Analysis Overview
SHA256: 9223f4748f528658ba3ac30515cf3ac1817677baaf345441d021e98ebd8891af
Threat Level: Known bad
The file JaffaCakes118_bc2c2e6019e42289641123c2db3584dc was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Pykspa family
Pykspa
Modifies WinLogon for persistence
Detect Pykspa worm
Disables RegEdit via registry modification
Adds policy Run key to start application
Impair Defenses: Safe Mode Boot
Executes dropped EXE
Adds Run key to start application
Looks up external IP address via web service
Checks whether UAC is enabled
Hijack Execution Flow: Executable Installer File Permissions Weakness
Drops autorun.inf file
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
System policy modification
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported: 2025-04-18 02:28
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted: 2025-04-18 02:28
Reported: 2025-04-18 02:31
Platform: win11-20250410-en
Max time kernel: 54s
Max time network: 161s
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
Pykspa
Pykspa family
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
Detect Pykspa worm
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mfsevhulzhjzcj = "vtlcyphdwjqltfwnbpz.exe" | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mfsevhulzhjzcj = "upeslzohxhldirft.exe" | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mfsevhulzhjzcj = "bxncwlbvmxcvblapb.exe" | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mfsevhulzhjzcj = "ihasphaxrfnjsfxpeted.exe" | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mfsevhulzhjzcj = "khyojzqldpvpwhxnan.exe" | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pfpymvfteji = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vtlcyphdwjqltfwnbpz.exe" | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pfpymvfteji = "C:\\Users\\Admin\\AppData\\Local\\Temp\\khyojzqldpvpwhxnan.exe" | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mfsevhulzhjzcj = "xxrkibvtodmjthatjzllf.exe" | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mfsevhulzhjzcj = "khyojzqldpvpwhxnan.exe" | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mfsevhulzhjzcj = "upeslzohxhldirft.exe" | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pfpymvfteji = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ihasphaxrfnjsfxpeted.exe" | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pfpymvfteji = "C:\\Users\\Admin\\AppData\\Local\\Temp\\upeslzohxhldirft.exe" | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pfpymvfteji = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xxrkibvtodmjthatjzllf.exe" | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pfpymvfteji = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bxncwlbvmxcvblapb.exe" | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mfsevhulzhjzcj = "ihasphaxrfnjsfxpeted.exe" | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mfsevhulzhjzcj = "bxncwlbvmxcvblapb.exe" | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pfpymvfteji = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vtlcyphdwjqltfwnbpz.exe" | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mfsevhulzhjzcj = "xxrkibvtodmjthatjzllf.exe" | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pfpymvfteji = "C:\\Users\\Admin\\AppData\\Local\\Temp\\khyojzqldpvpwhxnan.exe" | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
Executes dropped EXE
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Run\mdoynxixjppd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\upeslzohxhldirft.exe" | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ldpaqbndqxynp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ihasphaxrfnjsfxpeted.exe ." | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mdoynxixjppd = "upeslzohxhldirft.exe" | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Run\mdoynxixjppd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bxncwlbvmxcvblapb.exe" | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ldpaqbndqxynp = "vtlcyphdwjqltfwnbpz.exe ." | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\upeslzohxhldirft = "khyojzqldpvpwhxnan.exe ." | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ldpaqbndqxynp = "bxncwlbvmxcvblapb.exe ." | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bxncwlbvmxcvblapb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\khyojzqldpvpwhxnan.exe ." | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\khyojzqldpvpwhxnan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vtlcyphdwjqltfwnbpz.exe" | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Run\mdoynxixjppd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xxrkibvtodmjthatjzllf.exe" | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ldpaqbndqxynp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\khyojzqldpvpwhxnan.exe ." | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ldpaqbndqxynp = "upeslzohxhldirft.exe ." | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Run\pjxkcpdvktwnrzm = "xxrkibvtodmjthatjzllf.exe" | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Run\mdoynxixjppd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bxncwlbvmxcvblapb.exe" | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\upeslzohxhldirft = "xxrkibvtodmjthatjzllf.exe ." | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mdoynxixjppd = "ihasphaxrfnjsfxpeted.exe" | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ldpaqbndqxynp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vtlcyphdwjqltfwnbpz.exe ." | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ldpaqbndqxynp = "xxrkibvtodmjthatjzllf.exe ." | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Run\pjxkcpdvktwnrzm = "ihasphaxrfnjsfxpeted.exe" | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\upeslzohxhldirft = "vtlcyphdwjqltfwnbpz.exe ." | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ldpaqbndqxynp = "vtlcyphdwjqltfwnbpz.exe ." | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bxncwlbvmxcvblapb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xxrkibvtodmjthatjzllf.exe ." | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Run\mdoynxixjppd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ihasphaxrfnjsfxpeted.exe" | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ldpaqbndqxynp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xxrkibvtodmjthatjzllf.exe ." | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ldpaqbndqxynp = "ihasphaxrfnjsfxpeted.exe ." | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mdoynxixjppd = "vtlcyphdwjqltfwnbpz.exe" | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mdoynxixjppd = "xxrkibvtodmjthatjzllf.exe" | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\upeslzohxhldirft = "xxrkibvtodmjthatjzllf.exe ." | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Run\mdoynxixjppd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vtlcyphdwjqltfwnbpz.exe" | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\upeslzohxhldirft = "khyojzqldpvpwhxnan.exe ." | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Run\pjxkcpdvktwnrzm = "upeslzohxhldirft.exe" | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bxncwlbvmxcvblapb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ihasphaxrfnjsfxpeted.exe ." | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mdoynxixjppd = "khyojzqldpvpwhxnan.exe" | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ldpaqbndqxynp = "khyojzqldpvpwhxnan.exe ." | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Run\pjxkcpdvktwnrzm = "xxrkibvtodmjthatjzllf.exe" | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mdoynxixjppd = "ihasphaxrfnjsfxpeted.exe" | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Run\mdoynxixjppd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\upeslzohxhldirft.exe" | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ldpaqbndqxynp = "xxrkibvtodmjthatjzllf.exe ." | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ldpaqbndqxynp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bxncwlbvmxcvblapb.exe ." | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ldpaqbndqxynp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vtlcyphdwjqltfwnbpz.exe ." | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mdoynxixjppd = "khyojzqldpvpwhxnan.exe" | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mdoynxixjppd = "bxncwlbvmxcvblapb.exe" | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Run\pjxkcpdvktwnrzm = "khyojzqldpvpwhxnan.exe" | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Run\pjxkcpdvktwnrzm = "upeslzohxhldirft.exe" | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bxncwlbvmxcvblapb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xxrkibvtodmjthatjzllf.exe ." | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\khyojzqldpvpwhxnan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\khyojzqldpvpwhxnan.exe" | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bxncwlbvmxcvblapb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\upeslzohxhldirft.exe ." | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Run\pjxkcpdvktwnrzm = "bxncwlbvmxcvblapb.exe" | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\khyojzqldpvpwhxnan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bxncwlbvmxcvblapb.exe" | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
Hijack Execution Flow: Executable Installer File Permissions Weakness
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | www.showmyipaddress.com | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File opened for modification | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
| File created | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
| File opened for modification | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
| File created | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\vtlcyphdwjqltfwnbpz.exe | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| File created | C:\Windows\SysWOW64\upeslzohxhldirft.exe | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ihasphaxrfnjsfxpeted.exe | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\opkedxsrndnlwlfzqhuvqk.exe | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\khyojzqldpvpwhxnan.exe | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\upeslzohxhldirft.exe | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| File created | C:\Windows\SysWOW64\khyojzqldpvpwhxnan.exe | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| File created | C:\Windows\SysWOW64\bxncwlbvmxcvblapb.exe | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| File created | C:\Windows\SysWOW64\opkedxsrndnlwlfzqhuvqk.exe | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| File created | C:\Windows\SysWOW64\ihasphaxrfnjsfxpeted.exe | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vtlcyphdwjqltfwnbpz.exe | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
| File created | C:\Windows\SysWOW64\xxrkibvtodmjthatjzllf.exe | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| File created | C:\Windows\SysWOW64\upeslzohxhldirft.exe | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\xxrkibvtodmjthatjzllf.exe | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| File created | C:\Windows\SysWOW64\bxncwlbvmxcvblapb.exe | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\bxncwlbvmxcvblapb.exe | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\upeslzohxhldirft.exe | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\xxrkibvtodmjthatjzllf.exe | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
