:\Windows\system32\cmd.exe C:\Windows\bjdsmbmguhojaftf.exe
PID 3132 wrote to memory of 3068 N/A C:\Windows\system32\cmd.exe C:\Windows\bjdsmbmguhojaftf.exe
PID 880 wrote to memory of 5244 N/A C:\Windows\system32\cmd.exe C:\Windows\rbxokbokapyvovlzpk.exe

System policy modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe"

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe*"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe

C:\Windows\bjdsmbmguhojaftf.exe

bjdsmbmguhojaftf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe .

C:\Windows\bjdsmbmguhojaftf.exe

bjdsmbmguhojaftf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c erqkjdtsldpplvofywsfe.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\bjdsmbmguhojaftf.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe .

C:\Windows\erqkjdtsldpplvofywsfe.exe

erqkjdtsldpplvofywsfe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Windows\bjdsmbmguhojaftf.exe

bjdsmbmguhojaftf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .

C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\bjdsmbmguhojaftf.exe*."

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe .

C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\bjdsmbmguhojaftf.exe*."

C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\pbzsqjywofqpktlbtqlx.exe*."

C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe

"C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe" "-C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe"

C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe

"C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe" "-C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c erqkjdtsldpplvofywsfe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe

C:\Windows\erqkjdtsldpplvofywsfe.exe

erqkjdtsldpplvofywsfe.exe

C:\Windows\pbzsqjywofqpktlbtqlx.exe

pbzsqjywofqpktlbtqlx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe

C:\Windows\cnkczrfctjtrltkzqmg.exe

cnkczrfctjtrltkzqmg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rbxokbokapyvovlzpk.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rbxokbokapyvovlzpk.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\pbzsqjywofqpktlbtqlx.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rbxokbokapyvovlzpk.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Windows\bjdsmbmguhojaftf.exe

bjdsmbmguhojaftf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe .

C:\Windows\rbxokbokapyvovlzpk.exe

rbxokbokapyvovlzpk.exe .

C:\Windows\rbxokbokapyvovlzpk.exe

rbxokbokapyvovlzpk.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rbxokbokapyvovlzpk.exe

C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe .

C:\Windows\rbxokbokapyvovlzpk.exe

rbxokbokapyvovlzpk.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c irmcxnzujxfbtzobq.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\rbxokbokapyvovlzpk.exe*."

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Windows\cnkczrfctjtrltkzqmg.exe

cnkczrfctjtrltkzqmg.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\rbxokbokapyvovlzpk.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\pbzsqjywofqpktlbtqlx.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe .

C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe .

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .

C:\Windows\rbxokbokapyvovlzpk.exe

rbxokbokapyvovlzpk.exe

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\cnkczrfctjtrltkzqmg.exe*."

C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe .

C:\Windows\irmcxnzujxfbtzobq.exe

irmcxnzujxfbtzobq.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\bjdsmbmguhojaftf.exe*."

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\irmcxnzujxfbtzobq.exe*."

C:\Windows\pbzsqjywofqpktlbtqlx.exe

pbzsqjywofqpktlbtqlx.exe .

C:\Windows\bjdsmbmguhojaftf.exe

bjdsmbmguhojaftf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\pbzsqjywofqpktlbtqlx.exe*."

C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\irmcxnzujxfbtzobq.exe*."

C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\pbzsqjywofqpktlbtqlx.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .

C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe

C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .

C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe

C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\pbzsqjywofqpktlbtqlx.exe*."

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\erqkjdtsldpplvofywsfe.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe

C:\Windows\cnkczrfctjtrltkzqmg.exe

cnkczrfctjtrltkzqmg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c irmcxnzujxfbtzobq.exe .

C:\Windows\irmcxnzujxfbtzobq.exe

irmcxnzujxfbtzobq.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rbxokbokapyvovlzpk.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\irmcxnzujxfbtzobq.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rbxokbokapyvovlzpk.exe .

C:\Windows\rbxokbokapyvovlzpk.exe

rbxokbokapyvovlzpk.exe

C:\Windows\rbxokbokapyvovlzpk.exe

rbxokbokapyvovlzpk.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe .

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Windows\cnkczrfctjtrltkzqmg.exe

cnkczrfctjtrltkzqmg.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\rbxokbokapyvovlzpk.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rbxokbokapyvovlzpk.exe .

C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe .

C:\Windows\rbxokbokapyvovlzpk.exe

rbxokbokapyvovlzpk.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\pbzsqjywofqpktlbtqlx.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\rbxokbokapyvovlzpk.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rbxokbokapyvovlzpk.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c irmcxnzujxfbtzobq.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe .

C:\Windows\irmcxnzujxfbtzobq.exe

irmcxnzujxfbtzobq.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe

C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Windows\rbxokbokapyvovlzpk.exe

rbxokbokapyvovlzpk.exe

C:\Windows\cnkczrfctjtrltkzqmg.exe

cnkczrfctjtrltkzqmg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe .

C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rbxokbokapyvovlzpk.exe

C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe

C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe .

C:\Windows\bjdsmbmguhojaftf.exe

bjdsmbmguhojaftf.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\cnkczrfctjtrltkzqmg.exe*."

C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\pbzsqjywofqpktlbtqlx.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe .

C:\Windows\cnkczrfctjtrltkzqmg.exe

cnkczrfctjtrltkzqmg.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\bjdsmbmguhojaftf.exe*."

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\pbzsqjywofqpktlbtqlx.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe .

C:\Windows\rbxokbokapyvovlzpk.exe

rbxokbokapyvovlzpk.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c irmcxnzujxfbtzobq.exe

C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe

C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\cnkczrfctjtrltkzqmg.exe*."

C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe

C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe

C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe

C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c erqkjdtsldpplvofywsfe.exe .

C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe .

C:\Windows\irmcxnzujxfbtzobq.exe

irmcxnzujxfbtzobq.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\rbxokbokapyvovlzpk.exe*."

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\erqkjdtsldpplvofywsfe.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rbxokbokapyvovlzpk.exe

C:\Windows\erqkjdtsldpplvofywsfe.exe

erqkjdtsldpplvofywsfe.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\cnkczrfctjtrltkzqmg.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\rbxokbokapyvovlzpk.exe

rbxokbokapyvovlzpk.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\erqkjdtsldpplvofywsfe.exe*."

C:\Windows\cnkczrfctjtrltkzqmg.exe

cnkczrfctjtrltkzqmg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe .

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\cnkczrfctjtrltkzqmg.exe*."

C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe .

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\irmcxnzujxfbtzobq.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe .

C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\irmcxnzujxfbtzobq.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe

C:\Windows\pbzsqjywofqpktlbtqlx.exe

pbzsqjywofqpktlbtqlx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c erqkjdtsldpplvofywsfe.exe .

C:\Windows\erqkjdtsldpplvofywsfe.exe

erqkjdtsldpplvofywsfe.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\erqkjdtsldpplvofywsfe.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe .

C:\Windows\bjdsmbmguhojaftf.exe

bjdsmbmguhojaftf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Windows\cnkczrfctjtrltkzqmg.exe

cnkczrfctjtrltkzqmg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe .

C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\cnkczrfctjtrltkzqmg.exe*."

C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\irmcxnzujxfbtzobq.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe .

C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\irmcxnzujxfbtzobq.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe

C:\Windows\pbzsqjywofqpktlbtqlx.exe

pbzsqjywofqpktlbtqlx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c erqkjdtsldpplvofywsfe.exe .

C:\Windows\erqkjdtsldpplvofywsfe.exe

erqkjdtsldpplvofywsfe.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rbxokbokapyvovlzpk.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\erqkjdtsldpplvofywsfe.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe .

C:\Windows\rbxokbokapyvovlzpk.exe

rbxokbokapyvovlzpk.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Windows\pbzsqjywofqpktlbtqlx.exe

pbzsqjywofqpktlbtqlx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\pbzsqjywofqpktlbtqlx.exe*."

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\bjdsmbmguhojaftf.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .

C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe

C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe

C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe

C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\erqkjdtsldpplvofywsfe.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c erqkjdtsldpplvofywsfe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe .

C:\Windows\erqkjdtsldpplvofywsfe.exe

erqkjdtsldpplvofywsfe.exe

C:\Windows\bjdsmbmguhojaftf.exe

bjdsmbmguhojaftf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c erqkjdtsldpplvofywsfe.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\bjdsmbmguhojaftf.exe*."

C:\Windows\erqkjdtsldpplvofywsfe.exe

erqkjdtsldpplvofywsfe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Windows\pbzsqjywofqpktlbtqlx.exe

pbzsqjywofqpktlbtqlx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe .

C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\pbzsqjywofqpktlbtqlx.exe*."

C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\cnkczrfctjtrltkzqmg.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .

C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe

C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\erqkjdtsldpplvofywsfe.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe

C:\Windows\cnkczrfctjtrltkzqmg.exe

cnkczrfctjtrltkzqmg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe .

C:\Windows\bjdsmbmguhojaftf.exe

bjdsmbmguhojaftf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\bjdsmbmguhojaftf.exe*."

C:\Windows\cnkczrfctjtrltkzqmg.exe

cnkczrfctjtrltkzqmg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c irmcxnzujxfbtzobq.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Windows\irmcxnzujxfbtzobq.exe

irmcxnzujxfbtzobq.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe .

C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\irmcxnzujxfbtzobq.exe*."

C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\cnkczrfctjtrltkzqmg.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe .

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\irmcxnzujxfbtzobq.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c erqkjdtsldpplvofywsfe.exe

C:\Windows\erqkjdtsldpplvofywsfe.exe

erqkjdtsldpplvofywsfe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c irmcxnzujxfbtzobq.exe .

C:\Windows\irmcxnzujxfbtzobq.exe

irmcxnzujxfbtzobq.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\irmcxnzujxfbtzobq.exe*."

C:\Windows\pbzsqjywofqpktlbtqlx.exe

pbzsqjywofqpktlbtqlx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\pbzsqjywofqpktlbtqlx.exe

pbzsqjywofqpktlbtqlx.exe .

C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe

C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\pbzsqjywofqpktlbtqlx.exe*."

C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe

C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\rbxokbokapyvovlzpk.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe .

C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe

C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe

C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\cnkczrfctjtrltkzqmg.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c erqkjdtsldpplvofywsfe.exe

C:\Windows\erqkjdtsldpplvofywsfe.exe

erqkjdtsldpplvofywsfe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c erqkjdtsldpplvofywsfe.exe .

C:\Windows\erqkjdtsldpplvofywsfe.exe

erqkjdtsldpplvofywsfe.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rbxokbokapyvovlzpk.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\erqkjdtsldpplvofywsfe.exe*."

C:\Windows\cnkczrfctjtrltkzqmg.exe

cnkczrfctjtrltkzqmg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\bjdsmbmguhojaftf.exe

bjdsmbmguhojaftf.exe

C:\Windows\rbxokbokapyvovlzpk.exe

rbxokbokapyvovlzpk.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .

C:\Windows\cnkczrfctjtrltkzqmg.exe

cnkczrfctjtrltkzqmg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c erqkjdtsldpplvofywsfe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c irmcxnzujxfbtzobq.exe .

C:\Windows\cnkczrfctjtrltkzqmg.exe

cnkczrfctjtrltkzqmg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c erqkjdtsldpplvofywsfe.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\cnkczrfctjtrltkzqmg.exe*."

C:\Windows\pbzsqjywofqpktlbtqlx.exe

pbzsqjywofqpktlbtqlx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .

C:\Windows\erqkjdtsldpplvofywsfe.exe

erqkjdtsldpplvofywsfe.exe

C:\Windows\irmcxnzujxfbtzobq.exe

irmcxnzujxfbtzobq.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\cnkczrfctjtrltkzqmg.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\pbzsqjywofqpktlbtqlx.exe*."

C:\Windows\cnkczrfctjtrltkzqmg.exe

cnkczrfctjtrltkzqmg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Windows\erqkjdtsldpplvofywsfe.exe

erqkjdtsldpplvofywsfe.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\irmcxnzujxfbtzobq.exe*."

C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe

C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe .

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .

C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe

C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .

C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe .

C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe

C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\erqkjdtsldpplvofywsfe.exe*."

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\rbxokbokapyvovlzpk.exe*."

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\bjdsmbmguhojaftf.exe*."

C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\erqkjdtsldpplvofywsfe.exe*."

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\irmcxnzujxfbtzobq.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\pbzsqjywofqpktlbtqlx.exe*."

C:\Windows\bjdsmbmguhojaftf.exe

bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe .

C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Windows\bjdsmbmguhojaftf.exe

bjdsmbmguhojaftf.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\bjdsmbmguhojaftf.exe*."

C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\bjdsmbmguhojaftf.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\pbzsqjywofqpktlbtqlx.exe

pbzsqjywofqpktlbtqlx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

C:\Windows\cnkczrfctjtrltkzqmg.exe

cnkczrfctjtrltkzqmg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\cnkczrfctjtrltkzqmg.exe*."

C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe

C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\erqkjdtsldpplvofywsfe.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe .

C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe

C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\rbxokbokapyvovlzpk.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe

C:\Windows\cnkczrfctjtrltkzqmg.exe

cnkczrfctjtrltkzqmg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe .

C:\Windows\pbzsqjywofqpktlbtqlx.exe

pbzsqjywofqpktlbtqlx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\pbzsqjywofqpktlbtqlx.exe*."

C:\Windows\pbzsqjywofqpktlbtqlx.exe

pbzsqjywofqpktlbtqlx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Windows\cnkczrfctjtrltkzqmg.exe

cnkczrfctjtrltkzqmg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe .

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\cnkczrfctjtrltkzqmg.exe*."

C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe

C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\rbxokbokapyvovlzpk.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe .

C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe

C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe

C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe

C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\rbxokbokapyvovlzpk.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rbxokbokapyvovlzpk.exe

C:\Windows\rbxokbokapyvovlzpk.exe

rbxokbokapyvovlzpk.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rbxokbokapyvovlzpk.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\rbxokbokapyvovlzpk.exe

rbxokbokapyvovlzpk.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c erqkjdtsldpplvofywsfe.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\rbxokbokapyvovlzpk.exe*."

C:\Windows\erqkjdtsldpplvofywsfe.exe

erqkjdtsldpplvofywsfe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c erqkjdtsldpplvofywsfe.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Windows\erqkjdtsldpplvofywsfe.exe

erqkjdtsldpplvofywsfe.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe .

C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\erqkjdtsldpplvofywsfe.exe*."

C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\cnkczrfctjtrltkzqmg.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .

C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe

C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\erqkjdtsldpplvofywsfe.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c irmcxnzujxfbtzobq.exe

C:\Windows\irmcxnzujxfbtzobq.exe

irmcxnzujxfbtzobq.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe .

C:\Windows\cnkczrfctjtrltkzqmg.exe

cnkczrfctjtrltkzqmg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rbxokbokapyvovlzpk.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\cnkczrfctjtrltkzqmg.exe*."

C:\Windows\cnkczrfctjtrltkzqmg.exe

cnkczrfctjtrltkzqmg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Windows\rbxokbokapyvovlzpk.exe

rbxokbokapyvovlzpk.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe .

C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\rbxokbokapyvovlzpk.exe*."

C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe

C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\rbxokbokapyvovlzpk.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .

C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\bjdsmbmguhojaftf.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c irmcxnzujxfbtzobq.exe

C:\Windows\irmcxnzujxfbtzobq.exe

irmcxnzujxfbtzobq.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe .

C:\Windows\cnkczrfctjtrltkzqmg.exe

cnkczrfctjtrltkzqmg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rbxokbokapyvovlzpk.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\cnkczrfctjtrltkzqmg.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe .

C:\Windows\rbxokbokapyvovlzpk.exe

rbxokbokapyvovlzpk.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\bjdsmbmguhojaftf.exe

bjdsmbmguhojaftf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .

C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\bjdsmbmguhojaftf.exe*."

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\bjdsmbmguhojaftf.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe .

C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\irmcxnzujxfbtzobq.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c irmcxnzujxfbtzobq.exe

C:\Windows\irmcxnzujxfbtzobq.exe

irmcxnzujxfbtzobq.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c irmcxnzujxfbtzobq.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\irmcxnzujxfbtzobq.exe

irmcxnzujxfbtzobq.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\irmcxnzujxfbtzobq.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe

C:\Windows\bjdsmbmguhojaftf.exe

bjdsmbmguhojaftf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\pbzsqjywofqpktlbtqlx.exe

pbzsqjywofqpktlbtqlx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Windows\bjdsmbmguhojaftf.exe

bjdsmbmguhojaftf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe .

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe .

C:\Windows\bjdsmbmguhojaftf.exe

bjdsmbmguhojaftf.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\bjdsmbmguhojaftf.exe*."

C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\bjdsmbmguhojaftf.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c erqkjdtsldpplvofywsfe.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\cnkczrfctjtrltkzqmg.exe*."

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe

C:\Windows\bjdsmbmguhojaftf.exe

bjdsmbmguhojaftf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe .

C:\Windows\pbzsqjywofqpktlbtqlx.exe

pbzsqjywofqpktlbtqlx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\erqkjdtsldpplvofywsfe.exe

erqkjdtsldpplvofywsfe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe .

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe

C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\pbzsqjywofqpktlbtqlx.exe*."

C:\Windows\bjdsmbmguhojaftf.exe

bjdsmbmguhojaftf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe .

C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\bjdsmbmguhojaftf.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c erqkjdtsldpplvofywsfe.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\bjdsmbmguhojaftf.exe*."

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\pbzsqjywofqpktlbtqlx.exe*."

C:\Windows\cnkczrfctjtrltkzqmg.exe

cnkczrfctjtrltkzqmg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Windows\cnkczrfctjtrltkzqmg.exe

cnkczrfctjtrltkzqmg.exe .

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .

C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe

C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .

C:\Windows\erqkjdtsldpplvofywsfe.exe

erqkjdtsldpplvofywsfe.exe

C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe

C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rbxokbokapyvovlzpk.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\bjdsmbmguhojaftf.exe*."

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\cnkczrfctjtrltkzqmg.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c irmcxnzujxfbtzobq.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\erqkjdtsldpplvofywsfe.exe*."

C:\Windows\bjdsmbmguhojaftf.exe

bjdsmbmguhojaftf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\bjdsmbmguhojaftf.exe*."

C:\Windows\irmcxnzujxfbtzobq.exe

irmcxnzujxfbtzobq.exe .

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\bjdsmbmguhojaftf.exe*."

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\irmcxnzujxfbtzobq.exe*."

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\bjdsmbmguhojaftf.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

C:\Windows\rbxokbokapyvovlzpk.exe

rbxokbokapyvovlzpk.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe .

C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\irmcxnzujxfbtzobq.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\pbzsqjywofqpktlbtqlx.exe

pbzsqjywofqpktlbtqlx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c irmcxnzujxfbtzobq.exe .

C:\Windows\irmcxnzujxfbtzobq.exe

irmcxnzujxfbtzobq.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rbxokbokapyvovlzpk.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\irmcxnzujxfbtzobq.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c erqkjdtsldpplvofywsfe.exe .

C:\Windows\rbxokbokapyvovlzpk.exe

rbxokbokapyvovlzpk.exe

C:\Windows\erqkjdtsldpplvofywsfe.exe

erqkjdtsldpplvofywsfe.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\erqkjdtsldpplvofywsfe.exe*."

C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\cnkczrfctjtrltkzqmg.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe .

C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\irmcxnzujxfbtzobq.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\pbzsqjywofqpktlbtqlx.exe

pbzsqjywofqpktlbtqlx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe .

C:\Windows\pbzsqjywofqpktlbtqlx.exe

pbzsqjywofqpktlbtqlx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rbxokbokapyvovlzpk.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\pbzsqjywofqpktlbtqlx.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe .

C:\Windows\rbxokbokapyvovlzpk.exe

rbxokbokapyvovlzpk.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Windows\pbzsqjywofqpktlbtqlx.exe

pbzsqjywofqpktlbtqlx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .

C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\pbzsqjywofqpktlbtqlx.exe*."

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\bjdsmbmguhojaftf.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe .

C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe

C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\rbxokbokapyvovlzpk.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\pbzsqjywofqpktlbtqlx.exe

pbzsqjywofqpktlbtqlx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe .

C:\Windows\bjdsmbmguhojaftf.exe

bjdsmbmguhojaftf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\bjdsmbmguhojaftf.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c erqkjdtsldpplvofywsfe.exe .

C:\Windows\cnkczrfctjtrltkzqmg.exe

cnkczrfctjtrltkzqmg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\erqkjdtsldpplvofywsfe.exe

erqkjdtsldpplvofywsfe.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\erqkjdtsldpplvofywsfe.exe*."

C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe

C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\erqkjdtsldpplvofywsfe.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .

C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\bjdsmbmguhojaftf.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe

C:\Windows\bjdsmbmguhojaftf.exe

bjdsmbmguhojaftf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c erqkjdtsldpplvofywsfe.exe .

C:\Windows\erqkjdtsldpplvofywsfe.exe

erqkjdtsldpplvofywsfe.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c irmcxnzujxfbtzobq.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\erqkjdtsldpplvofywsfe.exe*."

C:\Windows\irmcxnzujxfbtzobq.exe

irmcxnzujxfbtzobq.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\bjdsmbmguhojaftf.exe

bjdsmbmguhojaftf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .

C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe

C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\bjdsmbmguhojaftf.exe*."

C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe

C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\erqkjdtsldpplvofywsfe.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .

C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe

C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\bjdsmbmguhojaftf.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\pbzsqjywofqpktlbtqlx.exe

pbzsqjywofqpktlbtqlx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rbxokbokapyvovlzpk.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\rbxokbokapyvovlzpk.exe

rbxokbokapyvovlzpk.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c irmcxnzujxfbtzobq.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\rbxokbokapyvovlzpk.exe*."

C:\Windows\irmcxnzujxfbtzobq.exe

irmcxnzujxfbtzobq.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c erqkjdtsldpplvofywsfe.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

C:\Windows\erqkjdtsldpplvofywsfe.exe

erqkjdtsldpplvofywsfe.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe .

C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\erqkjdtsldpplvofywsfe.exe*."

C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\pbzsqjywofqpktlbtqlx.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe .

C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe

C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe

C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\irmcxnzujxfbtzobq.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe

C:\Windows\bjdsmbmguhojaftf.exe

bjdsmbmguhojaftf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe

C:\Windows\pbzsqjywofqpktlbtqlx.exe

pbzsqjywofqpktlbtqlx.exe .

C:\Windows\cnkczrfctjtrltkzqmg.exe

cnkczrfctjtrltkzqmg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\pbzsqjywofqpktlbtqlx.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe .

C:\Windows\bjdsmbmguhojaftf.exe

bjdsmbmguhojaftf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe

C:\Windows\cnkczrfctjtrltkzqmg.exe

cnkczrfctjtrltkzqmg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

C:\Windows\pbzsqjywofqpktlbtqlx.exe

pbzsqjywofqpktlbtqlx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c irmcxnzujxfbtzobq.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c erqkjdtsldpplvofywsfe.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\cnkczrfctjtrltkzqmg.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\pbzsqjywofqpktlbtqlx.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rbxokbokapyvovlzpk.exe

C:\Windows\pbzsqjywofqpktlbtqlx.exe

pbzsqjywofqpktlbtqlx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe .

C:\Windows\irmcxnzujxfbtzobq.exe

irmcxnzujxfbtzobq.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c irmcxnzujxfbtzobq.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

C:\Windows\erqkjdtsldpplvofywsfe.exe

erqkjdtsldpplvofywsfe.exe .

C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe

C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe

C:\Windows\pbzsqjywofqpktlbtqlx.exe

pbzsqjywofqpktlbtqlx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\cnkczrfctjtrltkzqmg.exe*."

C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe .

C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Windows\irmcxnzujxfbtzobq.exe

irmcxnzujxfbtzobq.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\cnkczrfctjtrltkzqmg.exe*."

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\pbzsqjywofqpktlbtqlx.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Windows\rbxokbokapyvovlzpk.exe

rbxokbokapyvovlzpk.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\erqkjdtsldpplvofywsfe.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .

C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe

C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\irmcxnzujxfbtzobq.exe*."

C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe .

C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe .

C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe

C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\erqkjdtsldpplvofywsfe.exe*."

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\cnkczrfctjtrltkzqmg.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\pbzsqjywofqpktlbtqlx.exe*."

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\erqkjdtsldpplvofywsfe.exe*."

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Windows\bjdsmbmguhojaftf.exe

bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c erqkjdtsldpplvofywsfe.exe .

C:\Windows\erqkjdtsldpplvofywsfe.exe

erqkjdtsldpplvofywsfe.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rbxokbokapyvovlzpk.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\erqkjdtsldpplvofywsfe.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe .

C:\Windows\rbxokbokapyvovlzpk.exe

rbxokbokapyvovlzpk.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Windows\pbzsqjywofqpktlbtqlx.exe

pbzsqjywofqpktlbtqlx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .

C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\pbzsqjywofqpktlbtqlx.exe*."

C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe

C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\erqkjdtsldpplvofywsfe.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\irmcxnzujxfbtzobq.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe

C:\Windows\pbzsqjywofqpktlbtqlx.exe

pbzsqjywofqpktlbtqlx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rbxokbokapyvovlzpk.exe .

C:\Windows\rbxokbokapyvovlzpk.exe

rbxokbokapyvovlzpk.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rbxokbokapyvovlzpk.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\rbxokbokapyvovlzpk.exe*."

C:\Windows\rbxokbokapyvovlzpk.exe

rbxokbokapyvovlzpk.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Windows\pbzsqjywofqpktlbtqlx.exe

pbzsqjywofqpktlbtqlx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .

C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\pbzsqjywofqpktlbtqlx.exe*."

C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe

C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\erqkjdtsldpplvofywsfe.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe .

C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe

C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe

C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\cnkczrfctjtrltkzqmg.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe

C:\Windows\bjdsmbmguhojaftf.exe

bjdsmbmguhojaftf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\bjdsmbmguhojaftf.exe

bjdsmbmguhojaftf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\bjdsmbmguhojaftf.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c irmcxnzujxfbtzobq.exe .

C:\Windows\bjdsmbmguhojaftf.exe

bjdsmbmguhojaftf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

C:\Windows\irmcxnzujxfbtzobq.exe

irmcxnzujxfbtzobq.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .

C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\irmcxnzujxfbtzobq.exe*."

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\bjdsmbmguhojaftf.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe .

C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\cnkczrfctjtrltkzqmg.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe

C:\Windows\bjdsmbmguhojaftf.exe

bjdsmbmguhojaftf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe .

C:\Windows\pbzsqjywofqpktlbtqlx.exe

pbzsqjywofqpktlbtqlx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\pbzsqjywofqpktlbtqlx.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\cnkczrfctjtrltkzqmg.exe

cnkczrfctjtrltkzqmg.exe

C:\Windows\cnkczrfctjtrltkzqmg.exe

cnkczrfctjtrltkzqmg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\cnkczrfctjtrltkzqmg.exe*."

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe .

C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\irmcxnzujxfbtzobq.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .

C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe

C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\bjdsmbmguhojaftf.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c erqkjdtsldpplvofywsfe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rbxokbokapyvovlzpk.exe .

C:\Windows\erqkjdtsldpplvofywsfe.exe

erqkjdtsldpplvofywsfe.exe

C:\Windows\rbxokbokapyvovlzpk.exe

rbxokbokapyvovlzpk.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\rbxokbokapyvovlzpk.exe*."

C:\Windows\pbzsqjywofqpktlbtqlx.exe

pbzsqjywofqpktlbtqlx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

C:\Windows\pbzsqjywofqpktlbtqlx.exe

pbzsqjywofqpktlbtqlx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .

C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\pbzsqjywofqpktlbtqlx.exe*."

C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe

C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\erqkjdtsldpplvofywsfe.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .

C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe

C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\bjdsmbmguhojaftf.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe

C:\Windows\bjdsmbmguhojaftf.exe

bjdsmbmguhojaftf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c irmcxnzujxfbtzobq.exe .

C:\Windows\irmcxnzujxfbtzobq.exe

irmcxnzujxfbtzobq.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c irmcxnzujxfbtzobq.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c erqkjdtsldpplvofywsfe.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\irmcxnzujxfbtzobq.exe*."

C:\Windows\irmcxnzujxfbtzobq.exe

irmcxnzujxfbtzobq.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c irmcxnzujxfbtzobq.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Windows\erqkjdtsldpplvofywsfe.exe

erqkjdtsldpplvofywsfe.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe .

C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Windows\irmcxnzujxfbtzobq.exe

irmcxnzujxfbtzobq.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\erqkjdtsldpplvofywsfe.exe*."

C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe .

C:\Windows\cnkczrfctjtrltkzqmg.exe

cnkczrfctjtrltkzqmg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\cnkczrfctjtrltkzqmg.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\cnkczrfctjtrltkzqmg.exe*."

C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe

C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c irmcxnzujxfbtzobq.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe .

C:\Windows\pbzsqjywofqpktlbtqlx.exe

pbzsqjywofqpktlbtqlx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe .

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Windows\bjdsmbmguhojaftf.exe

bjdsmbmguhojaftf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe .

C:\Windows\irmcxnzujxfbtzobq.exe

irmcxnzujxfbtzobq.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe

C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe

C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe .

C:\Windows\cnkczrfctjtrltkzqmg.exe

cnkczrfctjtrltkzqmg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\bjdsmbmguhojaftf.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\cnkczrfctjtrltkzqmg.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rbxokbokapyvovlzpk.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\rbxokbokapyvovlzpk.exe*."

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\cnkczrfctjtrltkzqmg.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c erqkjdtsldpplvofywsfe.exe

C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rbxokbokapyvovlzpk.exe .

C:\Windows\cnkczrfctjtrltkzqmg.exe

cnkczrfctjtrltkzqmg.exe

C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe

C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe .

C:\Windows\bjdsmbmguhojaftf.exe

bjdsmbmguhojaftf.exe .

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .

C:\Windows\pbzsqjywofqpktlbtqlx.exe

pbzsqjywofqpktlbtqlx.exe

C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\erqkjdtsldpplvofywsfe.exe*."

C:\Windows\erqkjdtsldpplvofywsfe.exe

erqkjdtsldpplvofywsfe.exe

C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\bjdsmbmguhojaftf.exe*."