| File created | C:\Windows\SysWOW64\vtlcyphdwjqltfwnbpz.exe | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| File created | C:\Windows\SysWOW64\opkedxsrndnlwlfzqhuvqk.exe | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\zffeihhlmhwzpjihdzrxxwa.zde | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
| File created | C:\Program Files (x86)\zffeihhlmhwzpjihdzrxxwa.zde | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
| File opened for modification | C:\Program Files (x86)\mdoynxixjppdejtdkrulwgvfqfrxxlmrbl.zct | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
| File created | C:\Program Files (x86)\mdoynxixjppdejtdkrulwgvfqfrxxlmrbl.zct | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\khyojzqldpvpwhxnan.exe | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| File created | C:\Windows\vtlcyphdwjqltfwnbpz.exe | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| File opened for modification | C:\Windows\ihasphaxrfnjsfxpeted.exe | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| File opened for modification | C:\Windows\xxrkibvtodmjthatjzllf.exe | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| File opened for modification | C:\Windows\upeslzohxhldirft.exe | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| File opened for modification | C:\Windows\bxncwlbvmxcvblapb.exe | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| File opened for modification | C:\Windows\opkedxsrndnlwlfzqhuvqk.exe | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
| File opened for modification | C:\Windows\vtlcyphdwjqltfwnbpz.exe | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| File opened for modification | C:\Windows\opkedxsrndnlwlfzqhuvqk.exe | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| File opened for modification | C:\Windows\xxrkibvtodmjthatjzllf.exe | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
| File opened for modification | C:\Windows\bxncwlbvmxcvblapb.exe | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
| File opened for modification | C:\Windows\vtlcyphdwjqltfwnbpz.exe | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
| File created | C:\Windows\xxrkibvtodmjthatjzllf.exe | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| File created | C:\Windows\upeslzohxhldirft.exe | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| File opened for modification | C:\Windows\upeslzohxhldirft.exe | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
| File created | C:\Windows\mdoynxixjppdejtdkrulwgvfqfrxxlmrbl.zct | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
| File created | C:\Windows\ihasphaxrfnjsfxpeted.exe | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| File opened for modification | C:\Windows\khyojzqldpvpwhxnan.exe | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
| File opened for modification | C:\Windows\ihasphaxrfnjsfxpeted.exe | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\vtlcyphdwjqltfwnbpz.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\khyojzqldpvpwhxnan.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\ihasphaxrfnjsfxpeted.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\xxrkibvtodmjthatjzllf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\bxncwlbvmxcvblapb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\upeslzohxhldirft.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\xhlow.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe"
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_bc2c2e6019e42289641123c2db3584dc.exe*"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xxrkibvtodmjthatjzllf.exe
C:\Windows\xxrkibvtodmjthatjzllf.exe
xxrkibvtodmjthatjzllf.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c upeslzohxhldirft.exe .
C:\Windows\upeslzohxhldirft.exe
upeslzohxhldirft.exe .
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\upeslzohxhldirft.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khyojzqldpvpwhxnan.exe
C:\Windows\khyojzqldpvpwhxnan.exe
khyojzqldpvpwhxnan.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khyojzqldpvpwhxnan.exe .
C:\Windows\khyojzqldpvpwhxnan.exe
khyojzqldpvpwhxnan.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\khyojzqldpvpwhxnan.exe*."
C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe
C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe .
C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe
C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe .
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\upeslzohxhldirft.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe
C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe
C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe .
C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe
C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe .
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\vtlcyphdwjqltfwnbpz.exe*."
C:\Users\Admin\AppData\Local\Temp\xhlow.exe
"C:\Users\Admin\AppData\Local\Temp\xhlow.exe" "-C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe"
C:\Users\Admin\AppData\Local\Temp\xhlow.exe
"C:\Users\Admin\AppData\Local\Temp\xhlow.exe" "-C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxncwlbvmxcvblapb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxncwlbvmxcvblapb.exe
C:\Windows\bxncwlbvmxcvblapb.exe
bxncwlbvmxcvblapb.exe
C:\Windows\bxncwlbvmxcvblapb.exe
bxncwlbvmxcvblapb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxncwlbvmxcvblapb.exe .
C:\Windows\bxncwlbvmxcvblapb.exe
bxncwlbvmxcvblapb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ihasphaxrfnjsfxpeted.exe .
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\bxncwlbvmxcvblapb.exe*."
C:\Windows\ihasphaxrfnjsfxpeted.exe
ihasphaxrfnjsfxpeted.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c upeslzohxhldirft.exe
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\ihasphaxrfnjsfxpeted.exe*."
C:\Windows\khyojzqldpvpwhxnan.exe
khyojzqldpvpwhxnan.exe .