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\bjdsmbmguhojaftf.exe*."

C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe .

C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .

C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\irmcxnzujxfbtzobq.exe*."

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\cnkczrfctjtrltkzqmg.exe*."

C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe

C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\erqkjdtsldpplvofywsfe.exe*."

C:\Windows\rbxokbokapyvovlzpk.exe

rbxokbokapyvovlzpk.exe .

C:\Windows\rbxokbokapyvovlzpk.exe

rbxokbokapyvovlzpk.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\rbxokbokapyvovlzpk.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rbxokbokapyvovlzpk.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\rbxokbokapyvovlzpk.exe*."

C:\Windows\rbxokbokapyvovlzpk.exe

rbxokbokapyvovlzpk.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe .

C:\Windows\bjdsmbmguhojaftf.exe

bjdsmbmguhojaftf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\bjdsmbmguhojaftf.exe*."

C:\Windows\cnkczrfctjtrltkzqmg.exe

cnkczrfctjtrltkzqmg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c erqkjdtsldpplvofywsfe.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Windows\erqkjdtsldpplvofywsfe.exe

erqkjdtsldpplvofywsfe.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .

C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe

C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\erqkjdtsldpplvofywsfe.exe*."

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\erqkjdtsldpplvofywsfe.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .

C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe

C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\bjdsmbmguhojaftf.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c erqkjdtsldpplvofywsfe.exe

C:\Windows\erqkjdtsldpplvofywsfe.exe

erqkjdtsldpplvofywsfe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe .

C:\Windows\cnkczrfctjtrltkzqmg.exe

cnkczrfctjtrltkzqmg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\cnkczrfctjtrltkzqmg.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rbxokbokapyvovlzpk.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\cnkczrfctjtrltkzqmg.exe

cnkczrfctjtrltkzqmg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Windows\rbxokbokapyvovlzpk.exe

rbxokbokapyvovlzpk.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe .

C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\rbxokbokapyvovlzpk.exe*."

C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\pbzsqjywofqpktlbtqlx.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe .

C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\irmcxnzujxfbtzobq.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rbxokbokapyvovlzpk.exe

C:\Windows\rbxokbokapyvovlzpk.exe

rbxokbokapyvovlzpk.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe .

C:\Windows\cnkczrfctjtrltkzqmg.exe

cnkczrfctjtrltkzqmg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\cnkczrfctjtrltkzqmg.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\bjdsmbmguhojaftf.exe

bjdsmbmguhojaftf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe

C:\Windows\pbzsqjywofqpktlbtqlx.exe

pbzsqjywofqpktlbtqlx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe

C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\pbzsqjywofqpktlbtqlx.exe*."

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\bjdsmbmguhojaftf.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .

C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\bjdsmbmguhojaftf.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe

C:\Windows\cnkczrfctjtrltkzqmg.exe

cnkczrfctjtrltkzqmg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe .

C:\Windows\pbzsqjywofqpktlbtqlx.exe

pbzsqjywofqpktlbtqlx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c erqkjdtsldpplvofywsfe.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\pbzsqjywofqpktlbtqlx.exe*."

C:\Windows\erqkjdtsldpplvofywsfe.exe

erqkjdtsldpplvofywsfe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rbxokbokapyvovlzpk.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Windows\rbxokbokapyvovlzpk.exe

rbxokbokapyvovlzpk.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .

C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\rbxokbokapyvovlzpk.exe*."

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\bjdsmbmguhojaftf.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\bjdsmbmguhojaftf.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rbxokbokapyvovlzpk.exe

C:\Windows\rbxokbokapyvovlzpk.exe

rbxokbokapyvovlzpk.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c erqkjdtsldpplvofywsfe.exe .

C:\Windows\erqkjdtsldpplvofywsfe.exe

erqkjdtsldpplvofywsfe.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\erqkjdtsldpplvofywsfe.exe*."

C:\Windows\pbzsqjywofqpktlbtqlx.exe

pbzsqjywofqpktlbtqlx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe

C:\Windows\bjdsmbmguhojaftf.exe

bjdsmbmguhojaftf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .

C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe

C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\bjdsmbmguhojaftf.exe*."

C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe

C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\erqkjdtsldpplvofywsfe.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe .

C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe

C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe

C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\irmcxnzujxfbtzobq.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe

C:\Windows\cnkczrfctjtrltkzqmg.exe

cnkczrfctjtrltkzqmg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe .

C:\Windows\cnkczrfctjtrltkzqmg.exe

cnkczrfctjtrltkzqmg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c erqkjdtsldpplvofywsfe.exe

C:\Windows\pbzsqjywofqpktlbtqlx.exe

pbzsqjywofqpktlbtqlx.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\cnkczrfctjtrltkzqmg.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rbxokbokapyvovlzpk.exe .

C:\Windows\erqkjdtsldpplvofywsfe.exe

erqkjdtsldpplvofywsfe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c irmcxnzujxfbtzobq.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

C:\Windows\rbxokbokapyvovlzpk.exe

rbxokbokapyvovlzpk.exe .

C:\Windows\irmcxnzujxfbtzobq.exe

irmcxnzujxfbtzobq.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c irmcxnzujxfbtzobq.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\rbxokbokapyvovlzpk.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c erqkjdtsldpplvofywsfe.exe .

C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe .

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\irmcxnzujxfbtzobq.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c irmcxnzujxfbtzobq.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe

C:\Windows\erqkjdtsldpplvofywsfe.exe

erqkjdtsldpplvofywsfe.exe .

C:\Windows\pbzsqjywofqpktlbtqlx.exe

pbzsqjywofqpktlbtqlx.exe

C:\Windows\irmcxnzujxfbtzobq.exe

irmcxnzujxfbtzobq.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\pbzsqjywofqpktlbtqlx.exe*."

C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe

C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\erqkjdtsldpplvofywsfe.exe*."

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 www.whatismyip.com udp
US 172.66.43.169:80 www.whatismyip.com tcp
GB 95.101.143.219:443 www.bing.com tcp
US 172.66.43.169:80 www.whatismyip.com tcp
US 8.8.8.8:53 www.whatismyip.ca udp
US 8.8.8.8:53 whatismyip.everdot.org udp
US 172.66.43.169:80 www.whatismyip.com tcp
US 8.8.8.8:53 www.whatismyip.ca udp
US 172.66.43.169:80 www.whatismyip.com tcp
US 8.8.8.8:53 whatismyip.everdot.org udp
US 172.66.43.169:80 www.whatismyip.com tcp
US 8.8.8.8:53 www.showmyipaddress.com udp
US 172.67.155.175:80 www.showmyipaddress.com tcp
US 8.8.8.8:53 whatismyipaddress.com udp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 172.67.155.175:80 www.showmyipaddress.com tcp
US 8.8.8.8:53 whatismyip.everdot.org udp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 172.66.43.169:80 www.whatismyip.com tcp
US 172.66.43.169:80 www.whatismyip.com tcp
US 8.8.8.8:53 whatismyip.everdot.org udp
US 8.8.8.8:53 www.adobe.com udp
GB 2.18.190.144:80 www.adobe.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.179.227:80 c.pki.goog tcp
US 8.8.8.8:53 www.adobe.com udp
GB 2.18.190.144:80 www.adobe.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe

MD5 838bacd7ba6249144711a2bf8bc7b80a
SHA1 de953447809e72922c5299fa2c9a8ff73c805f98
SHA256 f820f58c72644862a9ded05cb9cc6353baebcdac479309237858b41a300a303c
SHA512 a5dc6e35d037b286e4bf92c68d001eb0d2885b88651cdc75cc89f7e0d0fc348bbaefe00217945dc79947371865eeeb52f96e82b7cc32e466a274f307c86a60d1

C:\Windows\SysWOW64\rbxokbokapyvovlzpk.exe

MD5 b9c1a84350d1c4881dd1eac4ffb453b0
SHA1 e2c094bbe105e9ced9c996c140f4fb1ae5f48585
SHA256 19bfc62f4162a8399e6c22f14721710d96007e027aaa8154e3d80bb725c360e4
SHA512 4122450a3b2fb3698229b12cac896378eee63798ca6c928addfd1a5fdd4af87001c55b19a3072e643bc8586a596f4af6f1b1920c15aa63404212636329da192c

C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe

MD5 9559ab86c1345c15b5ef71e5cd032cc2
SHA1 b79c3d6551f1c9584e5d0f37fd31c65a66e7cd4f
SHA256 2c0e0f3d504d7162a98503f23918d0f96e5529796a677400ab985752f64b463f
SHA512 91d2ca94e6d014d8fc0178b98094b1654f1f1717e81d6eb4e858fb63acdcb0fcd77eafea951034af4892f21f850af05828beb2a70f50ec7a581e4bc7c29f0dfb

C:\Users\Admin\AppData\Local\gxaybztwtpfjjxupmoofi.jhb

MD5 74899d647faec4471aec7c976d6c43eb
SHA1 e0939c94e8ce0864b0bf7c284293124ea178e6d7
SHA256 196a96f9c2de6b3055a012686a61960335a82a227b5fa177bb90767046d251d2
SHA512 2e189012e53008632e48a8f585959b7bfa6b8a1838a451e9534a723a4a880aa7a4e271fac2969a60e69836cba000fa9249f0ea459552bbe3601f90ab4d6dfc91

C:\Users\Admin\AppData\Local\bdraoxcqyfgvgfntbozbpymvaowdeted.rzm

MD5 0b7a36ecadd0b17904ed4e205eef30fb
SHA1 790aabc147c4f8f280ba9fd2605649ad9ff6a5fa
SHA256 256325344a62f486d85c9cbc6adf2fc072382e7559d193e699003e650b1d1ffa
SHA512 f84d1b13c9a850660923bfc1962efbbbfa42743b8416611334ae380e933065ff62dc063d4a19226d6c2e9d98ac0acb3a1b39a4047b962ca624bdfb51c08a6ab7

Analysis: behavioral2

Detonation Overview

Submitted

2025-04-15 11:57

Reported

2025-04-15 11:59

Platform

win11-20250410-en

Max time kernel

51s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A

Pykspa

worm pykspa

Pykspa family

pykspa

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A

Detect Pykspa worm

worm
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qzretdzgujzhec = "obxohvvgyrlxyacgte.exe" C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tzoykrkozly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\znkcwlmyrlgtvybgugd.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tzoykrkozly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mbzsndfsmhdruycixkix.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tzoykrkozly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brqkgxaojfcrvafmcqpfe.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tzoykrkozly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\znkcwlmyrlgtvybgugd.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qzretdzgujzhec = "obxohvvgyrlxyacgte.exe" C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qzretdzgujzhec = "yjdsjvtcsjblkkkm.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qzretdzgujzhec = "yjdsjvtcsjblkkkm.exe" C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qzretdzgujzhec = "mbzsndfsmhdruycixkix.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qzretdzgujzhec = "brqkgxaojfcrvafmcqpfe.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tzoykrkozly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mbzsndfsmhdruycixkix.exe" C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qzretdzgujzhec = "frmcuhgqhzsddefiu.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tzoykrkozly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\znkcwlmyrlgtvybgugd.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qzretdzgujzhec = "mbzsndfsmhdruycixkix.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tzoykrkozly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yjdsjvtcsjblkkkm.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qzretdzgujzhec = "frmcuhgqhzsddefiu.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qzretdzgujzhec = "frmcuhgqhzsddefiu.exe" C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qzretdzgujzhec = "frmcuhgqhzsddefiu.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qzretdzgujzhec = "yjdsjvtcsjblkkkm.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tzoykrkozly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\frmcuhgqhzsddefiu.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tzoykrkozly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mbzsndfsmhdruycixkix.exe" C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qzretdzgujzhec = "brqkgxaojfcrvafmcqpfe.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tzoykrkozly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\znkcwlmyrlgtvybgugd.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tzoykrkozly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mbzsndfsmhdruycixkix.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tzoykrkozly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\obxohvvgyrlxyacgte.exe" C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tzoykrkozly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brqkgxaojfcrvafmcqpfe.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tzoykrkozly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\frmcuhgqhzsddefiu.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tzoykrkozly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brqkgxaojfcrvafmcqpfe.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qzretdzgujzhec = "obxohvvgyrlxyacgte.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tzoykrkozly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\obxohvvgyrlxyacgte.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tzoykrkozly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brqkgxaojfcrvafmcqpfe.exe" C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tzoykrkozly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mbzsndfsmhdruycixkix.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qzretdzgujzhec = "yjdsjvtcsjblkkkm.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tzoykrkozly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mbzsndfsmhdruycixkix.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tzoykrkozly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yjdsjvtcsjblkkkm.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tzoykrkozly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\frmcuhgqhzsddefiu.exe" C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tzoykrkozly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\frmcuhgqhzsddefiu.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qzretdzgujzhec = "mbzsndfsmhdruycixkix.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qzretdzgujzhec = "mbzsndfsmhdruycixkix.exe" C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qzretdzgujzhec = "yjdsjvtcsjblkkkm.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tzoykrkozly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\frmcuhgqhzsddefiu.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qzretdzgujzhec = "yjdsjvtcsjblkkkm.exe" C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qzretdzgujzhec = "brqkgxaojfcrvafmcqpfe.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qzretdzgujzhec = "brqkgxaojfcrvafmcqpfe.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tzoykrkozly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\frmcuhgqhzsddefiu.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tzoykrkozly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yjdsjvtcsjblkkkm.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A