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\khyojzqldpvpwhxnan.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c upeslzohxhldirft.exe
C:\Windows\upeslzohxhldirft.exe
upeslzohxhldirft.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxncwlbvmxcvblapb.exe .
C:\Windows\bxncwlbvmxcvblapb.exe
bxncwlbvmxcvblapb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\bxncwlbvmxcvblapb.exe*."
C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe
C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe .
C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe
C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe .
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\bxncwlbvmxcvblapb.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe
C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe
C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe .
C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe
C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe .
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\upeslzohxhldirft.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vtlcyphdwjqltfwnbpz.exe
C:\Windows\vtlcyphdwjqltfwnbpz.exe
vtlcyphdwjqltfwnbpz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ihasphaxrfnjsfxpeted.exe .
C:\Windows\ihasphaxrfnjsfxpeted.exe
ihasphaxrfnjsfxpeted.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxncwlbvmxcvblapb.exe
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\ihasphaxrfnjsfxpeted.exe*."
C:\Windows\bxncwlbvmxcvblapb.exe
bxncwlbvmxcvblapb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxncwlbvmxcvblapb.exe .
C:\Windows\bxncwlbvmxcvblapb.exe
bxncwlbvmxcvblapb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe
C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe
C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\bxncwlbvmxcvblapb.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe .
C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe
C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe .
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\xxrkibvtodmjthatjzllf.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe
C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe
C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe .
C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe
C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe .
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\bxncwlbvmxcvblapb.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c upeslzohxhldirft.exe
C:\Windows\upeslzohxhldirft.exe
upeslzohxhldirft.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c upeslzohxhldirft.exe .
C:\Windows\upeslzohxhldirft.exe
upeslzohxhldirft.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxncwlbvmxcvblapb.exe
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\upeslzohxhldirft.exe*."
C:\Windows\bxncwlbvmxcvblapb.exe
bxncwlbvmxcvblapb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ihasphaxrfnjsfxpeted.exe .
C:\Windows\ihasphaxrfnjsfxpeted.exe
ihasphaxrfnjsfxpeted.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\ihasphaxrfnjsfxpeted.exe*."
C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe
C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe .
C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe
C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe .
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\vtlcyphdwjqltfwnbpz.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe
C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe .
C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe
C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe .
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\bxncwlbvmxcvblapb.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c upeslzohxhldirft.exe
C:\Windows\upeslzohxhldirft.exe
upeslzohxhldirft.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vtlcyphdwjqltfwnbpz.exe .
C:\Windows\vtlcyphdwjqltfwnbpz.exe
vtlcyphdwjqltfwnbpz.exe .
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\vtlcyphdwjqltfwnbpz.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vtlcyphdwjqltfwnbpz.exe
C:\Windows\vtlcyphdwjqltfwnbpz.exe
vtlcyphdwjqltfwnbpz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khyojzqldpvpwhxnan.exe .
C:\Windows\khyojzqldpvpwhxnan.exe
khyojzqldpvpwhxnan.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\khyojzqldpvpwhxnan.exe*."
C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe
C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe .
C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe
C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe .
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\khyojzqldpvpwhxnan.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe
C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe
C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe .
C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe
C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe .
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\vtlcyphdwjqltfwnbpz.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xxrkibvtodmjthatjzllf.exe
C:\Windows\xxrkibvtodmjthatjzllf.exe
xxrkibvtodmjthatjzllf.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vtlcyphdwjqltfwnbpz.exe .
C:\Windows\vtlcyphdwjqltfwnbpz.exe
vtlcyphdwjqltfwnbpz.exe .
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\vtlcyphdwjqltfwnbpz.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vtlcyphdwjqltfwnbpz.exe
C:\Windows\vtlcyphdwjqltfwnbpz.exe
vtlcyphdwjqltfwnbpz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c upeslzohxhldirft.exe .
C:\Windows\upeslzohxhldirft.exe
upeslzohxhldirft.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khyojzqldpvpwhxnan.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xxrkibvtodmjthatjzllf.exe
C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe
C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe .
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\upeslzohxhldirft.exe*."
C:\Windows\khyojzqldpvpwhxnan.exe
khyojzqldpvpwhxnan.exe
C:\Windows\xxrkibvtodmjthatjzllf.exe
xxrkibvtodmjthatjzllf.exe
C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe
C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ihasphaxrfnjsfxpeted.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vtlcyphdwjqltfwnbpz.exe .