Disables RegEdit via registry modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
N/A N/A C:\Windows\brqkgxaojfcrvafmcqpfe.exe N/A
N/A N/A C:\Windows\brqkgxaojfcrvafmcqpfe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
N/A N/A C:\Windows\brqkgxaojfcrvafmcqpfe.exe N/A
N/A N/A C:\Windows\mbzsndfsmhdruycixkix.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
N/A N/A C:\Windows\obxohvvgyrlxyacgte.exe N/A
N/A N/A C:\Windows\yjdsjvtcsjblkkkm.exe N/A
N/A N/A C:\Windows\obxohvvgyrlxyacgte.exe N/A
N/A N/A C:\Windows\brqkgxaojfcrvafmcqpfe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
N/A N/A C:\Windows\brqkgxaojfcrvafmcqpfe.exe N/A
N/A N/A C:\Windows\frmcuhgqhzsddefiu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe N/A
N/A N/A C:\Windows\frmcuhgqhzsddefiu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
N/A N/A C:\Windows\obxohvvgyrlxyacgte.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
N/A N/A C:\Windows\frmcuhgqhzsddefiu.exe N/A
N/A N/A C:\Windows\mbzsndfsmhdruycixkix.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
N/A N/A C:\Windows\yjdsjvtcsjblkkkm.exe N/A
N/A N/A C:\Windows\yjdsjvtcsjblkkkm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
N/A N/A C:\Windows\brqkgxaojfcrvafmcqpfe.exe N/A
N/A N/A C:\Windows\mbzsndfsmhdruycixkix.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
N/A N/A C:\Windows\znkcwlmyrlgtvybgugd.exe N/A
N/A N/A C:\Windows\obxohvvgyrlxyacgte.exe N/A
N/A N/A C:\Windows\brqkgxaojfcrvafmcqpfe.exe N/A
N/A N/A C:\Windows\brqkgxaojfcrvafmcqpfe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe N/A
N/A N/A C:\Windows\mbzsndfsmhdruycixkix.exe N/A
N/A N/A C:\Windows\znkcwlmyrlgtvybgugd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\obxohvvgyrlxyacgte = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yjdsjvtcsjblkkkm.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pxoaoxsylzovr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brqkgxaojfcrvafmcqpfe.exe ." C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\obxohvvgyrlxyacgte = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yjdsjvtcsjblkkkm.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Run\tdwkaliqfvmvtsr = "obxohvvgyrlxyacgte.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Run\tdwkaliqfvmvtsr = "brqkgxaojfcrvafmcqpfe.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qxnyltnserfl = "yjdsjvtcsjblkkkm.exe" C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yjdsjvtcsjblkkkm = "frmcuhgqhzsddefiu.exe ." C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Run\tdwkaliqfvmvtsr = "yjdsjvtcsjblkkkm.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pxoaoxsylzovr = "znkcwlmyrlgtvybgugd.exe ." C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Run\tdwkaliqfvmvtsr = "znkcwlmyrlgtvybgugd.exe" C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pxoaoxsylzovr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brqkgxaojfcrvafmcqpfe.exe ." C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Run\tdwkaliqfvmvtsr = "znkcwlmyrlgtvybgugd.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pxoaoxsylzovr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yjdsjvtcsjblkkkm.exe ." C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pxoaoxsylzovr = "frmcuhgqhzsddefiu.exe ." C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pxoaoxsylzovr = "yjdsjvtcsjblkkkm.exe ." C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qxnyltnserfl = "brqkgxaojfcrvafmcqpfe.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qxnyltnserfl = "znkcwlmyrlgtvybgugd.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yjdsjvtcsjblkkkm = "mbzsndfsmhdruycixkix.exe ." C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qxnyltnserfl = "frmcuhgqhzsddefiu.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qxnyltnserfl = "frmcuhgqhzsddefiu.exe" C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pxoaoxsylzovr = "brqkgxaojfcrvafmcqpfe.exe ." C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pxoaoxsylzovr = "znkcwlmyrlgtvybgugd.exe ." C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pxoaoxsylzovr = "obxohvvgyrlxyacgte.exe ." C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pxoaoxsylzovr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\obxohvvgyrlxyacgte.exe ." C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Run\qxnyltnserfl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yjdsjvtcsjblkkkm.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pxoaoxsylzovr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mbzsndfsmhdruycixkix.exe ." C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\frmcuhgqhzsddefiu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\frmcuhgqhzsddefiu.exe ." C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Run\tdwkaliqfvmvtsr = "brqkgxaojfcrvafmcqpfe.exe" C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Run\qxnyltnserfl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\frmcuhgqhzsddefiu.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pxoaoxsylzovr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brqkgxaojfcrvafmcqpfe.exe ." C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\obxohvvgyrlxyacgte = "C:\\Users\\Admin\\AppData\\Local\\Temp\\obxohvvgyrlxyacgte.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Run\qxnyltnserfl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mbzsndfsmhdruycixkix.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qxnyltnserfl = "znkcwlmyrlgtvybgugd.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Run\qxnyltnserfl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yjdsjvtcsjblkkkm.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pxoaoxsylzovr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brqkgxaojfcrvafmcqpfe.exe ." C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pxoaoxsylzovr = "frmcuhgqhzsddefiu.exe ." C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\obxohvvgyrlxyacgte = "C:\\Users\\Admin\\AppData\\Local\\Temp\\frmcuhgqhzsddefiu.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\frmcuhgqhzsddefiu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\obxohvvgyrlxyacgte.exe ." C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\frmcuhgqhzsddefiu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\frmcuhgqhzsddefiu.exe ." C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qxnyltnserfl = "yjdsjvtcsjblkkkm.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pxoaoxsylzovr = "mbzsndfsmhdruycixkix.exe ." C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pxoaoxsylzovr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\obxohvvgyrlxyacgte.exe ." C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pxoaoxsylzovr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\frmcuhgqhzsddefiu.exe ." C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yjdsjvtcsjblkkkm = "brqkgxaojfcrvafmcqpfe.exe ." C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Run\qxnyltnserfl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yjdsjvtcsjblkkkm.exe" C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pxoaoxsylzovr = "frmcuhgqhzsddefiu.exe ." C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qxnyltnserfl = "mbzsndfsmhdruycixkix.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Run\qxnyltnserfl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yjdsjvtcsjblkkkm.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pxoaoxsylzovr = "yjdsjvtcsjblkkkm.exe ." C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\frmcuhgqhzsddefiu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yjdsjvtcsjblkkkm.exe ." C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\obxohvvgyrlxyacgte = "C:\\Users\\Admin\\AppData\\Local\\Temp\\obxohvvgyrlxyacgte.exe" C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pxoaoxsylzovr = "brqkgxaojfcrvafmcqpfe.exe ." C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\frmcuhgqhzsddefiu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brqkgxaojfcrvafmcqpfe.exe ." C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\obxohvvgyrlxyacgte = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brqkgxaojfcrvafmcqpfe.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yjdsjvtcsjblkkkm = "yjdsjvtcsjblkkkm.exe ." C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Run\tdwkaliqfvmvtsr = "yjdsjvtcsjblkkkm.exe" C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\obxohvvgyrlxyacgte = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mbzsndfsmhdruycixkix.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Run\tdwkaliqfvmvtsr = "yjdsjvtcsjblkkkm.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Run\tdwkaliqfvmvtsr = "znkcwlmyrlgtvybgugd.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\frmcuhgqhzsddefiu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\obxohvvgyrlxyacgte.exe ." C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\frmcuhgqhzsddefiu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yjdsjvtcsjblkkkm.exe ." C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\frmcuhgqhzsddefiu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\obxohvvgyrlxyacgte.exe ." C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Run\tdwkaliqfvmvtsr = "frmcuhgqhzsddefiu.exe" C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\obxohvvgyrlxyacgte = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brqkgxaojfcrvafmcqpfe.exe" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A

Hijack Execution Flow: Executable Installer File Permissions Weakness

defense_evasion persistence privilege_escalation
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A www.showmyipaddress.com N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A whatismyip.everdot.org N/A N/A
N/A whatismyipaddress.com N/A N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
File created C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\sjjebtxmifdtyeksjyyppk.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\SysWOW64\frmcuhgqhzsddefiu.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\SysWOW64\yjdsjvtcsjblkkkm.exe C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
File opened for modification C:\Windows\SysWOW64\obxohvvgyrlxyacgte.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\SysWOW64\yjdsjvtcsjblkkkm.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\SysWOW64\mbzsndfsmhdruycixkix.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\SysWOW64\frmcuhgqhzsddefiu.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\SysWOW64\yjdsjvtcsjblkkkm.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\SysWOW64\yjdsjvtcsjblkkkm.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\SysWOW64\frmcuhgqhzsddefiu.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\SysWOW64\mbzsndfsmhdruycixkix.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\SysWOW64\sjjebtxmifdtyeksjyyppk.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\SysWOW64\frmcuhgqhzsddefiu.exe C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
File opened for modification C:\Windows\SysWOW64\yjdsjvtcsjblkkkm.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\SysWOW64\sjjebtxmifdtyeksjyyppk.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\SysWOW64\znkcwlmyrlgtvybgugd.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\SysWOW64\obxohvvgyrlxyacgte.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\SysWOW64\brqkgxaojfcrvafmcqpfe.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\SysWOW64\znkcwlmyrlgtvybgugd.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\SysWOW64\yjdsjvtcsjblkkkm.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\SysWOW64\znkcwlmyrlgtvybgugd.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\SysWOW64\sjjebtxmifdtyeksjyyppk.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\SysWOW64\brqkgxaojfcrvafmcqpfe.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\SysWOW64\znkcwlmyrlgtvybgugd.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\SysWOW64\yjdsjvtcsjblkkkm.exe C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
File opened for modification C:\Windows\SysWOW64\sjjebtxmifdtyeksjyyppk.exe C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
File opened for modification C:\Windows\SysWOW64\mbzsndfsmhdruycixkix.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\SysWOW64\brqkgxaojfcrvafmcqpfe.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\SysWOW64\obxohvvgyrlxyacgte.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\SysWOW64\mbzsndfsmhdruycixkix.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\SysWOW64\brqkgxaojfcrvafmcqpfe.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\SysWOW64\yjdsjvtcsjblkkkm.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\SysWOW64\mbzsndfsmhdruycixkix.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\SysWOW64\obxohvvgyrlxyacgte.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\SysWOW64\mbzsndfsmhdruycixkix.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\SysWOW64\yjdsjvtcsjblkkkm.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\SysWOW64\brqkgxaojfcrvafmcqpfe.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\SysWOW64\brqkgxaojfcrvafmcqpfe.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\SysWOW64\znkcwlmyrlgtvybgugd.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\SysWOW64\yjdsjvtcsjblkkkm.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\SysWOW64\yjdsjvtcsjblkkkm.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\SysWOW64\obxohvvgyrlxyacgte.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\SysWOW64\sjjebtxmifdtyeksjyyppk.exe C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
File opened for modification C:\Windows\SysWOW64\yjdsjvtcsjblkkkm.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\SysWOW64\sjjebtxmifdtyeksjyyppk.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\SysWOW64\znkcwlmyrlgtvybgugd.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\SysWOW64\znkcwlmyrlgtvybgugd.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\SysWOW64\sjjebtxmifdtyeksjyyppk.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File created C:\Windows\SysWOW64\qzretdzgujzhecaajqirjwlvrymbrzwussbi.jbo C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
File opened for modification C:\Windows\SysWOW64\brqkgxaojfcrvafmcqpfe.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\SysWOW64\sjjebtxmifdtyeksjyyppk.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\SysWOW64\yjdsjvtcsjblkkkm.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\SysWOW64\obxohvvgyrlxyacgte.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\SysWOW64\yjdsjvtcsjblkkkm.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\SysWOW64\znkcwlmyrlgtvybgugd.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\SysWOW64\znkcwlmyrlgtvybgugd.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\SysWOW64\yjdsjvtcsjblkkkm.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\SysWOW64\obxohvvgyrlxyacgte.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\SysWOW64\znkcwlmyrlgtvybgugd.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\SysWOW64\obxohvvgyrlxyacgte.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\SysWOW64\frmcuhgqhzsddefiu.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\SysWOW64\frmcuhgqhzsddefiu.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\SysWOW64\yjdsjvtcsjblkkkm.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\SysWOW64\znkcwlmyrlgtvybgugd.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\ljqswvgcfjolxkxmkgnlsuyxi.hlq C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
File opened for modification C:\Program Files (x86)\qzretdzgujzhecaajqirjwlvrymbrzwussbi.jbo C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
File created C:\Program Files (x86)\qzretdzgujzhecaajqirjwlvrymbrzwussbi.jbo C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
File opened for modification C:\Program Files (x86)\ljqswvgcfjolxkxmkgnlsuyxi.hlq C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\frmcuhgqhzsddefiu.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\znkcwlmyrlgtvybgugd.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\frmcuhgqhzsddefiu.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\brqkgxaojfcrvafmcqpfe.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\znkcwlmyrlgtvybgugd.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\yjdsjvtcsjblkkkm.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\frmcuhgqhzsddefiu.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\yjdsjvtcsjblkkkm.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\mbzsndfsmhdruycixkix.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\sjjebtxmifdtyeksjyyppk.exe C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
File opened for modification C:\Windows\ljqswvgcfjolxkxmkgnlsuyxi.hlq C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
File opened for modification C:\Windows\mbzsndfsmhdruycixkix.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\brqkgxaojfcrvafmcqpfe.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\frmcuhgqhzsddefiu.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\sjjebtxmifdtyeksjyyppk.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\sjjebtxmifdtyeksjyyppk.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\yjdsjvtcsjblkkkm.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\mbzsndfsmhdruycixkix.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\brqkgxaojfcrvafmcqpfe.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\znkcwlmyrlgtvybgugd.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\yjdsjvtcsjblkkkm.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\sjjebtxmifdtyeksjyyppk.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\znkcwlmyrlgtvybgugd.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\znkcwlmyrlgtvybgugd.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\qzretdzgujzhecaajqirjwlvrymbrzwussbi.jbo C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
File opened for modification C:\Windows\znkcwlmyrlgtvybgugd.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\yjdsjvtcsjblkkkm.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\mbzsndfsmhdruycixkix.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\brqkgxaojfcrvafmcqpfe.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\frmcuhgqhzsddefiu.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\brqkgxaojfcrvafmcqpfe.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\mbzsndfsmhdruycixkix.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\sjjebtxmifdtyeksjyyppk.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\sjjebtxmifdtyeksjyyppk.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\yjdsjvtcsjblkkkm.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\brqkgxaojfcrvafmcqpfe.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File created C:\Windows\qzretdzgujzhecaajqirjwlvrymbrzwussbi.jbo C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
File opened for modification C:\Windows\frmcuhgqhzsddefiu.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\obxohvvgyrlxyacgte.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\sjjebtxmifdtyeksjyyppk.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\mbzsndfsmhdruycixkix.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\brqkgxaojfcrvafmcqpfe.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\frmcuhgqhzsddefiu.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\yjdsjvtcsjblkkkm.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\sjjebtxmifdtyeksjyyppk.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\sjjebtxmifdtyeksjyyppk.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\obxohvvgyrlxyacgte.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\yjdsjvtcsjblkkkm.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\mbzsndfsmhdruycixkix.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\obxohvvgyrlxyacgte.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\mbzsndfsmhdruycixkix.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\mbzsndfsmhdruycixkix.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\frmcuhgqhzsddefiu.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\yjdsjvtcsjblkkkm.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\znkcwlmyrlgtvybgugd.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\sjjebtxmifdtyeksjyyppk.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\brqkgxaojfcrvafmcqpfe.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\frmcuhgqhzsddefiu.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\znkcwlmyrlgtvybgugd.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\mbzsndfsmhdruycixkix.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\znkcwlmyrlgtvybgugd.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\frmcuhgqhzsddefiu.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\frmcuhgqhzsddefiu.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
File opened for modification C:\Windows\yjdsjvtcsjblkkkm.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\frmcuhgqhzsddefiu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\obxohvvgyrlxyacgte.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\znkcwlmyrlgtvybgugd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\obxohvvgyrlxyacgte.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\frmcuhgqhzsddefiu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\yjdsjvtcsjblkkkm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\znkcwlmyrlgtvybgugd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\znkcwlmyrlgtvybgugd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\yjdsjvtcsjblkkkm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\brqkgxaojfcrvafmcqpfe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\mbzsndfsmhdruycixkix.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\znkcwlmyrlgtvybgugd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\yjdsjvtcsjblkkkm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\yjdsjvtcsjblkkkm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\brqkgxaojfcrvafmcqpfe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\brqkgxaojfcrvafmcqpfe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\frmcuhgqhzsddefiu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\brqkgxaojfcrvafmcqpfe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\mbzsndfsmhdruycixkix.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\obxohvvgyrlxyacgte.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\brqkgxaojfcrvafmcqpfe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\yjdsjvtcsjblkkkm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\obxohvvgyrlxyacgte.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\brqkgxaojfcrvafmcqpfe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\znkcwlmyrlgtvybgugd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\mbzsndfsmhdruycixkix.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\yjdsjvtcsjblkkkm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\frmcuhgqhzsddefiu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\yjdsjvtcsjblkkkm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\obxohvvgyrlxyacgte.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\yjdsjvtcsjblkkkm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\znkcwlmyrlgtvybgugd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\frmcuhgqhzsddefiu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 6104 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe C:\Windows\system32\cmd.exe
PID 6104 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe C:\Windows\system32\cmd.exe
PID 6104 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe C:\Windows\system32\cmd.exe
PID 488 wrote to memory of 4932 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe
PID 488 wrote to memory of 4932 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe
PID 488 wrote to memory of 4932 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe
PID 1828 wrote to memory of 4856 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe
PID 1828 wrote to memory of 4856 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe
PID 1828 wrote to memory of 4856 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe
PID 4856 wrote to memory of 4372 N/A C:\Windows\brqkgxaojfcrvafmcqpfe.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe
PID 4856 wrote to memory of 4372 N/A C:\Windows\brqkgxaojfcrvafmcqpfe.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe
PID 4856 wrote to memory of 4372 N/A C:\Windows\brqkgxaojfcrvafmcqpfe.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe
PID 4420 wrote to memory of 412 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe
PID 4420 wrote to memory of 412 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe
PID 4420 wrote to memory of 412 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe
PID 4328 wrote to memory of 5372 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe
PID 4328 wrote to memory of 5372 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe
PID 4328 wrote to memory of 5372 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe
PID 5136 wrote to memory of 4636 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe
PID 5136 wrote to memory of 4636 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe
PID 5136 wrote to memory of 4636 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe
PID 5372 wrote to memory of 4916 N/A C:\Windows\mbzsndfsmhdruycixkix.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe
PID 5372 wrote to memory of 4916 N/A C:\Windows\mbzsndfsmhdruycixkix.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe
PID 5372 wrote to memory of 4916 N/A C:\Windows\mbzsndfsmhdruycixkix.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe
PID 2724 wrote to memory of 3592 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe
PID 2724 wrote to memory of 3592 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe
PID 2724 wrote to memory of 3592 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe
PID 3592 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe
PID 3592 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe
PID 3592 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe
PID 5100 wrote to memory of 5756 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe
PID 5100 wrote to memory of 5756 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe
PID 5100 wrote to memory of 5756 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe
PID 5156 wrote to memory of 4908 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe
PID 5156 wrote to memory of 4908 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe
PID 5156 wrote to memory of 4908 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe
PID 4908 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe
PID 4908 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe
PID 4908 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe
PID 2608 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe C:\Users\Admin\AppData\Local\Temp\zbmsads.exe
PID 2608 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe C:\Users\Admin\AppData\Local\Temp\zbmsads.exe
PID 2608 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe C:\Users\Admin\AppData\Local\Temp\zbmsads.exe
PID 2608 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe C:\Users\Admin\AppData\Local\Temp\zbmsads.exe
PID 2608 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe C:\Users\Admin\AppData\Local\Temp\zbmsads.exe
PID 2608 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe C:\Users\Admin\AppData\Local\Temp\zbmsads.exe
PID 1792 wrote to memory of 4500 N/A C:\Windows\system32\cmd.exe C:\Windows\obxohvvgyrlxyacgte.exe
PID 1792 wrote to memory of 4500 N/A C:\Windows\system32\cmd.exe C:\Windows\obxohvvgyrlxyacgte.exe
PID 1792 wrote to memory of 4500 N/A C:\Windows\system32\cmd.exe C:\Windows\obxohvvgyrlxyacgte.exe
PID 2200 wrote to memory of 3588 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Conhost.exe
PID 2200 wrote to memory of 3588 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Conhost.exe
PID 2200 wrote to memory of 3588 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Conhost.exe
PID 3888 wrote to memory of 5688 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Conhost.exe
PID 3888 wrote to memory of 5688 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Conhost.exe
PID 3888 wrote to memory of 5688 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Conhost.exe
PID 2732 wrote to memory of 3316 N/A C:\Windows\system32\cmd.exe C:\Windows\brqkgxaojfcrvafmcqpfe.exe
PID 2732 wrote to memory of 3316 N/A C:\Windows\system32\cmd.exe C:\Windows\brqkgxaojfcrvafmcqpfe.exe
PID 2732 wrote to memory of 3316 N/A C:\Windows\system32\cmd.exe C:\Windows\brqkgxaojfcrvafmcqpfe.exe
PID 5688 wrote to memory of 1496 N/A C:\Windows\obxohvvgyrlxyacgte.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe
PID 5688 wrote to memory of 1496 N/A C:\Windows\obxohvvgyrlxyacgte.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe
PID 5688 wrote to memory of 1496 N/A C:\Windows\obxohvvgyrlxyacgte.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe
PID 3316 wrote to memory of 3172 N/A C:\Windows\brqkgxaojfcrvafmcqpfe.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe
PID 3316 wrote to memory of 3172 N/A C:\Windows\brqkgxaojfcrvafmcqpfe.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe
PID 3316 wrote to memory of 3172 N/A C:\Windows\brqkgxaojfcrvafmcqpfe.exe C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe
PID 1936 wrote to memory of 3096 N/A C:\Windows\system32\cmd.exe C:\Windows\brqkgxaojfcrvafmcqpfe.exe

System policy modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\zbmsads.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe"

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe*"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe

C:\Windows\brqkgxaojfcrvafmcqpfe.exe

brqkgxaojfcrvafmcqpfe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe .

C:\Windows\brqkgxaojfcrvafmcqpfe.exe

brqkgxaojfcrvafmcqpfe.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\brqkgxaojfcrvafmcqpfe.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe

C:\Windows\brqkgxaojfcrvafmcqpfe.exe

brqkgxaojfcrvafmcqpfe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe .

C:\Windows\mbzsndfsmhdruycixkix.exe

mbzsndfsmhdruycixkix.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe

C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe

C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\mbzsndfsmhdruycixkix.exe*."

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\znkcwlmyrlgtvybgugd.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe

C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe

C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe .

C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe

C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\mbzsndfsmhdruycixkix.exe*."

C:\Users\Admin\AppData\Local\Temp\zbmsads.exe

"C:\Users\Admin\AppData\Local\Temp\zbmsads.exe" "-C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe"

C:\Users\Admin\AppData\Local\Temp\zbmsads.exe

"C:\Users\Admin\AppData\Local\Temp\zbmsads.exe" "-C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c obxohvvgyrlxyacgte.exe

C:\Windows\obxohvvgyrlxyacgte.exe

obxohvvgyrlxyacgte.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yjdsjvtcsjblkkkm.exe

C:\Windows\yjdsjvtcsjblkkkm.exe

yjdsjvtcsjblkkkm.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c obxohvvgyrlxyacgte.exe .

C:\Windows\obxohvvgyrlxyacgte.exe

obxohvvgyrlxyacgte.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe .

C:\Windows\brqkgxaojfcrvafmcqpfe.exe

brqkgxaojfcrvafmcqpfe.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\obxohvvgyrlxyacgte.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yjdsjvtcsjblkkkm.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\brqkgxaojfcrvafmcqpfe.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe

C:\Windows\brqkgxaojfcrvafmcqpfe.exe

brqkgxaojfcrvafmcqpfe.exe

C:\Windows\frmcuhgqhzsddefiu.exe

frmcuhgqhzsddefiu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe .

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe

C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe

C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe .

C:\Windows\frmcuhgqhzsddefiu.exe

frmcuhgqhzsddefiu.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\frmcuhgqhzsddefiu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe .

C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe

C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe

C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe

C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\frmcuhgqhzsddefiu.exe*."

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\obxohvvgyrlxyacgte.exe*."

C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe

C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe

C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe

C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c obxohvvgyrlxyacgte.exe

C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe

C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe .

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\brqkgxaojfcrvafmcqpfe.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe .

C:\Windows\obxohvvgyrlxyacgte.exe

obxohvvgyrlxyacgte.exe

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\obxohvvgyrlxyacgte.exe*."

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\brqkgxaojfcrvafmcqpfe.exe*."

C:\Windows\frmcuhgqhzsddefiu.exe

frmcuhgqhzsddefiu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yjdsjvtcsjblkkkm.exe .

C:\Windows\mbzsndfsmhdruycixkix.exe

mbzsndfsmhdruycixkix.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\frmcuhgqhzsddefiu.exe*."

C:\Windows\yjdsjvtcsjblkkkm.exe

yjdsjvtcsjblkkkm.exe

C:\Windows\yjdsjvtcsjblkkkm.exe

yjdsjvtcsjblkkkm.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe .

C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe

C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\yjdsjvtcsjblkkkm.exe*."

C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe

C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\mbzsndfsmhdruycixkix.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe .

C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe

C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\mbzsndfsmhdruycixkix.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe

C:\Windows\brqkgxaojfcrvafmcqpfe.exe

brqkgxaojfcrvafmcqpfe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe .

C:\Windows\mbzsndfsmhdruycixkix.exe

mbzsndfsmhdruycixkix.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\mbzsndfsmhdruycixkix.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c znkcwlmyrlgtvybgugd.exe

C:\Windows\znkcwlmyrlgtvybgugd.exe

znkcwlmyrlgtvybgugd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c obxohvvgyrlxyacgte.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe .

C:\Windows\obxohvvgyrlxyacgte.exe

obxohvvgyrlxyacgte.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe

C:\Windows\brqkgxaojfcrvafmcqpfe.exe

brqkgxaojfcrvafmcqpfe.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\brqkgxaojfcrvafmcqpfe.exe

brqkgxaojfcrvafmcqpfe.exe

C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe

C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\brqkgxaojfcrvafmcqpfe.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c znkcwlmyrlgtvybgugd.exe .

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe .

C:\Windows\mbzsndfsmhdruycixkix.exe

mbzsndfsmhdruycixkix.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe

C:\Windows\znkcwlmyrlgtvybgugd.exe

znkcwlmyrlgtvybgugd.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\mbzsndfsmhdruycixkix.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c znkcwlmyrlgtvybgugd.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\yjdsjvtcsjblkkkm.exe*."

C:\Windows\brqkgxaojfcrvafmcqpfe.exe

brqkgxaojfcrvafmcqpfe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c obxohvvgyrlxyacgte.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\znkcwlmyrlgtvybgugd.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe .

C:\Windows\znkcwlmyrlgtvybgugd.exe

znkcwlmyrlgtvybgugd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe .

C:\Windows\frmcuhgqhzsddefiu.exe

frmcuhgqhzsddefiu.exe

C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe

C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Windows\obxohvvgyrlxyacgte.exe

obxohvvgyrlxyacgte.exe .

C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe

C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\znkcwlmyrlgtvybgugd.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c obxohvvgyrlxyacgte.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\brqkgxaojfcrvafmcqpfe.exe*."

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\obxohvvgyrlxyacgte.exe*."

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe .

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\znkcwlmyrlgtvybgugd.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yjdsjvtcsjblkkkm.exe

C:\Windows\obxohvvgyrlxyacgte.exe

obxohvvgyrlxyacgte.exe .

C:\Windows\frmcuhgqhzsddefiu.exe

frmcuhgqhzsddefiu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\znkcwlmyrlgtvybgugd.exe*."

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\yjdsjvtcsjblkkkm.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe

C:\Windows\yjdsjvtcsjblkkkm.exe

yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\obxohvvgyrlxyacgte.exe*."

C:\Windows\frmcuhgqhzsddefiu.exe

frmcuhgqhzsddefiu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe .

C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe

C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\frmcuhgqhzsddefiu.exe*."

C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe

C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe

C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe

C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\mbzsndfsmhdruycixkix.exe*."

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\frmcuhgqhzsddefiu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe .

C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe

C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\obxohvvgyrlxyacgte.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c obxohvvgyrlxyacgte.exe

C:\Windows\obxohvvgyrlxyacgte.exe

obxohvvgyrlxyacgte.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe .

C:\Windows\frmcuhgqhzsddefiu.exe

frmcuhgqhzsddefiu.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\frmcuhgqhzsddefiu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c znkcwlmyrlgtvybgugd.exe .

C:\Windows\mbzsndfsmhdruycixkix.exe

mbzsndfsmhdruycixkix.exe

C:\Windows\znkcwlmyrlgtvybgugd.exe

znkcwlmyrlgtvybgugd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe

C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe

C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\znkcwlmyrlgtvybgugd.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe .

C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe

C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\frmcuhgqhzsddefiu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe

C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe

C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe .

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\znkcwlmyrlgtvybgugd.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe

C:\Windows\frmcuhgqhzsddefiu.exe

frmcuhgqhzsddefiu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe .

C:\Windows\mbzsndfsmhdruycixkix.exe

mbzsndfsmhdruycixkix.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c znkcwlmyrlgtvybgugd.exe

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\mbzsndfsmhdruycixkix.exe*."

C:\Windows\znkcwlmyrlgtvybgugd.exe

znkcwlmyrlgtvybgugd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yjdsjvtcsjblkkkm.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe

C:\Windows\yjdsjvtcsjblkkkm.exe

yjdsjvtcsjblkkkm.exe .

C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe

C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\yjdsjvtcsjblkkkm.exe*."

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\yjdsjvtcsjblkkkm.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe

C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe

C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe .

C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe

C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\mbzsndfsmhdruycixkix.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe

C:\Windows\mbzsndfsmhdruycixkix.exe

mbzsndfsmhdruycixkix.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c obxohvvgyrlxyacgte.exe .

C:\Windows\obxohvvgyrlxyacgte.exe

obxohvvgyrlxyacgte.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\obxohvvgyrlxyacgte.exe*."

C:\Windows\mbzsndfsmhdruycixkix.exe

mbzsndfsmhdruycixkix.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yjdsjvtcsjblkkkm.exe .

C:\Windows\yjdsjvtcsjblkkkm.exe

yjdsjvtcsjblkkkm.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe

C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe

C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\yjdsjvtcsjblkkkm.exe*."

C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe

C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\brqkgxaojfcrvafmcqpfe.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe .

C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe

C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\mbzsndfsmhdruycixkix.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe

C:\Windows\brqkgxaojfcrvafmcqpfe.exe

brqkgxaojfcrvafmcqpfe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe .

C:\Windows\brqkgxaojfcrvafmcqpfe.exe

brqkgxaojfcrvafmcqpfe.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\brqkgxaojfcrvafmcqpfe.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c znkcwlmyrlgtvybgugd.exe

C:\Windows\znkcwlmyrlgtvybgugd.exe

znkcwlmyrlgtvybgugd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c obxohvvgyrlxyacgte.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe

C:\Windows\obxohvvgyrlxyacgte.exe

obxohvvgyrlxyacgte.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe .

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\obxohvvgyrlxyacgte.exe*."

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\yjdsjvtcsjblkkkm.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe .

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\yjdsjvtcsjblkkkm.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c znkcwlmyrlgtvybgugd.exe

C:\Windows\znkcwlmyrlgtvybgugd.exe

znkcwlmyrlgtvybgugd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe .

C:\Windows\mbzsndfsmhdruycixkix.exe

mbzsndfsmhdruycixkix.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\mbzsndfsmhdruycixkix.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe

C:\Windows\brqkgxaojfcrvafmcqpfe.exe

brqkgxaojfcrvafmcqpfe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe .