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\upeslzohxhldirft.exe*."
C:\Windows\vtlcyphdwjqltfwnbpz.exe
vtlcyphdwjqltfwnbpz.exe .
C:\Windows\ihasphaxrfnjsfxpeted.exe
ihasphaxrfnjsfxpeted.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c upeslzohxhldirft.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxncwlbvmxcvblapb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe .
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\ihasphaxrfnjsfxpeted.exe*."
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\vtlcyphdwjqltfwnbpz.exe*."
C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe
C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxncwlbvmxcvblapb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xxrkibvtodmjthatjzllf.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe
C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe
C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe .
C:\Windows\bxncwlbvmxcvblapb.exe
bxncwlbvmxcvblapb.exe
C:\Windows\upeslzohxhldirft.exe
upeslzohxhldirft.exe
C:\Windows\bxncwlbvmxcvblapb.exe
bxncwlbvmxcvblapb.exe .
C:\Windows\xxrkibvtodmjthatjzllf.exe
xxrkibvtodmjthatjzllf.exe .
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\vtlcyphdwjqltfwnbpz.exe*."
C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe
C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe .
C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe
C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe
C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe
C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe .
C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe
C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xxrkibvtodmjthatjzllf.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe .
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\xxrkibvtodmjthatjzllf.exe*."
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\vtlcyphdwjqltfwnbpz.exe*."
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\bxncwlbvmxcvblapb.exe*."
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\upeslzohxhldirft.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vtlcyphdwjqltfwnbpz.exe .
C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe
C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe .
C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe
C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe
C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe
C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe
C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe
C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe .
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\khyojzqldpvpwhxnan.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxncwlbvmxcvblapb.exe
C:\Windows\vtlcyphdwjqltfwnbpz.exe
vtlcyphdwjqltfwnbpz.exe .
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\khyojzqldpvpwhxnan.exe*."
C:\Windows\bxncwlbvmxcvblapb.exe
bxncwlbvmxcvblapb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khyojzqldpvpwhxnan.exe .
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\vtlcyphdwjqltfwnbpz.exe*."
C:\Windows\khyojzqldpvpwhxnan.exe
khyojzqldpvpwhxnan.exe .
C:\Windows\xxrkibvtodmjthatjzllf.exe
xxrkibvtodmjthatjzllf.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\khyojzqldpvpwhxnan.exe*."
C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe
C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe .
C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe
C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe .
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\upeslzohxhldirft.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe .
C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe
C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe
C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe
C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe .
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\ihasphaxrfnjsfxpeted.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ihasphaxrfnjsfxpeted.exe
C:\Windows\ihasphaxrfnjsfxpeted.exe
ihasphaxrfnjsfxpeted.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxncwlbvmxcvblapb.exe .
C:\Windows\bxncwlbvmxcvblapb.exe
bxncwlbvmxcvblapb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vtlcyphdwjqltfwnbpz.exe
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\bxncwlbvmxcvblapb.exe*."
C:\Windows\vtlcyphdwjqltfwnbpz.exe
vtlcyphdwjqltfwnbpz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vtlcyphdwjqltfwnbpz.exe .
C:\Windows\vtlcyphdwjqltfwnbpz.exe
vtlcyphdwjqltfwnbpz.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\vtlcyphdwjqltfwnbpz.exe*."
C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe
C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe .
C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe
C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe .
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\upeslzohxhldirft.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe
C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe
C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe .
C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe
C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe .
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\upeslzohxhldirft.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ihasphaxrfnjsfxpeted.exe
C:\Windows\ihasphaxrfnjsfxpeted.exe
ihasphaxrfnjsfxpeted.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxncwlbvmxcvblapb.exe .
C:\Windows\bxncwlbvmxcvblapb.exe
bxncwlbvmxcvblapb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxncwlbvmxcvblapb.exe
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\bxncwlbvmxcvblapb.exe*."
C:\Windows\bxncwlbvmxcvblapb.exe
bxncwlbvmxcvblapb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khyojzqldpvpwhxnan.exe .
C:\Windows\khyojzqldpvpwhxnan.exe
khyojzqldpvpwhxnan.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\khyojzqldpvpwhxnan.exe*."
C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe
C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe .
C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe
C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe .
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\bxncwlbvmxcvblapb.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe
C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe
C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe .
C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe
C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe .
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\khyojzqldpvpwhxnan.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ihasphaxrfnjsfxpeted.exe
C:\Windows\ihasphaxrfnjsfxpeted.exe
ihasphaxrfnjsfxpeted.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khyojzqldpvpwhxnan.exe .
C:\Windows\khyojzqldpvpwhxnan.exe
khyojzqldpvpwhxnan.exe .
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\khyojzqldpvpwhxnan.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxncwlbvmxcvblapb.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\bxncwlbvmxcvblapb.exe
bxncwlbvmxcvblapb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xxrkibvtodmjthatjzllf.exe .
C:\Windows\xxrkibvtodmjthatjzllf.exe
xxrkibvtodmjthatjzllf.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe
C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe
C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\xxrkibvtodmjthatjzllf.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe .
C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe
C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe .
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\ihasphaxrfnjsfxpeted.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe
C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe
C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe .
C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe
C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe .
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\bxncwlbvmxcvblapb.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c upeslzohxhldirft.exe
C:\Windows\upeslzohxhldirft.exe
upeslzohxhldirft.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c upeslzohxhldirft.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\upeslzohxhldirft.exe
upeslzohxhldirft.exe .
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\upeslzohxhldirft.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vtlcyphdwjqltfwnbpz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khyojzqldpvpwhxnan.exe .
C:\Windows\vtlcyphdwjqltfwnbpz.exe
vtlcyphdwjqltfwnbpz.exe
C:\Windows\khyojzqldpvpwhxnan.exe
khyojzqldpvpwhxnan.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\khyojzqldpvpwhxnan.exe*."
C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe
C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe
C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe .
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\upeslzohxhldirft.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe
C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe
C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe .
C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe
C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe .
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\khyojzqldpvpwhxnan.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bxncwlbvmxcvblapb.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\bxncwlbvmxcvblapb.exe
bxncwlbvmxcvblapb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c khyojzqldpvpwhxnan.exe .
C:\Windows\khyojzqldpvpwhxnan.exe
khyojzqldpvpwhxnan.exe .
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\khyojzqldpvpwhxnan.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ihasphaxrfnjsfxpeted.exe
C:\Windows\ihasphaxrfnjsfxpeted.exe
ihasphaxrfnjsfxpeted.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ihasphaxrfnjsfxpeted.exe .
C:\Windows\ihasphaxrfnjsfxpeted.exe
ihasphaxrfnjsfxpeted.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe
C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\ihasphaxrfnjsfxpeted.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe .
C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe
C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe .
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\xxrkibvtodmjthatjzllf.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe
C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe
C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe .
C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe
C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe .
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\vtlcyphdwjqltfwnbpz.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c upeslzohxhldirft.exe
C:\Windows\upeslzohxhldirft.exe
upeslzohxhldirft.exe
C:\Windows\system32\cmd.exe
C:\Windows\vtlcyphdwjqltfwnbpz.exe
vtlcyphdwjqltfwnbpz.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\vtlcyphdwjqltfwnbpz.exe*."
C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe
C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe .
C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe
C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe .
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\upeslzohxhldirft.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe
C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe
C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe .
C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe
C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe .
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\xxrkibvtodmjthatjzllf.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vtlcyphdwjqltfwnbpz.exe
C:\Windows\vtlcyphdwjqltfwnbpz.exe
vtlcyphdwjqltfwnbpz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c upeslzohxhldirft.exe .
C:\Windows\upeslzohxhldirft.exe
upeslzohxhldirft.exe .
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\upeslzohxhldirft.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xxrkibvtodmjthatjzllf.exe
C:\Windows\xxrkibvtodmjthatjzllf.exe
xxrkibvtodmjthatjzllf.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ihasphaxrfnjsfxpeted.exe .
C:\Windows\ihasphaxrfnjsfxpeted.exe
ihasphaxrfnjsfxpeted.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe
C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe
C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\ihasphaxrfnjsfxpeted.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe .
C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe
C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe .
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\upeslzohxhldirft.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe
C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe
C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe .
C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe
C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe .
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\khyojzqldpvpwhxnan.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vtlcyphdwjqltfwnbpz.exe
C:\Windows\vtlcyphdwjqltfwnbpz.exe
vtlcyphdwjqltfwnbpz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c upeslzohxhldirft.exe .
C:\Windows\upeslzohxhldirft.exe
upeslzohxhldirft.exe .
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe
"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\upeslzohxhldirft.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vtlcyphdwjqltfwnbpz.exe
Network
| Country | Destination | Domain | Proto |
Files