C:\Windows\frmcuhgqhzsddefiu.exe

frmcuhgqhzsddefiu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe

C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe

C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\frmcuhgqhzsddefiu.exe*."

C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe

C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\obxohvvgyrlxyacgte.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe .

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\yjdsjvtcsjblkkkm.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yjdsjvtcsjblkkkm.exe

C:\Windows\yjdsjvtcsjblkkkm.exe

yjdsjvtcsjblkkkm.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c znkcwlmyrlgtvybgugd.exe .

C:\Windows\znkcwlmyrlgtvybgugd.exe

znkcwlmyrlgtvybgugd.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\znkcwlmyrlgtvybgugd.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yjdsjvtcsjblkkkm.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\yjdsjvtcsjblkkkm.exe

yjdsjvtcsjblkkkm.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c obxohvvgyrlxyacgte.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Windows\obxohvvgyrlxyacgte.exe

obxohvvgyrlxyacgte.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe .

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\obxohvvgyrlxyacgte.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe .

C:\Windows\mbzsndfsmhdruycixkix.exe

mbzsndfsmhdruycixkix.exe

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\yjdsjvtcsjblkkkm.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c znkcwlmyrlgtvybgugd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe .

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Windows\frmcuhgqhzsddefiu.exe

frmcuhgqhzsddefiu.exe

C:\Windows\znkcwlmyrlgtvybgugd.exe

znkcwlmyrlgtvybgugd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c znkcwlmyrlgtvybgugd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c znkcwlmyrlgtvybgugd.exe

C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe

C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c obxohvvgyrlxyacgte.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\znkcwlmyrlgtvybgugd.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\frmcuhgqhzsddefiu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c obxohvvgyrlxyacgte.exe .

C:\Windows\obxohvvgyrlxyacgte.exe

obxohvvgyrlxyacgte.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe

C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe

C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe .

C:\Windows\znkcwlmyrlgtvybgugd.exe

znkcwlmyrlgtvybgugd.exe

C:\Windows\znkcwlmyrlgtvybgugd.exe

znkcwlmyrlgtvybgugd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe

C:\Windows\obxohvvgyrlxyacgte.exe

obxohvvgyrlxyacgte.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\obxohvvgyrlxyacgte.exe*."

C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe

C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c obxohvvgyrlxyacgte.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\znkcwlmyrlgtvybgugd.exe*."

C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe

C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe .

C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe

C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c obxohvvgyrlxyacgte.exe

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\obxohvvgyrlxyacgte.exe*."

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\frmcuhgqhzsddefiu.exe*."

C:\Windows\mbzsndfsmhdruycixkix.exe

mbzsndfsmhdruycixkix.exe

C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe

C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c znkcwlmyrlgtvybgugd.exe .

C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe

C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe .

C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe

C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe

C:\Windows\obxohvvgyrlxyacgte.exe

obxohvvgyrlxyacgte.exe .

C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe

C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\brqkgxaojfcrvafmcqpfe.exe*."

C:\Windows\obxohvvgyrlxyacgte.exe

obxohvvgyrlxyacgte.exe

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\frmcuhgqhzsddefiu.exe*."

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\obxohvvgyrlxyacgte.exe*."

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\brqkgxaojfcrvafmcqpfe.exe*."

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe .

C:\Windows\znkcwlmyrlgtvybgugd.exe

znkcwlmyrlgtvybgugd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\znkcwlmyrlgtvybgugd.exe*."

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\znkcwlmyrlgtvybgugd.exe*."

C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe

C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe .

C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe

C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe .

C:\Windows\brqkgxaojfcrvafmcqpfe.exe

brqkgxaojfcrvafmcqpfe.exe

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\brqkgxaojfcrvafmcqpfe.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe

C:\Windows\brqkgxaojfcrvafmcqpfe.exe

brqkgxaojfcrvafmcqpfe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yjdsjvtcsjblkkkm.exe .

C:\Windows\yjdsjvtcsjblkkkm.exe

yjdsjvtcsjblkkkm.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\yjdsjvtcsjblkkkm.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe

C:\Windows\frmcuhgqhzsddefiu.exe

frmcuhgqhzsddefiu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c znkcwlmyrlgtvybgugd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe

C:\Windows\znkcwlmyrlgtvybgugd.exe

znkcwlmyrlgtvybgugd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe

C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\znkcwlmyrlgtvybgugd.exe*."

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\yjdsjvtcsjblkkkm.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe .

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\yjdsjvtcsjblkkkm.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe

C:\Windows\mbzsndfsmhdruycixkix.exe

mbzsndfsmhdruycixkix.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yjdsjvtcsjblkkkm.exe .

C:\Windows\yjdsjvtcsjblkkkm.exe

yjdsjvtcsjblkkkm.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\yjdsjvtcsjblkkkm.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe

C:\Windows\frmcuhgqhzsddefiu.exe

frmcuhgqhzsddefiu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yjdsjvtcsjblkkkm.exe .

C:\Windows\yjdsjvtcsjblkkkm.exe

yjdsjvtcsjblkkkm.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\yjdsjvtcsjblkkkm.exe*."

C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe

C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe

C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe

C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\frmcuhgqhzsddefiu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe .

C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe

C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\brqkgxaojfcrvafmcqpfe.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c znkcwlmyrlgtvybgugd.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\znkcwlmyrlgtvybgugd.exe

znkcwlmyrlgtvybgugd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe .

C:\Windows\frmcuhgqhzsddefiu.exe

frmcuhgqhzsddefiu.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\frmcuhgqhzsddefiu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yjdsjvtcsjblkkkm.exe

C:\Windows\yjdsjvtcsjblkkkm.exe

yjdsjvtcsjblkkkm.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe .

C:\Windows\brqkgxaojfcrvafmcqpfe.exe

brqkgxaojfcrvafmcqpfe.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\brqkgxaojfcrvafmcqpfe.exe*."

C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe

C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe .

C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe

C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\brqkgxaojfcrvafmcqpfe.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe .

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\znkcwlmyrlgtvybgugd.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c znkcwlmyrlgtvybgugd.exe

C:\Windows\znkcwlmyrlgtvybgugd.exe

znkcwlmyrlgtvybgugd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\brqkgxaojfcrvafmcqpfe.exe

brqkgxaojfcrvafmcqpfe.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\brqkgxaojfcrvafmcqpfe.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c znkcwlmyrlgtvybgugd.exe

C:\Windows\znkcwlmyrlgtvybgugd.exe

znkcwlmyrlgtvybgugd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe .

C:\Windows\frmcuhgqhzsddefiu.exe

frmcuhgqhzsddefiu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe

C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe

C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\frmcuhgqhzsddefiu.exe*."

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\yjdsjvtcsjblkkkm.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe

C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe

C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe .

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\znkcwlmyrlgtvybgugd.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe

C:\Windows\frmcuhgqhzsddefiu.exe

frmcuhgqhzsddefiu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c znkcwlmyrlgtvybgugd.exe .

C:\Windows\znkcwlmyrlgtvybgugd.exe

znkcwlmyrlgtvybgugd.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\znkcwlmyrlgtvybgugd.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe

C:\Windows\mbzsndfsmhdruycixkix.exe

mbzsndfsmhdruycixkix.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c obxohvvgyrlxyacgte.exe .

C:\Windows\obxohvvgyrlxyacgte.exe

obxohvvgyrlxyacgte.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe

C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe

C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\obxohvvgyrlxyacgte.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe .

C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe

C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\obxohvvgyrlxyacgte.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe

C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe

C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe .

C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe

C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\brqkgxaojfcrvafmcqpfe.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yjdsjvtcsjblkkkm.exe

C:\Windows\yjdsjvtcsjblkkkm.exe

yjdsjvtcsjblkkkm.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yjdsjvtcsjblkkkm.exe .

C:\Windows\yjdsjvtcsjblkkkm.exe

yjdsjvtcsjblkkkm.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\yjdsjvtcsjblkkkm.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c znkcwlmyrlgtvybgugd.exe

C:\Windows\znkcwlmyrlgtvybgugd.exe

znkcwlmyrlgtvybgugd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe .

C:\Windows\frmcuhgqhzsddefiu.exe

frmcuhgqhzsddefiu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\frmcuhgqhzsddefiu.exe*."

C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe

C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe .

C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe

C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c obxohvvgyrlxyacgte.exe

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\frmcuhgqhzsddefiu.exe*."

C:\Windows\obxohvvgyrlxyacgte.exe

obxohvvgyrlxyacgte.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe

C:\Windows\frmcuhgqhzsddefiu.exe

frmcuhgqhzsddefiu.exe .

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe

C:\Windows\frmcuhgqhzsddefiu.exe

frmcuhgqhzsddefiu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\frmcuhgqhzsddefiu.exe*."

C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe

C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe .

C:\Windows\yjdsjvtcsjblkkkm.exe

yjdsjvtcsjblkkkm.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yjdsjvtcsjblkkkm.exe .

C:\Windows\brqkgxaojfcrvafmcqpfe.exe

brqkgxaojfcrvafmcqpfe.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe

C:\Windows\yjdsjvtcsjblkkkm.exe

yjdsjvtcsjblkkkm.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\brqkgxaojfcrvafmcqpfe.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c znkcwlmyrlgtvybgugd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yjdsjvtcsjblkkkm.exe .

C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe

C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\brqkgxaojfcrvafmcqpfe.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\yjdsjvtcsjblkkkm.exe*."

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe .

C:\Windows\znkcwlmyrlgtvybgugd.exe

znkcwlmyrlgtvybgugd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe

C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe

C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe

C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe

C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\znkcwlmyrlgtvybgugd.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\obxohvvgyrlxyacgte.exe*."

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\frmcuhgqhzsddefiu.exe*."

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe .

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\znkcwlmyrlgtvybgugd.exe*."

C:\Windows\yjdsjvtcsjblkkkm.exe

yjdsjvtcsjblkkkm.exe

C:\Windows\yjdsjvtcsjblkkkm.exe

yjdsjvtcsjblkkkm.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yjdsjvtcsjblkkkm.exe .

C:\Windows\yjdsjvtcsjblkkkm.exe

yjdsjvtcsjblkkkm.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\yjdsjvtcsjblkkkm.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\yjdsjvtcsjblkkkm.exe*."

C:\Windows\brqkgxaojfcrvafmcqpfe.exe

brqkgxaojfcrvafmcqpfe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe .

C:\Windows\brqkgxaojfcrvafmcqpfe.exe

brqkgxaojfcrvafmcqpfe.exe .

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\brqkgxaojfcrvafmcqpfe.exe*."

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\znkcwlmyrlgtvybgugd.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe .

C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe

C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\brqkgxaojfcrvafmcqpfe.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c obxohvvgyrlxyacgte.exe

C:\Windows\obxohvvgyrlxyacgte.exe

obxohvvgyrlxyacgte.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe .

C:\Windows\frmcuhgqhzsddefiu.exe

frmcuhgqhzsddefiu.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\frmcuhgqhzsddefiu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c obxohvvgyrlxyacgte.exe

C:\Windows\obxohvvgyrlxyacgte.exe

obxohvvgyrlxyacgte.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c obxohvvgyrlxyacgte.exe .

C:\Windows\obxohvvgyrlxyacgte.exe

obxohvvgyrlxyacgte.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe .

C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe

C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\obxohvvgyrlxyacgte.exe*."

C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe

C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\frmcuhgqhzsddefiu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe

C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe

C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe .

C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe

C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\obxohvvgyrlxyacgte.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe

C:\Windows\mbzsndfsmhdruycixkix.exe

mbzsndfsmhdruycixkix.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe .

C:\Windows\brqkgxaojfcrvafmcqpfe.exe

brqkgxaojfcrvafmcqpfe.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\brqkgxaojfcrvafmcqpfe.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\brqkgxaojfcrvafmcqpfe.exe

brqkgxaojfcrvafmcqpfe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\brqkgxaojfcrvafmcqpfe.exe

brqkgxaojfcrvafmcqpfe.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\brqkgxaojfcrvafmcqpfe.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe .

C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe

C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\yjdsjvtcsjblkkkm.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe

C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe

C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe

C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\obxohvvgyrlxyacgte.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c obxohvvgyrlxyacgte.exe

C:\Windows\obxohvvgyrlxyacgte.exe

obxohvvgyrlxyacgte.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yjdsjvtcsjblkkkm.exe .

C:\Windows\yjdsjvtcsjblkkkm.exe

yjdsjvtcsjblkkkm.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c znkcwlmyrlgtvybgugd.exe

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\yjdsjvtcsjblkkkm.exe*."

C:\Windows\znkcwlmyrlgtvybgugd.exe

znkcwlmyrlgtvybgugd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yjdsjvtcsjblkkkm.exe .

C:\Windows\yjdsjvtcsjblkkkm.exe

yjdsjvtcsjblkkkm.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe

C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe

C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\yjdsjvtcsjblkkkm.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe .

C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe

C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\obxohvvgyrlxyacgte.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe .

C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe

C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\mbzsndfsmhdruycixkix.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c obxohvvgyrlxyacgte.exe

C:\Windows\obxohvvgyrlxyacgte.exe

obxohvvgyrlxyacgte.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe .

C:\Windows\frmcuhgqhzsddefiu.exe

frmcuhgqhzsddefiu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c obxohvvgyrlxyacgte.exe

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\frmcuhgqhzsddefiu.exe*."

C:\Windows\obxohvvgyrlxyacgte.exe

obxohvvgyrlxyacgte.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c znkcwlmyrlgtvybgugd.exe .

C:\Windows\znkcwlmyrlgtvybgugd.exe

znkcwlmyrlgtvybgugd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\znkcwlmyrlgtvybgugd.exe*."

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe .

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\yjdsjvtcsjblkkkm.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe

C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe

C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe .

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\znkcwlmyrlgtvybgugd.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c znkcwlmyrlgtvybgugd.exe

C:\Windows\znkcwlmyrlgtvybgugd.exe

znkcwlmyrlgtvybgugd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c obxohvvgyrlxyacgte.exe .

C:\Windows\obxohvvgyrlxyacgte.exe

obxohvvgyrlxyacgte.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\obxohvvgyrlxyacgte.exe*."

C:\Windows\brqkgxaojfcrvafmcqpfe.exe

brqkgxaojfcrvafmcqpfe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe .

C:\Windows\mbzsndfsmhdruycixkix.exe

mbzsndfsmhdruycixkix.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe

C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe

C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\mbzsndfsmhdruycixkix.exe*."

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\yjdsjvtcsjblkkkm.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe

C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe

C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe .

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\yjdsjvtcsjblkkkm.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe

C:\Windows\frmcuhgqhzsddefiu.exe

frmcuhgqhzsddefiu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c obxohvvgyrlxyacgte.exe .

C:\Windows\obxohvvgyrlxyacgte.exe

obxohvvgyrlxyacgte.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\obxohvvgyrlxyacgte.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe

C:\Windows\mbzsndfsmhdruycixkix.exe

mbzsndfsmhdruycixkix.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe .

C:\Windows\frmcuhgqhzsddefiu.exe

frmcuhgqhzsddefiu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\frmcuhgqhzsddefiu.exe*."

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe .

C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe

C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\obxohvvgyrlxyacgte.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe

C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe

C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe .

C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe

C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\mbzsndfsmhdruycixkix.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yjdsjvtcsjblkkkm.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\yjdsjvtcsjblkkkm.exe

yjdsjvtcsjblkkkm.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe .

C:\Windows\frmcuhgqhzsddefiu.exe

frmcuhgqhzsddefiu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe

C:\Windows\frmcuhgqhzsddefiu.exe

frmcuhgqhzsddefiu.exe .

C:\Windows\frmcuhgqhzsddefiu.exe

frmcuhgqhzsddefiu.exe

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\frmcuhgqhzsddefiu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c znkcwlmyrlgtvybgugd.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe

C:\Windows\znkcwlmyrlgtvybgugd.exe

znkcwlmyrlgtvybgugd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe .

C:\Windows\mbzsndfsmhdruycixkix.exe

mbzsndfsmhdruycixkix.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\znkcwlmyrlgtvybgugd.exe*."

C:\Windows\brqkgxaojfcrvafmcqpfe.exe

brqkgxaojfcrvafmcqpfe.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c obxohvvgyrlxyacgte.exe

C:\Windows\mbzsndfsmhdruycixkix.exe

mbzsndfsmhdruycixkix.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe .

C:\Windows\mbzsndfsmhdruycixkix.exe

mbzsndfsmhdruycixkix.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\brqkgxaojfcrvafmcqpfe.exe*."

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\mbzsndfsmhdruycixkix.exe*."

C:\Windows\mbzsndfsmhdruycixkix.exe

mbzsndfsmhdruycixkix.exe .

C:\Windows\obxohvvgyrlxyacgte.exe

obxohvvgyrlxyacgte.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe .

C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe

C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe

C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe

C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\mbzsndfsmhdruycixkix.exe*."

C:\Windows\frmcuhgqhzsddefiu.exe

frmcuhgqhzsddefiu.exe .

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\yjdsjvtcsjblkkkm.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe .

C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe

C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\frmcuhgqhzsddefiu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\mbzsndfsmhdruycixkix.exe*."

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe .

C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe

C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe .

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\znkcwlmyrlgtvybgugd.exe*."

C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe

C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\mbzsndfsmhdruycixkix.exe*."

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\yjdsjvtcsjblkkkm.exe*."

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\mbzsndfsmhdruycixkix.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe

C:\Windows\mbzsndfsmhdruycixkix.exe

mbzsndfsmhdruycixkix.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe .

C:\Windows\brqkgxaojfcrvafmcqpfe.exe

brqkgxaojfcrvafmcqpfe.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\brqkgxaojfcrvafmcqpfe.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe

C:\Windows\mbzsndfsmhdruycixkix.exe

mbzsndfsmhdruycixkix.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe .

C:\Windows\mbzsndfsmhdruycixkix.exe

mbzsndfsmhdruycixkix.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\mbzsndfsmhdruycixkix.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe .

C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe

C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\znkcwlmyrlgtvybgugd.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe .

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\yjdsjvtcsjblkkkm.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c znkcwlmyrlgtvybgugd.exe

C:\Windows\znkcwlmyrlgtvybgugd.exe

znkcwlmyrlgtvybgugd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe .

C:\Windows\frmcuhgqhzsddefiu.exe

frmcuhgqhzsddefiu.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\frmcuhgqhzsddefiu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe

C:\Windows\mbzsndfsmhdruycixkix.exe

mbzsndfsmhdruycixkix.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c obxohvvgyrlxyacgte.exe .

C:\Windows\obxohvvgyrlxyacgte.exe

obxohvvgyrlxyacgte.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\obxohvvgyrlxyacgte.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe

C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\mbzsndfsmhdruycixkix.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe

C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe .

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\yjdsjvtcsjblkkkm.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yjdsjvtcsjblkkkm.exe

C:\Windows\yjdsjvtcsjblkkkm.exe

yjdsjvtcsjblkkkm.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe .

C:\Windows\mbzsndfsmhdruycixkix.exe

mbzsndfsmhdruycixkix.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\mbzsndfsmhdruycixkix.exe*."

C:\Windows\brqkgxaojfcrvafmcqpfe.exe

brqkgxaojfcrvafmcqpfe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe .

C:\Windows\mbzsndfsmhdruycixkix.exe

mbzsndfsmhdruycixkix.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe

C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe

C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\mbzsndfsmhdruycixkix.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe .

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\znkcwlmyrlgtvybgugd.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe .

C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe

C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\obxohvvgyrlxyacgte.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\brqkgxaojfcrvafmcqpfe.exe

brqkgxaojfcrvafmcqpfe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe .

C:\Windows\brqkgxaojfcrvafmcqpfe.exe

brqkgxaojfcrvafmcqpfe.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\brqkgxaojfcrvafmcqpfe.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c znkcwlmyrlgtvybgugd.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\znkcwlmyrlgtvybgugd.exe

znkcwlmyrlgtvybgugd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe .

C:\Windows\frmcuhgqhzsddefiu.exe

frmcuhgqhzsddefiu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe

C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe

C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\frmcuhgqhzsddefiu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe .

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\znkcwlmyrlgtvybgugd.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe

C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe

C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe .

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\yjdsjvtcsjblkkkm.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yjdsjvtcsjblkkkm.exe

C:\Windows\yjdsjvtcsjblkkkm.exe

yjdsjvtcsjblkkkm.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe .

C:\Windows\mbzsndfsmhdruycixkix.exe

mbzsndfsmhdruycixkix.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\mbzsndfsmhdruycixkix.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe

C:\Windows\brqkgxaojfcrvafmcqpfe.exe

brqkgxaojfcrvafmcqpfe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yjdsjvtcsjblkkkm.exe .

C:\Windows\yjdsjvtcsjblkkkm.exe

yjdsjvtcsjblkkkm.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\yjdsjvtcsjblkkkm.exe*."

C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe

C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe .

C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe

C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\mbzsndfsmhdruycixkix.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe .

C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe

C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\obxohvvgyrlxyacgte.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c obxohvvgyrlxyacgte.exe

C:\Windows\obxohvvgyrlxyacgte.exe

obxohvvgyrlxyacgte.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe .

C:\Windows\mbzsndfsmhdruycixkix.exe

mbzsndfsmhdruycixkix.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\mbzsndfsmhdruycixkix.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\frmcuhgqhzsddefiu.exe

frmcuhgqhzsddefiu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c znkcwlmyrlgtvybgugd.exe .

C:\Windows\znkcwlmyrlgtvybgugd.exe

znkcwlmyrlgtvybgugd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\znkcwlmyrlgtvybgugd.exe*."

C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe

C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe .

C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe

C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\obxohvvgyrlxyacgte.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe

C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe .

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\znkcwlmyrlgtvybgugd.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c obxohvvgyrlxyacgte.exe

C:\Windows\obxohvvgyrlxyacgte.exe

obxohvvgyrlxyacgte.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c obxohvvgyrlxyacgte.exe .

C:\Windows\obxohvvgyrlxyacgte.exe

obxohvvgyrlxyacgte.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\obxohvvgyrlxyacgte.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c znkcwlmyrlgtvybgugd.exe

C:\Windows\znkcwlmyrlgtvybgugd.exe

znkcwlmyrlgtvybgugd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c obxohvvgyrlxyacgte.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\obxohvvgyrlxyacgte.exe

obxohvvgyrlxyacgte.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\obxohvvgyrlxyacgte.exe*."

C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe

C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c obxohvvgyrlxyacgte.exe

C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe

C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe .

C:\Windows\obxohvvgyrlxyacgte.exe

obxohvvgyrlxyacgte.exe

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\frmcuhgqhzsddefiu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe

C:\Windows\frmcuhgqhzsddefiu.exe

frmcuhgqhzsddefiu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe

C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe

C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe .

C:\Windows\frmcuhgqhzsddefiu.exe

frmcuhgqhzsddefiu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\frmcuhgqhzsddefiu.exe*."

C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe

C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\frmcuhgqhzsddefiu.exe

frmcuhgqhzsddefiu.exe

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\obxohvvgyrlxyacgte.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe

C:\Windows\brqkgxaojfcrvafmcqpfe.exe

brqkgxaojfcrvafmcqpfe.exe .

C:\Windows\mbzsndfsmhdruycixkix.exe

mbzsndfsmhdruycixkix.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c obxohvvgyrlxyacgte.exe .

C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe

C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\brqkgxaojfcrvafmcqpfe.exe*."

C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe

C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe

C:\Windows\obxohvvgyrlxyacgte.exe

obxohvvgyrlxyacgte.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\mbzsndfsmhdruycixkix.exe*."

C:\Windows\frmcuhgqhzsddefiu.exe

frmcuhgqhzsddefiu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe .

C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe

C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\obxohvvgyrlxyacgte.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe .

C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe

C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\obxohvvgyrlxyacgte.exe*."

C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe

C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe

C:\Windows\mbzsndfsmhdruycixkix.exe

mbzsndfsmhdruycixkix.exe

C:\Windows\frmcuhgqhzsddefiu.exe

frmcuhgqhzsddefiu.exe .

C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe

C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\obxohvvgyrlxyacgte.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe .

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\frmcuhgqhzsddefiu.exe*."

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\mbzsndfsmhdruycixkix.exe*."

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe

C:\Windows\mbzsndfsmhdruycixkix.exe

mbzsndfsmhdruycixkix.exe

C:\Windows\frmcuhgqhzsddefiu.exe

frmcuhgqhzsddefiu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe .

C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe

C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\znkcwlmyrlgtvybgugd.exe*."

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\frmcuhgqhzsddefiu.exe*."

C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe

C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\frmcuhgqhzsddefiu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe .

C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe

C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\brqkgxaojfcrvafmcqpfe.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe

C:\Windows\mbzsndfsmhdruycixkix.exe

mbzsndfsmhdruycixkix.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yjdsjvtcsjblkkkm.exe .

C:\Windows\yjdsjvtcsjblkkkm.exe

yjdsjvtcsjblkkkm.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\yjdsjvtcsjblkkkm.exe*."

C:\Windows\yjdsjvtcsjblkkkm.exe

yjdsjvtcsjblkkkm.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe .

C:\Windows\frmcuhgqhzsddefiu.exe

frmcuhgqhzsddefiu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\frmcuhgqhzsddefiu.exe*."

C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe

C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe

C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\brqkgxaojfcrvafmcqpfe.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe .

C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe

C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\brqkgxaojfcrvafmcqpfe.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yjdsjvtcsjblkkkm.exe

C:\Windows\yjdsjvtcsjblkkkm.exe

yjdsjvtcsjblkkkm.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe .

C:\Windows\mbzsndfsmhdruycixkix.exe

mbzsndfsmhdruycixkix.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\mbzsndfsmhdruycixkix.exe*."

C:\Windows\mbzsndfsmhdruycixkix.exe

mbzsndfsmhdruycixkix.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe .

C:\Windows\brqkgxaojfcrvafmcqpfe.exe

brqkgxaojfcrvafmcqpfe.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\brqkgxaojfcrvafmcqpfe.exe*."

C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe

C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe .

C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe

C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\obxohvvgyrlxyacgte.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe

C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe

C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe .

C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe

C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\obxohvvgyrlxyacgte.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe

C:\Windows\mbzsndfsmhdruycixkix.exe

mbzsndfsmhdruycixkix.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe .

C:\Windows\brqkgxaojfcrvafmcqpfe.exe

brqkgxaojfcrvafmcqpfe.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\brqkgxaojfcrvafmcqpfe.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe

C:\Windows\brqkgxaojfcrvafmcqpfe.exe

brqkgxaojfcrvafmcqpfe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe .

C:\Windows\frmcuhgqhzsddefiu.exe

frmcuhgqhzsddefiu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\frmcuhgqhzsddefiu.exe*."

C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe

C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\mbzsndfsmhdruycixkix.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe .

C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe

C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\brqkgxaojfcrvafmcqpfe.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe

C:\Windows\mbzsndfsmhdruycixkix.exe

mbzsndfsmhdruycixkix.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe .

C:\Windows\mbzsndfsmhdruycixkix.exe

mbzsndfsmhdruycixkix.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\mbzsndfsmhdruycixkix.exe*."

C:\Windows\mbzsndfsmhdruycixkix.exe

mbzsndfsmhdruycixkix.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe

C:\Windows\mbzsndfsmhdruycixkix.exe

mbzsndfsmhdruycixkix.exe .

C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe

C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\mbzsndfsmhdruycixkix.exe*."

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe

C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\znkcwlmyrlgtvybgugd.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe

C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe

C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe .

C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe

C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe .

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\brqkgxaojfcrvafmcqpfe.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe

C:\Windows\mbzsndfsmhdruycixkix.exe

mbzsndfsmhdruycixkix.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c obxohvvgyrlxyacgte.exe .

C:\Windows\obxohvvgyrlxyacgte.exe

obxohvvgyrlxyacgte.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.whatismyip.com udp
US 172.66.40.87:80 www.whatismyip.com tcp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 172.67.155.175:80 www.showmyipaddress.com tcp
US 172.67.155.175:80 www.showmyipaddress.com tcp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 172.66.40.87:80 www.whatismyip.com tcp
US 172.66.40.87:80 www.whatismyip.com tcp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 172.67.155.175:80 www.showmyipaddress.com tcp
US 172.67.155.175:80 www.showmyipaddress.com tcp
US 172.66.40.87:80 www.whatismyip.com tcp
US 34.111.176.156:80 www.myspace.com tcp
SG 180.215.73.232:19641 tcp
DE 85.214.228.140:80 gyuuym.org tcp
SG 18.142.91.111:80 unxfuild.info tcp
US 104.156.155.94:80 cydlrge.info tcp
BG 109.121.251.137:34242 tcp
US 8.8.8.8:53 riwggatvku.net udp
US 8.8.8.8:53 qetblcp.info udp
US 8.8.8.8:53 dqjrswwie.com udp
US 8.8.8.8:53 xfyzcliuhtjc.net udp
MD 188.237.129.253:31262 tcp
US 8.8.8.8:53 hpeucnfc.info udp
US 8.8.8.8:53 dyjimy.info udp
US 8.8.8.8:53 kgwovpmux.info udp
US 93.180.203.127:33325 tcp
US 8.8.8.8:53 fdlbrec.info udp
US 8.8.8.8:53 bdxddkrvo.org udp
US 8.8.8.8:53 zhpqvm.info udp
TR 46.1.178.249:43014 tcp
US 8.8.8.8:53 trwirs.info udp
US 8.8.8.8:53 oojgoo.net udp
US 8.8.8.8:53 eujcdalm.info udp
TR 78.169.67.181:26921 tcp
US 8.8.8.8:53 plvydh.net udp
US 8.8.8.8:53 lvzawgnjgazj.info udp
US 8.8.8.8:53 vvvwqixitbr.com udp
KZ 178.90.132.82:16160 tcp
US 8.8.8.8:53 zxegvt.net udp
US 8.8.8.8:53 xrctizgjhu.net udp
US 8.8.8.8:53 tilgoixn.info udp
LV 77.38.217.46:39917 tcp
US 8.8.8.8:53 oopqdamgqme.net udp
US 8.8.8.8:53 vkpzxu.info udp
US 8.8.8.8:53 dgtmdybkns.net udp
LT 86.100.28.108:13964 tcp
US 8.8.8.8:53 obfcnytd.net udp
US 8.8.8.8:53 ewiuauieao.com udp
PK 103.12.120.171:18384 tcp
US 8.8.8.8:53 hawfyqp.net udp
US 8.8.8.8:53 bunzpahdi.com udp
PK 111.119.188.16:24907 tcp
US 8.8.8.8:53 qseoumkkca.org udp
KZ 2.134.31.242:36488 tcp
US 8.8.8.8:53 lreubkbwfsvr.net udp
KZ 178.91.27.10:44010 tcp
US 8.8.8.8:53 ymcypcpuo.net udp
US 8.8.8.8:53 sssikyme.org udp
US 8.8.8.8:53 gdiecndz.net udp
BG 109.121.251.137:34242 tcp
US 8.8.8.8:53 givvdko.info udp
US 8.8.8.8:53 vphpoazahk.info udp
US 8.8.8.8:53 fevpfshvp.org udp
US 8.8.8.8:53 bpxpjgf.net udp
BR 200.161.101.50:34810 tcp
US 8.8.8.8:53 yywyhohomrx.net udp
US 8.8.8.8:53 gkkiki.org udp
NL 176.101.61.92:43724 tcp
DE 85.214.228.140:80 gyuuym.org tcp
SG 18.142.91.111:80 unxfuild.info tcp
US 104.156.155.94:80 cydlrge.info tcp
US 8.8.8.8:53 actlyiz.net udp
US 8.8.8.8:53 gcdphcuo.net udp
US 8.8.8.8:53 dkakxir.com udp
US 8.8.8.8:53 eejvxqlpeab.net udp
US 8.8.8.8:53 qtgqqinahbp.info udp
US 8.8.8.8:53 hkrejmf.org udp
US 8.8.8.8:53 ebokcprbw.info udp
US 8.8.8.8:53 tcvuvhjwh.info udp
US 8.8.8.8:53 isaqvwvoz.info udp
US 8.8.8.8:53 tiuwjncqtq.net udp
US 8.8.8.8:53 zrvqjgtf.net udp
US 8.8.8.8:53 jubvpax.info udp
US 8.8.8.8:53 erkkchbzwwt.info udp
US 8.8.8.8:53 lrizwpxcpv.info udp
US 8.8.8.8:53 hedqdcqtvgl.org udp
US 8.8.8.8:53 xuuspo.info udp
US 8.8.8.8:53 svpidwu.net udp
US 8.8.8.8:53 vgyqtpcnj.net udp
US 8.8.8.8:53 ucqyyewa.com udp
US 8.8.8.8:53 nyuzczoi.info udp
US 8.8.8.8:53 rhcborknoj.net udp
US 8.8.8.8:53 igqgkwuysyca.org udp
US 8.8.8.8:53 lqpenxf.org udp
US 8.8.8.8:53 aecorsmkwxv.net udp
US 8.8.8.8:53 jvigxrrchb.net udp
US 8.8.8.8:53 njmyupro.net udp
US 8.8.8.8:53 bobbdvtqt.org udp
US 8.8.8.8:53 caumgukqqiom.org udp
US 8.8.8.8:53 xhgpvkuhkl.net udp
US 8.8.8.8:53 xrpwmsl.info udp
US 8.8.8.8:53 dotksydeo.org udp
US 8.8.8.8:53 wlqkaa.net udp
US 8.8.8.8:53 wazwlesbbnlj.net udp
US 8.8.8.8:53 suyygo.org udp
US 8.8.8.8:53 zszvraw.net udp
US 8.8.8.8:53 iusioomq.org udp
US 8.8.8.8:53 qpncsrph.net udp
US 8.8.8.8:53 jquxzj.info udp
US 8.8.8.8:53 dgroesgczqf.org udp
US 8.8.8.8:53 wcsbrpz.net udp
US 8.8.8.8:53 cjplpm.info udp
US 8.8.8.8:53 ouruimewpej.info udp
US 8.8.8.8:53 uwcuws.org udp
US 8.8.8.8:53 iqauqkuogkky.com udp
US 8.8.8.8:53 hoborea.net udp
US 8.8.8.8:53 azlfou.info udp
US 8.8.8.8:53 jtaidgac.info udp
US 8.8.8.8:53 umyicieyee.org udp
US 8.8.8.8:53 jkssnbkem.com udp
US 8.8.8.8:53 esckmagcmo.org udp
US 8.8.8.8:53 fzrfjposq.info udp
US 8.8.8.8:53 pcirsgzhlu.info udp
US 8.8.8.8:53 hyjchkcx.net udp
US 8.8.8.8:53 vcsuct.net udp
US 8.8.8.8:53 deasnwidjef.net udp
US 8.8.8.8:53 fsyczawoha.info udp
US 8.8.8.8:53 bdzvtmnkcxl.org udp
US 8.8.8.8:53 atkzfclhbift.info udp
US 8.8.8.8:53 lhenxejblgfr.info udp
US 8.8.8.8:53 jifwjxlr.net udp
US 8.8.8.8:53 brxejfal.net udp
US 8.8.8.8:53 tlutrqda.info udp
US 8.8.8.8:53 wueysyqiyg.org udp
US 8.8.8.8:53 pdqkztoxkn.net udp
US 8.8.8.8:53 tatidwvgk.info udp
US 8.8.8.8:53 rzukpime.net udp
US 8.8.8.8:53 jjrefkv.net udp
US 8.8.8.8:53 vhhvehjz.net udp
US 8.8.8.8:53 xiymhzbux.net udp
US 8.8.8.8:53 hqklhiyl.net udp
US 8.8.8.8:53 phtoggztqx.info udp
US 8.8.8.8:53 kjskvzf.info udp
US 8.8.8.8:53 mgiocemotks.info udp
US 8.8.8.8:53 jnhgkgrstxm.com udp
US 8.8.8.8:53 iciiqmay.com udp
US 8.8.8.8:53 kqexvdog.net udp
US 8.8.8.8:53 elphyesv.info udp
US 8.8.8.8:53 lzbjkx.info udp
US 8.8.8.8:53 tskmyvp.info udp
US 8.8.8.8:53 enpnjodai.net udp
US 8.8.8.8:53 cqhujduebap.net udp
US 8.8.8.8:53 blriytvijot.com udp
US 8.8.8.8:53 gosuwjetcx.info udp
US 8.8.8.8:53 tbjdznb.com udp
US 8.8.8.8:53 kyilnx.net udp
US 8.8.8.8:53 ycuuqgyiscgu.org udp
US 8.8.8.8:53 gbmqatfh.net udp
US 8.8.8.8:53 gaqkygwq.org udp
US 8.8.8.8:53 qizgxgvop.info udp
US 8.8.8.8:53 jrbulad.info udp
US 8.8.8.8:53 sqncad.net udp
US 8.8.8.8:53 hhljmihfzlnz.net udp
US 8.8.8.8:53 bpzorpfuhtf.org udp
US 8.8.8.8:53 kwcydphcrgs.net udp
US 8.8.8.8:53 ukagku.org udp
US 8.8.8.8:53 gemwwqec.com udp
US 8.8.8.8:53 abmunu.net udp
US 8.8.8.8:53 xwiyhrj.org udp
US 8.8.8.8:53 nmvehyrkcny.info udp
US 8.8.8.8:53 jmnykt.info udp
US 8.8.8.8:53 wvkmvfzxvodj.info udp
US 8.8.8.8:53 bkngmvgi.net udp
US 8.8.8.8:53 ieqwwj.net udp
US 8.8.8.8:53 nwwefa.net udp
US 8.8.8.8:53 bwvcggpmbmc.info udp
US 8.8.8.8:53 helwwccqo.info udp
US 8.8.8.8:53 cqymxwzmnum.info udp
US 8.8.8.8:53 skuiki.com udp
US 8.8.8.8:53 cgmocqekss.com udp
US 8.8.8.8:53 bqdindvszcl.com udp
US 8.8.8.8:53 qymuiaeg.com udp
US 8.8.8.8:53 xqwboo.info udp
US 8.8.8.8:53 oymmdlc.info udp
US 8.8.8.8:53 eanyrik.info udp
US 8.8.8.8:53 yvwwzkrnk.info udp
US 8.8.8.8:53 emtgfezjf.info udp
US 8.8.8.8:53 dykwknvmdfdj.info udp
US 8.8.8.8:53 kuysyucago.org udp
US 8.8.8.8:53 ikewtilij.info udp
US 8.8.8.8:53 rthqrivhwdxm.net udp
US 8.8.8.8:53 ldiklcyvom.net udp
US 8.8.8.8:53 tgtyayekl.info udp
US 8.8.8.8:53 wawaoiyk.com udp
US 8.8.8.8:53 cesqcycmmy.org udp
US 8.8.8.8:53 azhqocwy.net udp
US 8.8.8.8:53 beftdpo.info udp
US 8.8.8.8:53 rebarux.com udp
US 8.8.8.8:53 xogqpeq.org udp
US 8.8.8.8:53 lczoradauoz.net udp
US 8.8.8.8:53 rnlsnzlvnkrp.info udp
US 8.8.8.8:53 myuuec.org udp
US 8.8.8.8:53 xcygjjv.com udp
US 8.8.8.8:53 dazulnj.org udp
US 8.8.8.8:53 kjkgihxh.info udp
US 8.8.8.8:53 qxjgbsv.info udp
US 8.8.8.8:53 dqvfqtbcd.net udp
US 8.8.8.8:53 sqmugskqya.com udp
US 8.8.8.8:53 mswiwe.org udp

Files

C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe

MD5 c4c0eacae76a12e21d0ee9e9cc4eb3d8
SHA1 047ba8084fb1dc0cd3b2fcddbd620c106eba9e26
SHA256 a4a5c3a7226c301017880b326b6b7b78d2001c0b27c0fce9ddbef6d6302415ba
SHA512 d08970a86f282701cb99cfda8499c73c735dd37a471474853d213a926a1d74cdb12ded59c42710e17e7dedcd47ff09d368c6b5eb5726feb496a14c74bec09573

C:\Windows\SysWOW64\obxohvvgyrlxyacgte.exe

MD5 b9c1a84350d1c4881dd1eac4ffb453b0
SHA1 e2c094bbe105e9ced9c996c140f4fb1ae5f48585
SHA256 19bfc62f4162a8399e6c22f14721710d96007e027aaa8154e3d80bb725c360e4
SHA512 4122450a3b2fb3698229b12cac896378eee63798ca6c928addfd1a5fdd4af87001c55b19a3072e643bc8586a596f4af6f1b1920c15aa63404212636329da192c

C:\Users\Admin\AppData\Local\Temp\zbmsads.exe

MD5 b1c1f6d849fca5b0679b0eb807530506
SHA1 453eb6c69e8e45835471294b6f36c3442e9e2c44
SHA256 e8345830f9ebea52f6e7379fc90191d9833d2cb8ab8140045b8b238edacf64a5
SHA512 f719c0db22b94ad638bfb1105b574133b1b08d0a87f98afc410d18cfa7e5a39d8497283a92eb602d378dc4206f676722ec8e4baeb8b3534006f31cfd2d90de9d

C:\Users\Admin\AppData\Local\ljqswvgcfjolxkxmkgnlsuyxi.hlq

MD5 5b1fd19a528f384c9ede270a6c9437cf
SHA1 a7b673a5d0bce26e03b46bcd4f361eb40e656606
SHA256 26aeec408c8dd273ac5320db47b9baf72fa605684e2cd050463fdb04c2563164
SHA512 747717613d704a8c32c5bfb380cd2d9605c2dd6648d344eee8f0ee7590d583fcbab2090a28a2e7db74b458788d9c08f8f94382039fba48f55d462fa14e176b2d

C:\Users\Admin\AppData\Local\qzretdzgujzhecaajqirjwlvrymbrzwussbi.jbo

MD5 dcd76049f738fb81c0a2d737f227d3e9
SHA1 f812b76a6d236b120b0c95de058978190a80df72
SHA256 32d78abcb32d43f7b056478e5a1a95e7ac4f5d77ddeac8de7ffca0e370749916
SHA512 085f8efc53241fab8e172c2ac6be5ee3f7f53a35f899c3def1aee4913b4a5836fc5290cb6764042141085ecfd6760da1daf3d8ee4c88f595e98dd44c7767d89c

C:\Program Files (x86)\ljqswvgcfjolxkxmkgnlsuyxi.hlq

MD5 85754770fb695d989ae69ea2860e23ea
SHA1 e49330359d4b8307585e1fb628111a87367ce6fe
SHA256 30c1f019aa4147e2aff5ff44ed822ba0b63ba7181b218007766c86a5ad970e4d
SHA512 8cf717986dffd8c633ac825a0f4ef9485cadf49cb99419fa8692efb3f0e52451e66cd3082704b4f7a69bed20a191d18434786578cf924b7d8c5d215d2af75345

C:\Program Files (x86)\ljqswvgcfjolxkxmkgnlsuyxi.hlq

MD5 37ccf1b984c2bb2be4ebd3d5d267860f
SHA1 fbf52dcd200feafa5e25b70349976044434e7bff
SHA256 dc08d333d89165c2a1ca881538c88c1cbc7c25a0fff0dac7ea013feb87fb93c9
SHA512 0cfc1aaaac4ffbc3efb66de5ad380fae669d581e604adf72426d83dce3326a5a34a46b4a568aa7600260fd36e93ae02f3320b10649a59ad64d163fb0208b4037

C:\Program Files (x86)\ljqswvgcfjolxkxmkgnlsuyxi.hlq

MD5 163880ea36c614f61dc63b31caff2af6
SHA1 568de0867f2365dd4072397981e1a27be9b7beab
SHA256 cb1ade61a2a5732065a55594b1c66ade3e79074eb23a169450f73a0a9d190d29
SHA512 b5d0fdca36da52ccb989968f3a112bd8edda3829a82d6f3505a979633859fd4923d414dbdb7dc59defa71b35fc134849343033e9a576c8d883148e87e47479e9

C:\Program Files (x86)\ljqswvgcfjolxkxmkgnlsuyxi.hlq

MD5 03934dc35f19b76bb4c1651b62eb36ec
SHA1 9efb1b84f0959f02f7b9964d4f7efcfb2ac5e7c1
SHA256 e015e15c3409274039c5f34795cfb7642c55f1c03bece4a5a3f1ee1db8125a56
SHA512 96e3fa948bdde3b006d31d7b7251f818b6aa9b904632fda8b878a3ec36b3f06e348bb00e34f7b99e37c0a7d8707cb598c16f2e46dc1e42ac54d8b3f06aa851c6

C:\Program Files (x86)\ljqswvgcfjolxkxmkgnlsuyxi.hlq

MD5 3475580dd8207bddc4c29347a62c5a8c
SHA1 2e29eab20d8de6a25c0b3fa013e3504e66f25647
SHA256 f06d006323508aad27f7f42e6da65651e1e81622057fcf47a8c815bfd580414c
SHA512 9df9b45d01bd09839cdd0ef66a266f0894e281de822ee566ee1ac122356a57010d238eac6ecb94c02a7e4cbc44be731022928e8e7359f20bb22df33184c31a54